The recent cyberattack on UK retailer Marks & Spencer (M&S), along with similar threats to Harrods and the Co-Op, is a stark reminder that no retail channel is immune from compromise. While the M&S breach initially appeared to stem from a social engineering attack on IT help desk staff, new details reveal that hackers gained access through a third-party supplier with system access.
The attack caused widespread operational disruption - shutting down online orders, impacting food systems, and stalling app-based services for weeks. This isn’t just a one-off failure - it exposes a deeper systemic risk: as retailers rely more heavily on digital infrastructure, mobile apps and APIs become critical attack surfaces.
A Wake-Up Call for Retailers
The M&S incident was particularly devastating because it targeted the very systems that underpin the retailer’s digital operations. Attackers, believed to be the group Scattered Spider, manipulated IT access - directly and through third-party systems - and once inside, unleashed ransomware that stalled services ranging from click-and-collect to contactless payments.
The attack caused millions in lost sales, with analysts estimating over £40 million per week in impact since it began over the Easter bank holiday weekend. Online orders were paused for more than three weeks, and some food shelves were left empty as M&S was forced to take certain systems offline. In a precautionary move, M&S shut down key IT operations, effectively locking itself out of core systems to contain the threat.
On 13 May, M&S confirmed that personal customer data had been compromised, including names, birth dates, contact details, household information, and online order histories - a severe blow to customer trust.
Though this breach wasn’t mobile-specific, it highlights how dependent retail now is on digital infrastructure, including mobile apps. Mobile is no longer just a customer touchpoint - it’s a critical business system, and increasingly, an attack vector.
Mobile Apps: A Hidden Security Risk
Retail mobile apps handle a wide range of sensitive data - user credentials, payment details, loyalty points, and personal shopping history. These apps communicate heavily with backend APIs, which, if left unsecured, can be reverse-engineered, manipulated, or exploited.
Without strong protections:
- Attackers can impersonate legitimate apps
- API calls can be spoofed or replayed
- Sensitive data can be scraped or exfiltrated
- Mobile sessions can be hijacked at scale
And none of this requires physical access—a single compromised device or emulator can launch thousands of malicious API requests undetected.
Mobile Security: Defense in Depth
Modern mobile apps run in untrusted environments yet handle sensitive information, making robust, layered protection essential.
Key elements of mobile app security include:
- App Attestation: Verifies API requests originate from legitimate, untampered apps—not bots, emulators, or rogue clients.
- Secure API Access: Ensures only attested, authenticated apps can interact with backend services.
- Runtime Threat Detection: Identifies rooted/jailbroken devices, reverse engineering tools, and other high-risk signals.
- Secrets Protection: Prevents extraction of API keys and tokens, even if an app is decompiled.
Without these measures, attackers can impersonate users, abuse rewards programs, scrape sensitive data, and severely disrupt mobile commerce operations - damaging customer trust and business continuity.
Approov: Securing the Mobile Channel
Approov provides an end-to-end mobile security solution purpose-built to protect the mobile channel and the APIs it depends on. Unlike static security measures, Approov uses dynamic, cloud-based app attestation to ensure that only genuine, untampered apps can access backend services.
Key capabilities include:
- Dynamic App Attestation: Validates each app instance in real time before allowing API access, blocking modified apps, bots, and unauthorized access.
- Runtime Threat Detection: Detects emulators, debuggers, root access, and tampering tools to prevent attacks from compromised environments.
- Secrets Protection: Ensures API keys and tokens are delivered just-in-time and never stored in the app, eliminating the risk of key extraction and abuse.
For retailers, this means protecting mobile channels without sacrificing user experience, ensuring resilience, trust, and uninterrupted service even under attack.
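To make the attestation and secure API access ideas from the two lists above concrete, here is an added illustrative example of the backend side of the check; it is not Approov's own code or token format. It assumes a short-lived, HMAC-signed token issued to a genuine app instance by an attestation service (constructed secret, app id and `X-Attestation-Token` header name), which the API verifies before serving any request.

```python
import base64
import hashlib
import hmac
import json

# Constructed, assumed values for the example; a real deployment keeps the
# secret only on the attestation service and the backend, never in the app.
ATTESTATION_SECRET = b"example-shared-secret-not-for-production"
EXPECTED_APP_ID = "com.example.retailapp"
TOKEN_HEADER = "X-Attestation-Token"  # assumed header name

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(app_id: str, device_id: str, issued_at: int, ttl: int = 300) -> str:
    """Stand-in for the attestation service: only an app instance that passed
    attestation would be handed this token. Short TTL limits replay."""
    claims = {"app": app_id, "dev": device_id, "iat": issued_at, "exp": issued_at + ttl}
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(ATTESTATION_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"

def verify_token(token: str, now: int) -> tuple[bool, str]:
    """Backend check run on every API call. Signature first, so a forged or
    modified token is rejected before any claim is trusted."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(ATTESTATION_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return False, "bad signature"
        claims = json.loads(_unb64url(body))
    except ValueError:  # covers bad base64, bad JSON and a missing '.'
        return False, "malformed token"
    if claims.get("app") != EXPECTED_APP_ID:
        return False, "unexpected app"
    if now >= claims.get("exp", 0):
        return False, "expired"
    return True, "ok"

def handle_api_request(headers: dict, now: int) -> int:
    """Returns an HTTP status: 401 unless a valid attestation token is present."""
    ok, _reason = verify_token(headers.get(TOKEN_HEADER, ""), now)
    return 200 if ok else 401
```

Logging the rejection reason (without the token itself) gives the security team a per-endpoint signal for spotting emulator farms or replayed tokens.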
Don’t Wait for a Mobile Breach
The M&S attack is a cautionary tale. Mobile wasn’t the initial entry point—but its disruption had real, measurable impact, halting digital orders and shaking customer confidence.
With attacks on the Co-Op and attempted breaches at Harrods, and with both customer and staff data exposed, it’s clear that retailers are facing coordinated, multi-channel threats.
The lesson? Secure every layer. In today’s retail landscape, mobile and API security cannot be an afterthought.