COMMENTARY: In recent weeks, three major UK retailers have fallen victim to ransomware attacks, with the DragonForce group claiming responsibility.

And just yesterday, one of the three, Marks & Spencer, disclosed that its customer data was stolen in a cyberattack three weeks ago.

These incidents are not isolated or coincidental—they reveal a trend that could turn global.

As a former head of IAM in retail, I deeply empathize with the teams on the inside, working night and day to recover. During an attack, it’s tough to get sleep, stress runs high, and trust comes hard. It’s a disorienting time where every decision feels critical. Recovery often demands draconian measures just to regain control, but teams aim to restore normal operations, giving people back the tools to do their jobs, and keeping the shelves stocked and the tills running.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

For those on the outside, it’s important to know that the attackers compromised all three retailers by targeting gaps in identity, using age-old social engineering techniques to steal credentials and weave their way into their networks.

They are a reminder to retailers that all companies are targets—but they’re also a rare opportunity to rapidly advance security measures by capturing executive imagination with real-life examples of how attackers can weaponize weaknesses. Attacks like these can drive the changes necessary to get identity firmly at the top of the security agenda—after all: control account compromise and it’s possible to control ransomware.

If we can learn anything from these recent attacks, it’s that now’s the time to rethink how the industry perceives identity—not just as an operational and efficiency function, but with the right mindset, as a critical security control. Identity and access management (IAM) and security teams that have long pushed for deeper protections should use this opportunity to move those plans forward. Now’s the moment to act.

In large retail organizations, we often drive change by compliance requirements or the pursuit of operational efficiency, not security. The technologies in place were never designed with modern threat landscapes in mind, leaving security as a happy, albeit incomplete, by-product. It’s a legacy we’re still contending with, especially when it comes to identity.

We see this in action in the three main models that dominate retail identity management:

The minimal access model: Most frontline workers don’t have accounts, and systems like Point-of-Sale (PoS) terminals are shared and locally managed. These environments are heavily segmented and seen as relatively low risk. But this also limits what digital tools can do to support the business.

The enabled-but-unprotected model: Everyone has an account, but security controls are only rolled out to knowledge workers, not the retail employees working the storefront. Efficiency improves, but the attack surface grows massively without corresponding security investments. It’s a digitized workforce—but not a protected one.

The rare few: Some smaller or more security-conscious retailers have extended protection—often in the form of MFA—to all staff, including frontline workers. But this remains the exception, not the norm.

Identity too often gets managed in silos as a function of compliance and efficiency, particularly in people-dense industries like retail, logistics, or public sector services. What attackers understand—and defenders under-resource—is that it’s also one of the easiest vectors to exploit. And with the digitalization of the frontline workforce, it’ll only get easier.

Make identity a security priority

The operational cost of rolling out strong identity controls like MFA to even a portion of the company’s users can feel significant. But that cost pales in comparison to the financial, reputational, and operational damage caused by a successful ransomware attack.

Restoring functionality after an attack is not just about rebuilding or even reimaging systems. It’s about untangling complex interdependencies and re-evaluating long-standing architectural decisions. It’s about rebuilding trust that the person on the other end of that Zoom call or email thread is who they say they are. Ultimately, it can take months and sadly, the true costs are enormous.

In times of peace, it’s incredibly hard to justify a change that could disrupt day-to-day efficiency, even if it improves overall security. But in the wake of an attack, priorities change and old barriers fall away. Here’s where transformation becomes possible—not just for those in the middle of it, but also for the onlookers.

With three major UK retailers hit in quick succession, and the same underlying gaps exploited, it’s no longer a question of if this could happen elsewhere, but when. We’ve seen this pattern before: MGM, Uber, and others.

The vector doesn’t change because it still works. A compromised identity worked then, and it continues to work now. Retailers around the world now have their chance to think bigger, act upstream, and use these attacks to change identity from being an operations function to a vital security control.

For those now in the trenches of a breach, know that this will pass. It’s difficult to recover, but possible—and there’s a community of practitioners ready to support victims of attacks.

For everyone else, don’t wait for a personal wake-up call. These attacks are an opportunity to shift mindsets, both within and around the industry. Identity is not just about keeping auditors happy or shelves stocked. It’s about stopping real threats, protecting real people, and ensuring operational resilience. Treat identity as a core part of the organization’s security strategy, not an efficiency play, and take control against identity-first attackers.

Rob Ainscough, chief identity security advisor, Silverfort; former head of IAM, Tesco

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.