
May 13, 2025
Harrods, the UK’s iconic luxury department store, was hit by a cyberattack in late April 2025, just days after Marks & Spencer was taken offline by a similar assault. While Harrods didn’t shut down operations entirely, the response was swift: network restrictions, internal panic, and quiet containment.
It’s the third UK retailer in two weeks to be targeted. And it’s a signal: the retail sector is wide open.
Let’s break down what happened, what vulnerabilities this kind of attack exposes, and how Konvergence’s zero-layer backend would have made the entire exploit path a dead end.
How the Attack Unfolded
On April 30, Harrods detected unusual activity on its internal systems. By May 1, they confirmed a cyberattack had occurred. Publicly, they downplayed it: “We’re still operating,” they said. But cybersecurity analysts familiar with the situation pointed to telltale signs of a deeper issue:
Internal internet access was restricted across locations
Systems tied to employee workflows were temporarily taken offline
The company remained vague about how the breach began, hinting at an MFA fatigue or impersonation vector
The timing—and techniques—suggest involvement by Scattered Spider, the same group linked to the M&S attack days earlier. Known for phishing, social engineering, and exploiting identity systems that rely on trust over proof, they target organizations where legacy IT infrastructure still assumes “internal means safe.”
Why Retail Is Getting Hit So Hard Right Now
Harrods—and other big-name retailers—run sprawling, hybrid tech stacks. They’ve got:
Public-facing websites
Internal ERP and HR systems
Vendor APIs and POS integrations
Massive customer data lakes
Most of these systems are glued together with middleware that assumes identity equals trust. If someone gets access to a single admin tool, they can pivot between subsystems almost invisibly. DNS maps help attackers understand what’s connected to what.
What’s worse: staff still rely on passwords, push approvals, and helpdesk resets. All of these can be tricked. And once inside? There’s often no segmentation, no cryptographic proof needed to move laterally, and no automated rollback once ransomware starts encrypting files.
That’s exactly the environment groups like Scattered Spider exploit.
What a Zero-Layer Architecture Would Have Changed
Here’s how Konvergence would have shut this attack down—before it even got started:
Identity Is Cryptographic, Not Behavioral
Phishing and impersonation don’t work when every service and user has to cryptographically sign each interaction. There’s no “approve” button, no password resets, no workaround. You either prove who you are—or you’re not in.
There’s No DNS to Pivot Through
In Konvergence, service discovery happens over private, encrypted channels. DNS isn’t just hidden—it doesn’t exist. You can’t scan, spoof, or map something that’s not there.
Every Service Is Its Own Trust Boundary
Lateral movement fails when you can’t cross boundaries without re-authenticating cryptographically. Even if one staff credential were compromised, the attacker wouldn’t get access to anything else.
Ransomware Gets Rewound Instantly
Thanks to Merkle Clocks, all system changes are logged immutably. When something bad happens—like ransomware encryption—Konvergence auto-reverts the system state to before the infection. No need to rely on backups or SOC analysts.
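The rewind idea above rests on two pieces: a change log that cannot be silently edited, and a way to replay it to any earlier point. The following is an added illustration of that idea, not Konvergence’s code or its Merkle Clock implementation: a hash-chained log of file writes (the names ChainedLog, first_suspicious_seq, recover and build_demo are constructed here), a simple entropy heuristic that flags a run of overwrites that look like ciphertext, and a rollback that replays the log to the last entry before that run. The sample invoice files and the hash-derived “ciphertext” are constructed, not real data.

```python
import hashlib
import math

GENESIS = "0" * 64  # prev-hash recorded by the first entry

def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte: ciphertext sits near 8, ordinary business text near 4-5."""
    return -sum(data.count(b) / len(data) * math.log2(data.count(b) / len(data)) for b in set(data))

def link_hash(seq: int, path: str, data_hex: str, prev: str) -> str:
    return hashlib.sha256(f"{seq}|{path}|{data_hex}|{prev}".encode()).hexdigest()

class ChainedLog:
    """Append-only log of file writes; every entry commits to its predecessor's hash."""
    def __init__(self):
        self.entries = []  # dicts with seq, path, data (hex), prev, hash
    def append(self, path: str, data: bytes) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        e = {"seq": len(self.entries), "path": path, "data": data.hex(), "prev": prev}
        e["hash"] = link_hash(e["seq"], path, e["data"], prev)
        self.entries.append(e)
        return e["hash"]
    def verify(self) -> bool:  # recompute every link; an edited, dropped or reordered entry breaks it
        prevs = [GENESIS] + [e["hash"] for e in self.entries[:-1]]
        return all(e["prev"] == p and link_hash(e["seq"], e["path"], e["data"], p) == e["hash"]
                   for e, p in zip(self.entries, prevs))
    def state_before(self, seq: int) -> dict:  # replay the log up to (not including) entry seq
        return {e["path"]: bytes.fromhex(e["data"]) for e in self.entries[:seq]}

def first_suspicious_seq(log: ChainedLog, window: int = 3, threshold: float = 7.0):
    """Seq that starts the first run of `window` consecutive high-entropy overwrites, else None."""
    run = 0
    for e in log.entries:
        run = run + 1 if entropy_bits(bytes.fromhex(e["data"])) >= threshold else 0
        if run == window:
            return e["seq"] - window + 1
    return None

def recover(log: ChainedLog) -> dict:
    """Roll back to the file set as it stood just before the suspected encryption run began."""
    bad = first_suspicious_seq(log)
    return log.state_before(len(log.entries) if bad is None else bad)

def build_demo() -> ChainedLog:
    """Constructed sample: three invoice writes, then each invoice overwritten with noise."""
    log = ChainedLog()
    for i in range(3):
        log.append(f"/finance/invoice-{i}.txt", f"Invoice {i}: 120.00 GBP, due in 30 days".encode())
    for i in range(3):  # stand-in for ciphertext: 4 KiB of hash output, not real encryption
        log.append(f"/finance/invoice-{i}.txt", b"".join(hashlib.sha256(f"demo:{i}:{k}".encode()).digest() for k in range(128)))
    return log
```

The entropy heuristic is deliberately crude (compressed archives also score high), so in practice it would be one signal among several; the point of the chain is that whichever signal fires, the pre-infection state is recoverable from the log itself rather than from a backup that may also have been reached.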
Vendor Access Is Zoned, Not Global
Third-party vendors and tools operate in isolated service zones. Even if a vendor credential is compromised, there’s no path to other data or infrastructure.