Cyber attacks on retailers – why care providers should take note 

May 6th 2025

The National Cyber Security Centre (NCSC) has issued a warning following a spate of cyber incidents affecting major UK retailers, including M&S, Harrods and the Co-op. These incidents led to disruption of online ordering systems, impact on customer services, and in some cases, data breaches. 

While these attacks were aimed at retail businesses, the implications are far wider — including for adult social care providers.  

“This is a timely reminder of how vulnerable even major companies like M&S and the Co-op can be. But remember, cyber criminals don’t always come looking for you directly – they scan for vulnerabilities across the board. Weak spots get hit first. Basic cyber hygiene such as strong passwords, MFA, staff training, patching, and a solid continuity plan can make all the difference.”
Daniel O’Shaughnessy, Head of Programme Delivery, Digital Care Hub 

The NCSC has stated: 

“Criminal activity online – including, but not limited to, ransomware and data extortion – is rampant. Attacks like this are becoming more and more common. And all organisations, of all sizes, need to be prepared.”
National Cyber Security Centre 

Why this matters to social care 

The NCSC’s warning focused on attacks that compromised third-party suppliers, affecting multiple well-known high street brands. It’s a good example of how one weak link in a supply chain can have a knock-on effect for many other organisations. 

Social care providers are not immune to these kinds of risks. Whether it’s ordering PPE, groceries, office supplies, or uniforms, many care providers rely on online platforms to keep their services running smoothly. A cyber attack that interrupts your access to suppliers — or compromises your staff’s or residents’ data — could quickly lead to serious disruption. 

In some cases, email addresses used to make purchases or receive receipts may be targeted in phishing attacks, reused in other scams, or leaked in a data breach. If the same passwords are used across different accounts, the risk is even higher. 

Steps you can take 

There are several practical actions you can take to reduce your risk and improve your ability to respond to incidents. 

  1. Secure your email systems

Email is one of the most common entry points for cyber criminals. Make sure your work email accounts are protected with strong passwords and, ideally, multi-factor authentication (MFA). MFA is a simple but highly effective way to stop unauthorised access — even if someone knows your password. Consider using a password manager. 

Encourage staff not to use work email accounts for personal online shopping, and vice versa. Where personal shopping is done on shared work devices, consider how you can reduce exposure through better access controls and user awareness. 

  2. Review your password reset and IT help desk processes

Recent cyber attacks have used social engineering, where criminals impersonate IT support to trick employees into handing over login details. Sometimes it is the other way around: criminals call the people who work on the help desk and pretend to be an employee locked out of their account.

The NCSC has specifically warned organisations to review how their IT help desks authenticate staff before resetting passwords, especially for senior employees or those with admin access. 

Work with your IT supplier to make sure your systems and support processes are robust. This might include introducing code words, additional identity checks, or MFA before allowing password changes. 

These measures help ensure that both your staff and your IT support teams are protected from impersonation attacks. 

  3. Check your recovery processes

If an email account is hacked or your systems go down, could you still communicate with key people? Make sure you and your IT support know how to reset accounts securely, and that recovery email addresses or phone numbers are up to date. 

Have a clear process for what to do if an account is compromised — including how to alert others and limit the damage. 

  4. Have a business continuity plan

Could your service continue to run if you lost access to your systems, email, or key suppliers for 24 hours? 48 hours? Longer? 

Every care provider should have a business continuity plan that covers cyber incidents. This should include how you’ll communicate during a crisis, how you’ll access critical supplies, and how you’ll keep residents and staff safe. 

Who do you need to communicate with if something goes wrong? What do you need to tell them, and when and how frequently do you need to keep in touch as things change?

  5. Use free tools to improve your cyber resilience

You don’t have to do this alone. There are free resources that can help: 

  • The NCSC Early Warning System is a free service that alerts you if your IT systems are associated with a known cyber threat. 

Both tools are free, simple to use and tailored to help you act before an incident becomes a crisis. 

Need help? 

The Digital Care Hub has a full section on cyber security specifically designed for care providers. Whether you’re a small home care agency or a large residential provider, the guidance is practical, accessible, and jargon-free. 

Cyber attacks on the retail sector might seem distant, but they are a stark reminder that no organisation is too big or too small to be targeted — or affected. By taking a few simple steps now, you can protect your staff, your service, and the people you care for. 

Is your organisation cyber ready? Find out more about data protection and cyber security for care providers.
