M&S. Co-op. Harrods. Three of Britain’s most recognised retailers. Ten days. One entry point.

In spring 2025, attackers called IT help desks, impersonated employees, and asked for password resets. Staff complied. The credential was handed over. In every case the technical defences were bypassed completely — no exploit, no vulnerability, just a credential that should never have existed in human hands. MyCena removes the mechanism before the call is made.
Estimated lost profit — M&S, six weeks of suspended online orders from one password reset at a third-party help desk
Estimated combined losses — M&S, Co-op, and Harrods in ten days. Three brands. One attacker method.
Surge in retail ransomware attacks in Q1 2025. 60% of retail breaches originate from third-party vendor vulnerabilities.
Co-op members affected — names, dates of birth, contact details. Accessed via a single impersonated password reset.
The 2025 pattern

Three breaches. Ten days. Identical entry point.

The attacker group did not exploit a software vulnerability in any of the three incidents. They called a help desk, impersonated an employee, and asked for a password reset. The credential was handed over. Everything that followed — ransomware, data theft, weeks of operational disruption — flowed from that moment.

Marks & Spencer — April 2025
£300M
Attackers impersonated an M&S employee and called the IT help desk run by TCS, the third-party provider. A password reset was carried out. Online orders suspended for six weeks. £750M wiped from market capitalisation.
M&S Chairman Archie Norman confirmed to the UK Parliament’s Business and Trade Sub-Committee that the initial entry on 17 April occurred through social engineering — an attacker impersonating one of 50,000 people associated with the company, convincing a third-party help desk to reset their password. With those credentials, the attackers extracted the Windows Active Directory NTDS.dit file — the database containing password hashes for every domain user — cracked those hashes offline, and deployed DragonForce ransomware on Easter weekend. Contactless payments, Click & Collect, and online ordering were all suspended. M&S estimated £300M in lost operating profit. The company had no cyber insurance. Harrods and Co-op were hit by the same group using the same method within days.
Entry point: third-party IT help desk credential reset — confirmed by M&S chairman in parliamentary testimony
Co-op — April 2025
6.5M
Same attacker group. Same method — impersonating a colleague, answering security questions, obtaining an account reset. 6.5 million members’ personal data accessed. Co-op contained the breach within hours.
Co-op Chief Digital Information Officer Rob Elsey confirmed in parliamentary testimony that attackers “impersonated a colleague and successfully answered a number of security questions to get their account reset.” The difference in outcome — Co-op contained within hours versus M&S offline for six weeks — was detection speed and network segmentation. Co-op’s systems were heavily segmented. The attacker was confined to one zone. At M&S, detection came two days after entry. By then the attackers had moved laterally through the entire estate. The lesson is not that segmentation prevents the credential breach — it is that the credential breach happened in both cases through identical means.
Entry point: employee impersonation, account reset via security questions — confirmed by Co-op CDIO in parliamentary testimony
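The Co-op and M&S outcomes above differed on detection speed. As an added example, not taken from the page or from MyCena, the rule below correlates a help-desk password reset with what the account does in the next 48 hours (the two days M&S lost before detection): logons to hosts the account never used before the reset, or the directory export step described above. The event names, users, hosts, tickets and timestamps are assumptions constructed for this example.

```python
import json
from datetime import datetime, timedelta

# M&S detected the intrusion two days after entry, so watch each reset account
# for 48 hours. Event names below are constructed, not any vendor's schema.
WINDOW = timedelta(hours=48)
RESET_EVENT = "helpdesk.password_reset"
SENSITIVE = {"directory.ntds_export"}   # the NTDS.dit extraction step

# Constructed sample log: one benign reset (a.patel) and one that is followed
# by logons to never-before-seen hosts and a directory export (j.smith).
SAMPLE_LOG = """\
{"ts":"2025-04-10T08:02:00Z","event":"auth.logon","user":"j.smith","host":"LAPTOP-JS01"}
{"ts":"2025-04-16T08:05:00Z","event":"auth.logon","user":"a.patel","host":"LAPTOP-AP07"}
{"ts":"2025-04-16T09:00:00Z","event":"helpdesk.password_reset","user":"a.patel","ticket":"T-1001"}
{"ts":"2025-04-16T09:10:00Z","event":"auth.logon","user":"a.patel","host":"LAPTOP-AP07"}
{"ts":"2025-04-17T11:30:00Z","event":"helpdesk.password_reset","user":"j.smith","ticket":"T-1042"}
{"ts":"2025-04-17T11:41:00Z","event":"auth.logon","user":"j.smith","host":"VPN-GW"}
{"ts":"2025-04-17T13:05:00Z","event":"auth.logon","user":"j.smith","host":"FS01"}
{"ts":"2025-04-18T02:20:00Z","event":"auth.logon","user":"j.smith","host":"DC01"}
{"ts":"2025-04-18T02:48:00Z","event":"directory.ntds_export","user":"j.smith","host":"DC01"}
"""


def parse(text):
    """One JSON object per line; returns the events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=WINDOW):
    """One alert per reset whose account then reaches hosts it never used
    before the reset, or performs a sensitive directory operation."""
    alerts = []
    for r in (e for e in events if e["event"] == RESET_EVENT):
        mine = [e for e in events if e["user"] == r["user"]]
        before = {e["host"] for e in mine
                  if e["event"] == "auth.logon" and e["ts"] < r["ts"]}
        after = [e for e in mine if r["ts"] < e["ts"] <= r["ts"] + window]
        new_hosts = sorted({e["host"] for e in after
                            if e["event"] == "auth.logon" and e["host"] not in before})
        sensitive = [e["event"] for e in after if e["event"] in SENSITIVE]
        if not new_hosts and not sensitive:
            continue   # reset followed by the account's normal pattern: no alert
        severity = ("critical" if sensitive
                    else "high" if len(new_hosts) >= 2 else "medium")
        alerts.append({"user": r["user"], "ticket": r["ticket"], "severity": severity,
                       "new_hosts": new_hosts, "sensitive": sensitive})
    return alerts
```

Running `correlate(parse(SAMPLE_LOG))` yields a single critical alert for ticket T-1042; the benign a.patel reset produces none, which is the signal-to-noise balance a help-desk-reset rule needs in a high-turnover estate.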
Harrods — May 2025
Contained
Third attack in ten days on a UK retailer. Harrods restricted internet access and isolated systems within hours. Stores remained open. The NCSC issued guidance to the entire retail sector.
Harrods confirmed attempts to gain unauthorised access to its systems on 1 May 2025. The company’s rapid response — restricting internet access across all sites and proactively isolating systems — limited the impact. No customer data was confirmed as accessed. All stores and the website remained operational. NCSC CEO Richard Horne issued a statement calling the incidents “a wake-up call to all organisations” and directed all retailers to review their IT help desk password reset processes immediately. The NCSC’s intervention made explicit what the three incidents demonstrated: the help desk is the attack surface, and the credential handed over by that help desk is the entry point.
Entry point: same attacker group and method — rapid detection limited impact

In every case the attacker authenticated as a legitimate user — because the credential was legitimate. No firewall was breached. No software was exploited. A person was deceived into handing over access. MyCena removes what is handed over: when credentials are never held by humans, there is nothing a help desk call can extract.

Risk landscape

Six credential risks specific to retail

Retail carries the standard enterprise credential gap — amplified by a specific structural vulnerability: more third-party systems, more seasonal staff, more help desk interactions, and a wider human surface for social engineering than almost any other sector.

01 — Third-party IT providers
The help desk that resets credentials it should not
M&S’s IT help desk was run by TCS. The attacker called TCS. TCS reset the password. The entire M&S breach — £300M, six weeks offline — traced to a credential handed over by a third-party help desk that could not verify who was asking.
Large retailers outsource IT operations to managed service providers. Those providers operate help desks with access to credential reset capabilities across the retailer’s entire estate. When an attacker calls that help desk with enough information to pass identity checks — information harvested from previous data breaches, social media, or earlier intrusions — the provider hands over the access. MyCena closes the mechanism: when no human holds a credential, a help desk reset produces nothing of value to an attacker.
02 — Seasonal and temporary staff
High-turnover access that is rarely fully revoked
A large UK retailer employs tens of thousands of seasonal staff every Christmas. Each holds credentials. When January comes, the offboarding process is never complete. Former seasonal staff credentials remain active. Those credentials are the dormant access paths that attackers find months later.
Retail turnover rates are among the highest of any sector. The credential governance problem scales directly with headcount — more joiners, more leavers, more credentials created, fewer revoked completely. Manual offboarding across dozens of systems — EPOS, stock management, loyalty platforms, HR systems, e-commerce backends — is the process that fails at scale. MyCena revokes all access in seconds, across every system, with one command and a timestamped log.
03 — Payment and loyalty systems
Credentials that reach card data and customer records
Retail credentials access payment processing systems, loyalty programme databases, order histories, and customer personal data. 26% of data compromised in retail breaches is credential data. 12% is payment data. The credential is the route to both.
PCI DSS v4.0 requires individual user accountability for every access event to cardholder data environments. Shared credentials on EPOS systems, payment terminals, and back-office financial platforms fail this requirement directly. A shared login on a payment system is simultaneously a PCI compliance failure, a GDPR exposure, and an audit finding — and in the event of a breach, the shared credential means nobody can identify which individual accessed what data or when.

“The attacker did not break into M&S. They called the help desk and asked to be let in. That is not a security awareness problem. It is an architectural one.”

Where credential control applies

The retail credential entry points MyCena closes

MyCena governs the authentication layer across retail systems. The specific entry point in every 2025 UK retail breach — a credential reset via a help desk — is closed when no credential exists in human-visible form. There is nothing for a help desk to reset that gives an attacker access.

MyCena governs
Third-party IT provider access
MSP and help desk staff with credential reset capability across retail systems
✓ M&S/TCS help desk entry point — closed structurally
The retailer generates all credentials centrally. The third-party IT provider never holds credentials they can reset or hand to an attacker. When an impersonator calls the help desk, there is no credential to reset that grants access — because the credential is invisible, generated by the retailer, and injected at authentication. The TCS help desk attack vector is closed architecturally, not procedurally.
MyCena governs
Seasonal and permanent staff access
Store staff, warehouse operatives, head office employees across all retail systems
✓ Dormant credential and offboarding gap — closed structurally
Every staff member authenticates through centrally generated credentials. When the Christmas season ends, all seasonal staff access is revoked in seconds — across every system simultaneously — with one command and a timestamped log. No manual offboarding list. No missed system. No dormant credential left active for an attacker to find months later.
MyCena governs
EPOS, payment, and loyalty systems
Till operators, payment system administrators, loyalty platform managers
✓ PCI DSS individual accountability — satisfied architecturally
Every till operator and payment system user has individually generated credentials. No shared logins. Every access event to cardholder data environments is attributed to a named individual with a precise timestamp — satisfying PCI DSS v4.0 Requirement 8 architecturally rather than through policy attestation. The audit log is generated continuously as a byproduct of normal operation.
MyCena governs
Omnichannel and supply chain partners
Logistics providers, fulfilment partners, marketplace integrations, third-party platforms
✓ Third-party vendor credential access — governed from the retailer side
Every third-party partner accesses retail systems through credentials the retailer generated and controls. When a relationship ends or an incident is detected, all access is revoked in seconds across every connected system. The 60% of retail breaches that enter through third-party vendors are closed when the retailer owns every credential that reaches their systems — not the vendor.
What MyCena delivers

The structural fix the NCSC told every retailer to make

After the 2025 retail attacks, the NCSC directed all organisations to review their IT help desk password reset processes. MyCena is the architectural answer to that review — removing the mechanism rather than adding a procedure.

Help desk reset produces nothing — the M&S entry point closed
When credentials are generated centrally and injected invisibly at authentication, a help desk credential reset produces a credential that gives the attacker nothing — because the real credential is governed by the retailer’s system, not the help desk. The social engineering attack that took M&S offline for six weeks finds no mechanism to exploit.
Seasonal staff revocation in seconds — not weeks
All seasonal staff access revoked in seconds with one command — across every system, every platform, every integration simultaneously. A timestamped log produced automatically. No manual process across 40 systems. No missed credential left active. The dormant access path attackers exploit months after departure does not exist.
PCI DSS v4.0 individual accountability — architectural
Every access event to cardholder data environments is attributed to a named individual, timestamped to the second, and logged continuously. PCI DSS v4.0 Requirement 8 — individual authentication, no shared credentials, full audit trail — satisfied architecturally. The PCI assessment receives the log, not a policy document assembled before the assessment.
Cyber insurance — evidence for premium negotiation
M&S had no cyber insurance. The £300M loss came entirely from the company’s own accounts. UK retailers are now facing premium hikes of up to 10% as insurers reassess the retail sector after 2025. Structural credential governance — with continuous access logs and demonstrated instant revocation — provides the underwriting evidence that supports negotiation at renewal. Whether M&S had insurance cover was a question raised during its recovery; that question is now being asked of every major retailer.
£440M
combined losses across three retailers in ten days — one attacker method, one entry point
Every pound of that loss traces to a credential that was handed over by a help desk. Not stolen through a technical exploit. Not obtained through a sophisticated zero-day. Asked for — and given — because the credential existed in human hands and a human could be deceived into providing it.
What the chairman said
M&S Chairman Archie Norman told the UK Parliament’s Business and Trade Sub-Committee: the entry was “what people now call social engineering — a euphemism for impersonation.” He confirmed the attacker called the third-party help desk, impersonated an employee, and obtained a credential reset. A retailer briefed on this finding that defers action on credential governance has now documented its awareness of a known architectural gap. The ICO’s post-breach assessment will ask whether the available structural measure was taken.
How it works

Credential governance without disrupting retail operations

No EPOS system modified. No payment infrastructure changed. No loyalty platform disrupted. Staff experience one difference: they click to connect instead of typing a password.

Step 01
Retailer generates all credentials centrally
Every credential for every system — staff, third-party IT provider, logistics partner, payment platform — is generated by the retailer through MyCena. No individual creates their own access. No provider brings credentials to the retailer’s network. Credential ownership is the retailer’s from the moment of creation.
Step 02
Invisible injection — nothing for a help desk to hand over
Staff click to connect to any system — till, stock management, loyalty platform, e-commerce backend. MyCena injects the credential at authentication. Nothing is displayed, typed, or held in memory. When an attacker calls the help desk impersonating an employee, there is no credential the help desk can reset that gives the attacker access to what MyCena governs.
Step 03
Continuous access log — GDPR and PCI evidence generated automatically
Every access event is logged — which staff member, which system, timestamp to the second. The GDPR technical measures evidence and PCI DSS audit trail are generated continuously. Regulators receive the log, not a document assembled under examination pressure.
Step 04
Instant revocation — seasonal staff, partners, all systems
Christmas season ends: one command, all seasonal staff access revoked across every system in seconds, timestamped log produced. Third-party relationship ends: same command, same speed. Suspected incident detected: immediate revocation before lateral movement. No manual process. No missed system. No dormant credential.
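An added model of Steps 01 to 04, written for this page rather than taken from MyCena: each secret is generated per user and per system, never returned to a person, proved by an HMAC over a system challenge at connect time, logged on every event, and dropped for a whole cohort with one call. The system names, cohort labels and challenge format are constructed assumptions, and a real deployment would also have to provision each system with the matching verifier, which this sketch leaves out.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

SYSTEMS = ("epos", "stock", "loyalty")   # constructed system names, not a real estate


class CredentialStore:
    """Retailer-side store: it alone holds each secret; people get only a handle."""

    def __init__(self):
        self._secrets = {}   # (user, system) -> 32-byte secret, unique per pair
        self._cohort = {}    # user -> cohort label, e.g. "seasonal-2025" or "it-provider"
        self.log = []        # timestamped access and revocation events

    def _record(self, **fields):
        fields["ts"] = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.log.append(fields)

    def enrol(self, user, cohort, systems=SYSTEMS):
        """Step 01: the retailer generates every credential centrally."""
        self._cohort[user] = cohort
        for system in systems:
            self._secrets[(user, system)] = secrets.token_bytes(32)
        return user   # the handle; the secret itself is never returned to a person

    def connect(self, user, system, challenge):
        """Steps 02 and 03: answer the system's challenge with an HMAC proof of
        the stored secret and log the event. Nothing is typed or displayed, so a
        help-desk caller has nothing to ask for."""
        key = self._secrets.get((user, system))
        if key is None:
            self._record(event="access.denied", user=user, system=system)
            return None
        self._record(event="access.granted", user=user, system=system)
        return hmac.new(key, challenge, hashlib.sha256).hexdigest()

    def revoke_cohort(self, cohort):
        """Step 04: one command removes every credential of the cohort on every
        system and logs each removal. Returns the number of credentials dropped."""
        doomed = [k for k in self._secrets if self._cohort.get(k[0]) == cohort]
        for user, system in doomed:
            del self._secrets[(user, system)]
            self._record(event="access.revoked", user=user, system=system, cohort=cohort)
        return len(doomed)
```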
Regulatory framework

GDPR, PCI DSS, NIS2, and cyber insurance — all require what MyCena delivers

Every retail access control framework requires demonstrable evidence of individual accountability and third-party governance. MyCena generates that evidence continuously.

GDPR — Article 32 technical measures
✓ Architectural technical measures — structural
GDPR Article 32 requires appropriate technical and organisational measures to ensure security appropriate to the risk. The ICO’s post-breach assessment after the 2025 retail attacks will focus on whether structural access control measures were taken. MyCena’s central generation, invisible injection, and instant revocation architecture is the technical measure Article 32 requires — not procedural controls that demonstrably fail under social engineering.
PCI DSS v4.0 — Requirement 8
✓ Individual attribution — satisfied architecturally
PCI DSS v4.0 Requirement 8 mandates unique authentication for all cardholder data environment access, individual accountability for every access event, and elimination of shared credentials on payment systems. MyCena satisfies all three architecturally. The PCI assessment receives a continuous access log, not a policy assertion assembled before audit.
NIS2 — Articles 20 & 21
✓ Supply chain governance — structurally satisfied
Retailers classified as essential or important entities under NIS2 face personal management liability for ICT risk governance failures and must demonstrate supply chain security including third-party credential governance. The M&S breach — third-party IT provider credential — is the scenario NIS2 Article 21 was written for. Management briefed on this pattern who do not act are within scope of NIS2 Article 20 personal liability.
ICO enforcement — post-2025 retail focus
✓ Demonstrable measures — evidence continuous
The ICO is assessing the 2025 retail breaches for GDPR compliance. The central question is whether retailers took the available technical measures to prevent credential-based access. Structural credential governance — not awareness training, not procedural help desk controls — is the technical measure the ICO expects from organisations of M&S’s scale and digital maturity.
Cyber Essentials Plus
✓ Access control requirements — structural
Cyber Essentials Plus requires access control verification, user account governance, and authentication security. Retailers supplying government contracts or public sector procurement must hold CE Plus. MyCena satisfies the technical access control requirements architecturally — not through self-attestation that procedural controls are in place.
Cyber insurance — post-2025 retail underwriting
✓ Level 4–5 maturity — premium evidence
UK retailers are facing cyber insurance premium increases of up to 10% following the 2025 retail breach wave. M&S had no cyber insurance — the £300M loss was uninsured. Underwriters are now explicitly assessing help desk identity verification, third-party access governance, and credential control as rating factors. MyCena provides the structural evidence that supports premium negotiation and demonstrates the governance standard insurers are requiring.
Retail credential briefing
A 45-minute briefing on credential control for retail — specific to your IT provider landscape, staff turnover profile, and regulatory obligations.
Book a retail briefing →