The significant cyber incidents impacting major UK retailers, starting in late April 2025, are not isolated events; they are stark warnings for the entire interconnected supply chain, including the food manufacturing sector, which is a key part of the UK’s Critical National Infrastructure (CNI) facing upcoming regulatory changes under NIS 2.
On 21 April 2025, Marks & Spencer began grappling with a significant cyber incident. M&S confirmed a ransomware attack, attributed to the ‘Scattered Spider’ group. Security analysts at sources including Specops Software and BleepingComputer report the deployment of a DragonForce encryptor, which caused extensive disruption: online orders were suspended for at least 11 days (until 2 May), and in-store systems like payments and stock management were severely impacted.
The potential financial cost, estimated by Specops Software at roughly £3.8 million per day in lost sales, underscores the severity.
On 30 April, shortly after the M&S attack, the Co-op blocked remote access for its staff to contain an attempted intrusion into its systems. While the impact was reportedly limited to back-office and call-centre functions, with no evidence (yet) of data compromise, it demonstrated the rapid response needed. Then, on 1 May, Harrods reported “attempts to gain unauthorised access,” marking the third major retailer targeted in just 10 days.
Cybercriminals recognise food-focused attack as potent weapon
For food manufacturers, these events are critically relevant. Firstly, disruption at major retail partners directly impacts your operations – orders cease, logistics falter, and visibility is lost. Secondly, and more concerningly, these attacks underscore the vulnerability of the complex, digitally dependent systems we all now rely on.
The food and drink sector increasingly relies on interconnected technology, from process control via operational technology (OT) and inventory management (IT) to logistics and supplier communications. This digitalisation, while boosting efficiency, expands the potential attack surface. Furthermore, an OT disruption upstream risks triggering food safety non-conformities under standards like BRCGS, firmly linking cyber risk to core compliance and safety mandates.
Threat actors increasingly recognise the high-impact potential of disrupting the food supply – whether through ransomware targeting operational continuity, intellectual property theft targeting valuable recipes and processes, or malicious tampering that compromises food safety and public health. The tactics used against M&S, reportedly involving social engineering and exploiting known vulnerabilities, are common methods that can target any organisation. These incidents highlight critical vulnerabilities, demanding specific, proactive measures from food manufacturers.
Call to action for food manufacturing leaders
These retail incidents must serve as an immediate catalyst for action within the food manufacturing industry. Complacency is not an option. We urge you to:
- Conduct urgent cyber posture reviews: Immediately reassess your organisation’s cybersecurity defences, aligning assessments against recognised frameworks like the NCSC Cyber Assessment Framework (CAF). Prioritise vulnerability scanning and penetration testing, particularly on internet-facing systems, remote access points, and crucial IT and OT interfaces.
- Validate and test incident response plans (IRPs): Don’t just have a plan; rigorously test it through tabletop exercises involving key stakeholders beyond IT, including plant operations, QA, and H&S teams. Define and aim for realistic recovery time objectives (RTOs). Could you recover critical production lines within, for example, four hours? Ensure clear procedures exist for detection, containment, eradication and recovery, referencing incident management guidance from bodies like NCSC.
- Reinforce cyber hygiene fundamentals: Patch systems promptly, especially addressing known exploited vulnerabilities; enforce strong, unique passwords and comprehensive multi-factor authentication (MFA); and review network segmentation rigorously, ensuring strict separation of critical OT/production environments from business IT networks.
- Intensify workforce vigilance: Enhance employee training on recognising sophisticated phishing attempts and social engineering tactics. Human interaction remains a primary vector for initial access. Ensure IT helpdesks have robust verification procedures.
- Scrutinise third-party risk: Evaluate the security posture of critical suppliers and partners within your supply chain (logistics, ingredients, packaging, software/automation vendors). Their vulnerability is your vulnerability. Contractually require evidence of their security maturity (e.g., Cyber Essentials Plus certification or adherence to specific framework controls).
- Prioritise OT security: Recognise that OT security requires specific expertise and controls, distinct from traditional IT. Draw on established standards like ISA/IEC 62443 and NIST SP 800-82 to guide the protection of industrial control systems. Track meaningful metrics, such as the ‘percentage of critical OT assets accessible only via MFA-protected jump-hosts’ or the ‘mean time to isolate a compromised PLC’.
- Foster collaboration and seek expertise: Share anonymised threat intelligence and best practices through industry bodies (e.g., Food & Drink ISAC). Leverage resources like the NCSC’s “Exercise in a Box – OT edition” to improve preparedness or engage local IASME-certified assessors for guidance.
The threat is real, sophisticated, and actively targeting UK businesses across the supply chain. Proactive investment in robust cybersecurity is not merely an IT cost but an essential component of business continuity, risk management, regulatory compliance, brand protection, and ensuring food safety and security in the UK.
Treat digital security with the same rigour as food safety protocols.