A Wake-Up Call for Retail
In May 2025, both M&S and Co-op were hit with ransomware attacks that brought parts of their operations to a standstill. M&S suspended online shopping for weeks, and Co-op had to take systems offline while facing ransom demands over stolen customer and employee data. Millions of pounds in revenue were lost, and consumer trust has taken a serious hit.
The suspected culprits? A group known as Scattered Spider—young hackers coordinating through Discord and Telegram, using tools like DragonForce to gain access through social engineering and poorly secured internal systems.
Security Failures Are Platform Failures
From a platform engineering standpoint, these breaches represent more than just lapses in endpoint protection. They reveal a lack of defence-in-depth and insufficient adoption of policy-based security controls.
In a cloud-native world, where containers, microservices, and ephemeral workloads dominate, security needs to be enforced automatically and declaratively—not manually.
Policy-Based Security: Your First Line of Defence
One of the most powerful tools for securing Kubernetes-based platforms is OPA Gatekeeper—a policy engine that validates every Kubernetes resource against defined security rules before it gets deployed.
With Gatekeeper, platform teams can enforce policies such as:
- No deployments with `hostNetwork: true`
- All images must come from approved registries
- Secrets must be mounted via sealed or encrypted volumes
- RBAC permissions must follow least-privilege access
This isn’t theoretical. These kinds of policies could have helped prevent or mitigate the access paths likely exploited in the M&S and Co-op incidents.
What Platform Engineering Must Do Differently
Platform engineering is about building scalable, secure, and resilient systems—but it must now take ownership of security alongside reliability and performance.
Here’s what modern platform teams should adopt:
1. Automate Guardrails
Shift security left by integrating tools like Gatekeeper and Kyverno into CI/CD pipelines.
2. Harden Identity & Access
Implement fine-grained RBAC, use short-lived credentials, and enable multi-factor authentication for all access points.
3. Secure the Software Supply Chain
Use tools like Sigstore to sign and verify images, and adopt SLSA levels to harden build processes.
4. Enforce Immutable Infrastructure
Use GitOps tools like Argo CD to ensure infrastructure is declarative, auditable, and revertible in the face of compromise.
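Steps 1 and 3 meet in the cluster's admission path: the pipeline signs each image with Sigstore, and an admission policy refuses anything unsigned. The following Kyverno ClusterPolicy is an added example (not from the original post or from the Kyverno project) showing that check; the registry pattern `registry.example.com/*` and the public key are placeholders to replace with your own.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signed-images
spec:
  validationFailureAction: Enforce   # reject unsigned images rather than only reporting them
  background: false                  # signature checks run at admission time, not in background scans
  webhookTimeoutSeconds: 30          # verification contacts the registry, so allow more than the default
  rules:
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"   # assumed internal registry; only these images are checked
          required: true                 # an image matching the pattern must carry a valid signature
          mutateDigest: true             # rewrite the tag to the verified digest so a later retag cannot swap the image
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      REPLACE_WITH_YOUR_COSIGN_PUBLIC_KEY
                      -----END PUBLIC KEY-----
```

The matching pipeline step is `cosign sign --key cosign.key registry.example.com/app:1.2.3` after the build and push; the private key stays in the CI secret store and only the public half is committed alongside the policy. Because the Pod is admitted with its image rewritten to a digest, the GitOps repository from step 4 also records exactly which artifact was verified.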
Retail Can’t Afford to Treat Cybersecurity as an Afterthought
Cybersecurity is no longer just an IT concern—it’s a board-level issue. Yet many retailers are still running on fragmented, legacy platforms with little investment in resilience-by-design. As a result, their platforms are wide open to ransomware, phishing, and supply chain compromise.
Platform engineering is the missing link between infrastructure and security. It’s time for engineering teams to stop relying solely on security teams, and instead bake protection into the platform itself.
Checklist: A Secure Platform Engineering Mindset
| Area | Action |
|---|---|
| Policy Enforcement | Use OPA Gatekeeper for Kubernetes governance |
| Access Control | Replace static credentials with identity-based access |
| CI/CD Pipelines | Integrate security scanning and policy checks |
| Secrets Management | Centralise with Vault or cloud-native KMS |
| Observability | Detect anomalies with eBPF/Falco-based monitoring |
| Recovery Preparedness | Test disaster recovery and incident response regularly |
Final Thoughts
The breaches at M&S and Co-op are not outliers—they’re warnings. Cyber threats are growing faster than many organisations can adapt. The answer isn’t just better security tools. It’s a culture of platform security: policy-driven, automation-first, and built into the very infrastructure your business runs on.
At Mesoform, we help companies modernise their platforms with security-first engineering practices, including OPA Gatekeeper implementation, policy-as-code adoption, and secure platform design from the ground up.
Don’t wait for your organisation to make the headlines. Get in touch today and find out how policy-based platform engineering can protect your future.