Lessons from M&S and Co-op breaches: Why identity security must be a priority across EMEA

Spence Young
In recent weeks, the retail sector in the UK was shaken by data breaches affecting Marks & Spencer (M&S), the Co-operative Group (Co-op) and Harrods.
While each incident had its own technical and operational specifics, both underscore a broader truth: identity is now the primary attack vector, and organisations must modernise their security strategies to keep pace.
What happened?
M&S experienced a breach involving unauthorised access to employee data through a third-party payroll provider, while Co-op’s incident involved compromised customer data through a digital service provider. In both cases, the attackers exploited weak points in the identity chain—trusted systems and users that weren’t sufficiently protected or monitored.
These types of breaches are increasingly being coupled with ransomware attacks that leverage a double-extortion model: not only is data encrypted to disrupt operations, but it's also exfiltrated and used as leverage to demand payment under the threat of public exposure. Attackers aren't just locking systems—they're weaponising stolen identities and sensitive data to maximise pressure and impact.
This isn't just a UK problem. Across EMEA, we're seeing a rise in cyber incidents where identity is the key enabler. Attackers are shifting tactics from financial services to manufacturing and beyond, and traditional perimeter defences are no longer enough.
The identity security wake-up call
These breaches are stark reminders that privileged access isn’t just about admins in IT. Every employee, third-party partner, and service account represents potential exposure if not properly secured. Identity is now the new perimeter—and it must be treated as such.
Key takeaways for organisations across EMEA:
- Zero Trust is not optional: Assume breach, validate continuously. No one—internal or external—should be implicitly trusted.
- Privileged access must be just-in-time and just-enough: Always-on, over-provisioned access is a liability.
- Third-party risk is identity risk: Supply chains and service providers must be held to the same standards as internal systems.
Moving from reactive to proactive security
The future of cyber resilience lies in full-spectrum identity security. That means going beyond passwords and MFA, and putting controls around every identity—human and machine, inside and outside the organisation.
Organisations that take a holistic approach—combining least privilege principles, continuous validation, session monitoring, and intelligent automation—are in a far better position to defend against modern threats.
At Delinea, we support this shift by helping organisations simplify and strengthen how they manage and protect access across their environments—without adding friction for users or IT teams.
As AI-enabled attacks and ransomware campaigns become more frequent and sophisticated, the cost of delay is growing. Modern identity security isn't just an IT issue—it’s a business imperative.
Strengthening trust in a shifting threat landscape
The M&S and Co-op incidents are cautionary tales, but they also offer a chance to re-evaluate how your organisation approaches identity security. In today's threat landscape, protecting data means protecting identities. Let's make sure we're ready.
