Retail Cyberattacks Cost M&S and Co-op Up to £440M in Losses

By Tech Icons
11:16 am

Retail cyberattacks disrupt major UK store operations as Scattered Spider group targets customer service vulnerabilities

Three Key Facts

  • £270M-£440M combined losses estimated from cyberattacks on Marks & Spencer and Co-op, with M&S forecasting £300M impact by 2025/26
  • Single coordinated attack by Scattered Spider group targeting both retailers in April using social engineering tactics against IT help desks
  • Business disruption drives costs with M&S losing £1.3M daily in online sales and consumer spending dropping 22% at M&S, 11% at Co-op

Introduction

The Cyber Monitoring Centre has classified the recent cyberattacks against Marks & Spencer and Co-op as a single Category 2 event, marking one of the most significant retail cyber incidents in recent years. The independent industry body estimates combined losses between £270M and £440M from attacks that disrupted both retailers’ operations in April.

The CMC determined that threat group Scattered Spider orchestrated both attacks using similar tactics and timing. The classification treats the incidents as one coordinated event rather than separate breaches, reflecting the sophisticated nature of modern ransomware operations targeting major retailers.

Key Developments

The attacks began with M&S being compromised on April 22, followed by Co-op shortly after. Both companies faced social engineering attacks targeting their IT help desks, allowing hackers to gain initial access to critical systems.

DragonForce initially claimed responsibility for the Co-op attack in early May, providing evidence to the BBC including screenshots of extortion messages sent to Co-op’s cyber chief via Microsoft Teams on April 25. The group later admitted to targeting M&S and attempting to hack Harrods, accessing internal communications and leaking staff credentials.

Co-op was forced to shut down parts of its IT systems on April 30 to contain the breach. The company initially stated no customer data was compromised but later confirmed that information belonging to current and past members had been accessed. M&S suspended online ordering temporarily, with the company describing the attack as “highly sophisticated and targeted.”

Market Impact

The immediate financial impact was substantial at both retailers. M&S suffered online sales losses of £1.3 million per day before limited service resumed, while consumer spending dropped 22% at M&S and 11% at Co-op during the disruption period.

The attacks particularly affected rural communities dependent on Co-op services, highlighting the broader societal impact beyond direct financial losses. M&S shares reflected investor concerns about the long-term costs of system rebuilds and reputation management.

The CMC categorizes this as a “narrow and deep” systemic event, meaning severe impact on the affected firms and their partners rather than widespread sector disruption. This contrasts with “shallow and broad” events like the 2024 CrowdStrike incident that affected numerous businesses with smaller individual impacts.

Strategic Insights

The attacks expose critical vulnerabilities in retail supply chain IT and vendor management systems. Both companies accelerated existing technology strategies in response, with M&S compressing a planned two-year digital transformation into six months.

The incident demonstrates how business disruption costs now exceed direct IT damage in major cyberattacks. Most estimated losses stem from operational interruption, lost sales, supply chain delays, and system reconstruction rather than data theft or ransom payments.

The coordinated nature of the attacks signals the growing sophistication of ransomware-as-a-service groups. These operations target multiple entities simultaneously, maximizing disruption and financial impact while stretching defense and recovery resources thin.

Expert Opinions and Data

M&S CEO Stuart Machin justified the proactive system shutdowns as essential to protect customers and partners, describing the attack as requiring immediate containment measures. The attackers accessed internal communications, leaked staff credentials, and compromised 10,000 customer records including membership details and personal information.

John Hultquist, Chief Analyst at Google Threat Intelligence Group, warns that Scattered Spider actors have begun targeting major US insurance companies. “Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers,” Hultquist said.

The CMC emphasizes that most disruption costs affected the two primary companies, though their analysis estimates wider costs to partners and suppliers. According to Security Affairs, the threat actors provided evidence of the data breach through screenshots and direct communication with targeted executives.

Tata Consultancy Services disclosed that its systems were not compromised despite earlier speculation about potential involvement as a launch point for the M&S attack. The Financial Times previously reported TCS was conducting internal investigations regarding possible system compromise.

Conclusion

The M&S and Co-op cyberattacks represent a watershed moment for retail cybersecurity, demonstrating how coordinated threats can generate hundreds of millions in losses through operational disruption. The incidents highlight the critical importance of robust crisis communication, rapid system containment, and accelerated digital transformation in response to evolving threats.

Both companies have committed to strengthening cyber defenses and completing technology upgrades ahead of schedule. The attacks serve as a stark reminder that sophisticated threat actors increasingly target multiple entities simultaneously, requiring retailers to reassess their entire supply chain security posture and crisis response capabilities.
