DragonForce Hit Three Retailers. Three Different Outcomes. Here's Why.

Dr Mark Graham, CEO of ZORB Security

When you don’t know what data is at risk during an incident, shutdown becomes your only rational decision (Image created by AI)

Earlier this year, the DragonForce ransomware gang (working with Scattered Spider affiliates) hit three major UK retailers within weeks of each other. Same threat actor. Similar attack methods. Similar enterprise security stacks.

Three completely different operational outcomes.

Marks & Spencer: Shut down warehouses and logistics systems for weeks. Staff sent home. Empty shelves. Supply chain chaos. Customer services were unavailable. The shutdown cost more than the breach itself.

Co-op: Data was stolen. They confirmed this publicly. But they maintained selective operations throughout the incident. Strategic isolation of compromised systems. Faster containment. Continued serving customers.

Harrods: Restricted internet access, isolated affected systems. Physical stores stayed open. Online operations continued with controls. Minimal customer disruption.

The difference wasn’t in prevention quality. All three had enterprise security. All three got breached anyway. The difference was operational resilience during the incident: specifically, confidence about what application data was actually at risk.

This is the assumed breach strategy in practice. Not defeatist pessimism, but pragmatic planning for what happens when prevention eventually fails. DragonForce proves the point: determined attackers get through enterprise security. The question isn’t if they’ll breach your perimeter. The question is what happens next when they do.

That confidence determines whether you make strategic decisions or panic responses.

When you don't know what's at risk, shutdown is your only option

M&S detected the breach. Then faced the question every organisation faces during security incidents: what do we shut down?

Without confidence about which applications had transmitted data, and where that data went, they made the only rational decision available: shut down everything that could possibly be at risk.

Warehouses stopped. Distribution centres closed. Staff sent home. Customer-facing services went dark.

Not because the attack was so devastating that they had no choice. Because they had no visibility into what application data was at risk. When you don’t know which systems transmitted sensitive data during the compromise, wholesale shutdown is the only defensible position you can take.

The empty shelves weren’t caused by ransomware. They were caused by a lack of data protection confidence during the incident.

This is where revenue protection during incidents becomes critical. Every day of shutdown equals lost sales, supply chain penalties, and customer defection to competitors who stayed operational. The operational resilience gap didn’t just cost M&S technical recovery time; it also cost business continuity and market position during the weeks their systems remained dark.

This is the pattern I’ve seen repeatedly in 40 years: companies with sophisticated security still shutting down for weeks after breaches, not because the technical damage was irreparable, but because they couldn’t answer basic questions about application data risk.

Co-op made strategic decisions during their incident

Co-op got breached. They publicly confirmed that data was stolen. Yet their operational outcome was different.

They didn’t shut down everything. They made strategic isolation decisions: compromised systems got disconnected, but customer-facing operations continued with controls.

I don’t have inside knowledge of Co-op’s security stack. But their operational response demonstrates something critical: they had enough visibility during the incident to make nuanced decisions about what actually needed to stop versus what could safely continue.

That’s not prevention. That’s operational resilience. The ability to make strategic decisions during active security incidents instead of panic responses that destroy business value.

Strategic triage requires knowing what application data is at risk. Without that confidence, you default to M&S’s wholesale shutdown approach.

Harrods maintained operations with measured controls

Harrods took a different approach entirely. When they detected the compromise, they restricted internet access and isolated affected systems. But their physical stores stayed open. Online operations continued with security controls. Customer experience remained largely unaffected.

This is what operational resilience looks like: measured response based on understanding of actual risk, not fear-based assumptions about worst-case scenarios.

Whilst DragonForce was sophisticated enough to breach enterprise security, the business impact of Harrods’ incident was minimal compared to M&S’s extended shutdown. Not because Harrods had better prevention. But because they could make operational decisions based on confidence about what systems were actually at risk.

Prevention theatre vs real resilience

Notice the pattern? All three retailers had enterprise security. All three invested in prevention controls. Yet only two maintained operational resilience during their incidents.

This is prevention theatre vs real resilience in action. Prevention controls are necessary. Deploy them, maintain them, and fund them properly. But operational resilience requires data protection confidence during incidents when prevention eventually fails.

M&S’s extended shutdown wasn’t a prevention failure. It was an operational resilience gap. They couldn’t answer the question: “What application data is actually at risk right now?” Without that answer, shutdown was their only rational choice.

When prevention fails, and determined attackers prove it does, operational capability during the incident determines your business outcome. Not your prevention investment.

The technical reality: why these attacks work

What follows is some technical analysis for security teams. Not interested in technical details? Skip to “The application data gap”.

DragonForce uses sophisticated attack chains that bypass traditional security tools. Here’s what they actually do, and why conventional DLP doesn’t stop them:

Stage 1: Initial Access
Phishing campaigns and social engineering (the Scattered Spider speciality). Stolen credentials from previous breaches. Once inside the network perimeter, they use tools like Mimikatz to harvest additional credentials from memory.

Stage 2: Establish Presence
PowerShell scripts for persistence. Cobalt Strike for command-and-control infrastructure. These are legitimate IT administration tools being weaponised, which is why endpoint protection often misses them initially.

Stage 3: Discovery & Lateral Movement
Active Directory enumeration to map the network. Port scanning to find vulnerable systems. Manual file searching for high-value data. Then, lateral movement via RDP, SMB protocols, and legitimate remote access tools.

Stage 4: Data Exfiltration
This is where operational outcomes diverge. DragonForce exfiltrates data through:

  • Command-and-control channels that bypass email/web monitoring
  • Tools like rclone, wget, and FTP that DLP doesn’t see
  • Application-to-application data flows that conventional security can’t see

These are desktop application processes (.exe files) transmitting data: the 80% of application data flows that DLP completely misses.

Your email DLP monitors Outlook messages. Your web gateway monitors browser uploads. But when PowerShell transmits financial data to an attacker-controlled server? When rclone uploads your CRM database to unauthorised cloud storage? When legitimate remote access tools are abused to exfiltrate intellectual property?

DLP sees none of it. Because it wasn’t designed to monitor desktop application data flows.

The application data gap

This is why M&S shut down for weeks while Harrods maintained operations.

During security incidents, you need to answer three immediate questions:

  1. Which applications transmitted data during the compromise?
  2. Where did that data actually go?
  3. Was it legitimate business traffic or theft?

DLP can’t answer these questions. Not because it’s badly designed, but because this traffic lies outside DLP’s scope. ZORB complements endpoint protection and DLP by filling the application data gap they were never designed to address.

Your EDR works with ZORB to provide defence-in-depth: EDR defends the device from malware execution, DLP monitors email and web content, and ZORB prevents application data theft. Three layers, no overlap, complete coverage.

DLP does what it was built to do brilliantly: prevent accidental data loss via email and web traffic. But it was never meant to detect deliberate theft via desktop application processes during active security incidents.

Word documents with strategic plans. Excel spreadsheets with financial models. CRM data with customer intelligence. Finance applications with proprietary information. HR systems with employee records.

Business-critical application data lives outside the 20% that email and web DLP monitors. When attackers breach your perimeter, this unmonitored 80% is what they target. And without visibility into these application data flows, you have no confidence about what’s at risk during incidents.

No confidence means no strategic decisions. No strategic decisions means a wholesale shutdown. A wholesale shutdown means M&S’s outcome: weeks offline, supply chain disruption, empty shelves, and customer defection.

Here is what changes with application data theft prevention

When you have process-to-destination visibility, i.e. knowing which application process transmitted what data to which destination IP address, everything changes during security incidents.
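
The following is an added example, not ZORB’s code, of what the process-to-destination triage described above (and the three incident questions listed under “The application data gap”) looks like in practice. It assumes an endpoint agent already records, for every outbound connection, the originating process image, the destination and the byte count; the log format, hostnames, process names, IP ranges (RFC 5737 documentation addresses for the external side) and the per-application baseline are all constructed for the example. The Stage 4 tools named in the article (rclone, wget, FTP) are treated as unsanctioned in this environment, and a process with no baseline is denied external egress by default rather than assumed legitimate.

```python
"""Process-to-destination triage over constructed endpoint connection records.

Added example, not ZORB's code. It assumes an endpoint agent already records the
originating process image, destination and byte count of each outbound connection.
Log format, hostnames, process names, IP ranges and the baseline are constructed.
"""
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed baseline: the destinations each application is expected to reach.
# A real baseline is learned from the organisation's own traffic before any incident.
EXPECTED_DESTINATIONS = {
    "finance.exe": [ip_network("10.20.0.0/16")],     # internal finance servers
    "crm.exe":     [ip_network("198.51.100.0/24")],  # CRM vendor range (constructed)
    "outlook.exe": [ip_network("198.51.100.0/24")],  # mail service range (constructed)
}
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]  # "inside" for the default-deny rule
# Transfer utilities the article names as exfiltration channels; in this constructed
# environment none of them belongs to a sanctioned workflow.
UNSANCTIONED_TRANSFER_TOOLS = {"rclone.exe", "wget.exe", "ftp.exe"}

# One constructed agent record per outbound connection, as a key=value line.
LINE_RE = re.compile(r"^\S+ host=(?P<host>\S+) image=(?P<image>\S+) "
                     r"dst=(?P<ip>[0-9.]+):\d+ bytes=(?P<bytes>\d+)$")
ConnEvent = namedtuple("ConnEvent", "host process dest_ip bytes_out")

def parse_log(text):
    """Parse constructed agent lines; malformed lines are skipped, never guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ConnEvent(m["host"], m["image"].lower(), m["ip"], int(m["bytes"])))
    return events

def classify(ev):
    """Question 3 for one connection: expected, unauthorised or unknown, and why."""
    if ev.process in UNSANCTIONED_TRANSFER_TOOLS:
        return "unauthorised", "unsanctioned transfer tool"
    addr = ip_address(ev.dest_ip)
    allowed = EXPECTED_DESTINATIONS.get(ev.process)
    if allowed is not None:
        if any(addr in net for net in allowed):
            return "expected", "destination within application baseline"
        return "unauthorised", "destination outside application baseline"
    # No baseline for this process: deny external egress by default and flag
    # internal traffic for review rather than assuming it is legitimate.
    if any(addr in net for net in INTERNAL_NETWORKS):
        return "unknown", "unbaselined process, internal destination"
    return "unauthorised", "unbaselined process, external destination"

def triage(events):
    """Questions 1 and 2: per host and process, what went where, and can it keep running?"""
    summary = {}
    for ev in events:
        verdict, reason = classify(ev)
        entry = summary.setdefault((ev.host, ev.process), {
            "bytes_total": 0, "bytes_unauthorised": 0,
            "destinations": {}, "decision": "continue"})
        entry["bytes_total"] += ev.bytes_out
        entry["destinations"][ev.dest_ip] = (verdict, reason)
        if verdict == "unauthorised":
            entry["bytes_unauthorised"] += ev.bytes_out
            entry["decision"] = "isolate"
        elif verdict == "unknown" and entry["decision"] == "continue":
            entry["decision"] = "review"
    return summary

def host_decisions(summary):
    """Roll up to the call an incident lead makes: isolate, review or continue each host."""
    rank = {"continue": 0, "review": 1, "isolate": 2}
    hosts = {}
    for (host, _process), entry in summary.items():
        hosts[host] = max(hosts.get(host, "continue"), entry["decision"], key=rank.get)
    return hosts

# Constructed sample: a normal finance session, PowerShell and rclone pushing large
# volumes to external addresses (RFC 5737 documentation IPs), and an internal portal.
SAMPLE_LOG = """\
2025-05-01T10:00:01Z host=FIN-WS01 image=finance.exe dst=10.20.5.10:443 bytes=48213
2025-05-01T10:00:07Z host=FIN-WS01 image=powershell.exe dst=203.0.113.44:443 bytes=15728640
2025-05-01T10:01:12Z host=SALES-WS07 image=crm.exe dst=198.51.100.20:443 bytes=9120
2025-05-01T10:01:40Z host=SALES-WS07 image=outlook.exe dst=198.51.100.20:443 bytes=2200
2025-05-01T10:02:03Z host=HR-WS03 image=rclone.exe dst=203.0.113.9:443 bytes=734003200
2025-05-01T10:02:30Z host=WEB-PORTAL1 image=portal.exe dst=10.40.1.5:5432 bytes=5120
"""

if __name__ == "__main__":
    summary = triage(parse_log(SAMPLE_LOG))
    for (host, process), entry in sorted(summary.items()):
        print(f"{host:12} {process:16} {entry['decision']:9} "
              f"unauthorised={entry['bytes_unauthorised']:>10} of {entry['bytes_total']:>10} bytes")
    print("host decisions:", host_decisions(summary))
```

Run as-is, the sample separates the finance workstation and the HR workstation (large transfers by PowerShell and rclone to addresses outside any baseline, so isolate) from the sales workstation (every connection within its application baselines, so continue) and the portal host (an unbaselined internal-only flow, so review rather than shut down). The point is the shape of the answer, not the specific verdicts: a per-host decision backed by which process sent how many bytes to which destination is what turns “shut down everything” into a selective isolation list.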

This is real-time prevention without user intervention. Automated data protection that blocks unauthorised transmissions before they leave the device. No alert fatigue. No human decision-making during the chaos of an active incident. Just immediate prevention of application data theft the moment it’s attempted.

Not prevention theatre promising perfect security. These are still attacks that bypass your perimeter. But your operational response options expand dramatically during the incident itself.

Instead of: “We’ve been breached, shut down everything until we understand the scope”
You can say: “Finance system transmitted data to an unauthorised destination – we need to isolate that. Customer portal applications show no suspicious transmissions; let’s keep it running.”

Strategic triage. Selective shutdown of compromised systems. Maintained operations for confirmed-safe systems. Faster recovery because you can restart with confidence that critical data wasn’t stolen.

This is operational resilience during incidents. The capability that separated M&S’s extended shutdown from Harrods’ measured response.

Application data theft prevention gives you the data protection confidence to make these strategic decisions. Not as prevention theatre that promises perfect security while determined attackers still get through, but as the operational resilience foundation that changes your options when prevention eventually fails.

Because the costly truth nobody wants to admit: panic shutdowns often destroy more business value than the breaches themselves.

Don't wait for DragonForce to find your gaps

Most organisations discover they have an application data protection gap during an active security incident. When it’s too late to do anything except shut down and investigate.

IT Directors in retail, professional services, and financial services: don’t discover your gap during the next ransomware incident when a panic shutdown is your only option.

Ten devices. Ten days. We’ll show you what application data flows your current security stack isn’t monitoring.

Not theoretical threats. Actual unauthorised data transmissions from Word, Excel, CRM systems, and desktop applications in your environment. Applications querying DNS through ISPs instead of connecting directly to vendors. Data flowing to destinations your security team has never reviewed.

Evidence from your own infrastructure about the gap that determines whether you make M&S’s shutdown decision or Harrods’ strategic response.

Then you decide: fill the application data protection gap or accept the risk that your next security incident forces a panic shutdown because you lack data protection confidence.

Your Questions Answered

Q. What made the outcomes different for these three retailers?
It wasn’t prevention quality, as all had enterprise security and still got breached. The difference was in data protection confidence during incidents. Co-op and Harrods could make strategic isolation decisions because they had visibility into what systems were at risk. M&S defaulted to wholesale shutdown because it lacked that confidence.

Q. Could M&S have kept some systems running during their incident?
Possibly. Customer-facing services that showed no suspicious application data transmissions could potentially have continued with controls. But without visibility into desktop application data flows, shutdown was the only defensible decision. When you don’t know what data is at risk, you can’t take the risk of staying operational.

Q. How does application data theft prevention help during ransomware attacks?
Ransomware gangs exfiltrate data before encrypting – that’s the “double extortion” model. They steal via desktop application processes that DLP doesn’t monitor: PowerShell scripts, remote access tools, file transfer utilities. Application data theft prevention blocks these exfiltration channels in real-time and provides immediate forensic visibility into which applications attempted transmission during the attack.

Q. What is the application data protection gap?
DLP monitors email and web traffic. This traffic is approximately 20% of business-critical data. The other 80% is desktop applications: Word documents, Excel spreadsheets, CRM data, finance systems, and HR platforms. When attackers breach your perimeter, they target this unmonitored application data. The gap is the lack of visibility into desktop application data flows during security incidents, which is why companies default to panic shutdowns instead of strategic responses.

Uncover your application data theft gap

10 devices. 10 days. Zero risk.

Dr Mark Graham is founder and CEO of ZORB Security. His PhD focused on malware detection. He has spent four decades building cybersecurity systems for enterprise organisations. ZORB is an alumnus of the NCSC for Startups accelerator. ZORB works with professional services, financial services, and healthcare organisations to fill the application data protection gap.

© 2025 ZORB Security Ltd

Company registered in England: 10992329