Tryfonov - stock.adobe.com

News

M&S, Co-op attacks a ‘Category 2 cyber hurricane’, say UK experts

The UK’s Cyber Monitoring Centre has published its first in-depth assessment of a major incident, reflecting on the impact of and lessons learned from Scattered Spider attacks on M&S and Co-op

Alex Scroxton
By
Published: 20 Jun 2025 17:00

The Scattered Spider/Dragonforce cyber attacks that struck Marks & Spencer and Co-op during the spring have been classed as a Category 2 cyber event on the UK Cyber Monitoring Centre’s (CMC’s) recently launched ‘hurricane scale’, with total costs likely to end up somewhere between £270m and £440m.

The CMC – an arm’s-length body set up by the insurance industry to assess the impact of cyber attacks on the UK and help organisations better manage their risk profiles, and backed by cyber experts including former NCSC lead Ciaran Martin – said that based on its incident categorisation matrix, the incident had had a “substantial financial impact” and resulted in “economic reverberations “across third-party suppliers, franchisees and supporting services”.

“The impact from this event is ‘narrow and deep’, having significant implications for two companies, and knock-on effects for suppliers, partners and service providers,” the team wrote in their assessment.

“This contrasts with a ‘shallow and broad’ event like last year’s CrowdStrike event, where a large number of businesses across the economy were affected but the impact to any one company was far smaller.”

The CMC said that while it has yet to book a Category 4 or 5 event in the UK, had the disruption extended more widely across the retail sector, the attack campaign might have been higher. In the event, of course, Scattered Spider’s campaign is known to have just two major retailers.

That said, the CMC did note a third attack on Harrods, and other retailers and retail-adjacent organisations reported to have experienced incidents in the past few months, but said it had to confine its analysis to the more widely reported M&S and Co-op incidents because there was a lack of information about the cause and impact of other events at the time.

Financial costs

In arriving at its figure of £270m to £400m, the CMC has drawn on a range of public and commercial data sources, including a figure of approximately £300m floated by M&S in May during its annual results call, and its own modelling.

The CMC said its figure might have been higher based on statements made by M&S of an anticipated July restart date for online shopping. However, the fact that the retailer has since stood up some of its online shopping model meant the CMC could pare back its estimates.

The total figure includes covering the costs of business interruption arising from lost sales opportunities, incident response and IT restoration costs, and legal and notification costs. It does not include any ransom payments as it is not known if any have been made.

Based on stats drawn from transactional data platform Fable Data, the CMC said that M&S saw a daily reduction in spend of 22% during the incident, with online sales dropping to essentially zero and in-store sales down 15% as the firm struggled to keep its Food Halls and other locations topped up. For Co-op, daily spend dropped by 11% during the first 30 days of the incident.

The CMC observed that M&S’ distinct own-label business model and a number of exclusive contracts with suppliers left it particularly vulnerable to supply chain effects, with suppliers struggling to reroute goods, particularly items relying on cold chain storage.

Turning to Co-op, the Fable data show daily spend dropped by 11% during the first 30 days of the incident. The CMC said that because Co-op is frequently the only bricks and mortar grocery chain in more isolated and remote parts of the country – particularly in the Highlands and Islands of Scotland – the incident demonstrated the broader social impacts of such cyber attacks.

“The event underscores retail sector vulnerabilities tied to just-in-time stock systems, lack of back-end storage, and high dependency on IT-driven order flows. When systems fail, it is challenging to revert to manual processes,” said the team.

Preparing to fail

Looking into the future, the CMC said the Scattered Spider attacks had been an object lesson in preparedness for the retail sector, stressing the need to test business continuity and crisis response plans against ransomware attacks, including procedures for inventory management, and crisis communications.

As well as noting, naturally, the need for improved cyber hygiene and proper understanding of retailers’ exposure to third-party risk – likely how the M&S and Co-op incidents began – the CMC also said that retailers needed to consider that the costs of business interruptions can be extreme, and it is wise to ensure that capital, or adequate insurance protection, is available to cover cyber attacks.

Timeline: Scattered Spider cyber attacks in 2025

  • 22 April 2025: A cyber attack at M&S has caused significant disruption to customers, leaving them unable to make contactless payments or use click-and-collect services.
  • 24 April: M&S is still unable to provide contactless payment or click-and-collect services amid a cyber attack that it says has forced it to move a number of processes offline to safeguard its customers, staff and business.
  • 25 April: M&S shuts down online sales as it works to contain and mitigate a severe cyber attack on its systems.
  • 29 April: The infamous Scattered Spider hacking collective may have been behind the ongoing cyber attack on M&S that has crippled systems at the retailer and left its ecommerce operation in disarray.
  • 30 April: A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack.
  • 1 May: Co-op tells staff to stop using their VPNs and be wary that their communications channels may be being monitored, as a cyber attack on the organisation continues to develop.
  • 1 May: Harrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact.
  • 2 May: The National Cyber Security Centre confirms it is providing assistance to M&S, Co-op and Harrods as concerns grow among UK retailers.
  • 7 May: No end is yet in sight for UK retailers subjected to apparent ransomware attacks.
  • 13 May: M&S is instructing all of its customers to change their account passwords after a significant amount of data was stolen in a DragonForce ransomware attack.
  • 14 May: Google’s threat intel analysts are aware of a number of in-progress cyber attacks against US retailers linked to the same Scattered Spider gang that supposedly attacked M&S and Co-op in the UK.
  • 20 May: Cold chain services provider Peter Green Chilled, which supplies the likes of Aldi, Sainsbury’s and Tesco, has been forced to halt operations after succumbing to a ransomware attack.
  • 11 June: So-called Black Swan events expose the blind spots in even the most sophisticated forecasting models, signaling a need to rethink how businesses, and those investing in them, quantify and prepare for cyber risk.
  • 13 June: The recent spate of cyber attacks on UK retailers has to be a wake-up call to build more cyber resilience into digital supply chains and fortify against social engineering attacks.
  • 17 June: Following a series of high-profile attacks on prominent retailers and consumer brands, the Scattered Spider cyber crime collective appears to be expanding its targeting to the insurance sector.

Read more on Data breach incident management and recovery