M&S and Co-op Cyber Incidents Categorized as Unified Cyber Event

The recent cyber incidents involving UK retailers Marks & Spencer (M&S) and The Co-op have been officially classified as a single cyber event by the Cyber Monitoring Centre (CMC). This evaluation was based on several key factors.

Firstly, it is believed that a single threat actor was responsible for both attacks. Secondly, the timing of these incidents, both occurring around late April 2025, raises significant concern. Finally, the analysis revealed that the tactics, techniques, and procedures (TTPs) employed in both cases were notably similar.

Additionally, another UK retailer, Harrods, experienced an attack around the same time, which was also attributed to the same threat actor. However, due to insufficient information regarding the specifics of this attack, the CMC has not drawn a direct connection between Harrods’ incident and those of M&S and The Co-op.

The hacking group Scattered Spider has been widely identified as the perpetrator behind the attacks on M&S, The Co-op, and Harrods. The CMC remarked, “Attribution is ongoing, but current indicators suggest that the same threat actor targeted both M&S and Co-op using similar TTPs. The initial access vector likely involved social engineering, with reports indicating the use of compromised credentials and potentially the exploitation of IT helpdesk processes.”

Significant Financial Impact Estimation

The CMC has assessed the financial fallout from the incidents concerning M&S and The Co-op to be between £270 million and £440 million. This estimation was derived from available data and established modeling techniques that accounted for various costs, including lost sales for the two retailers and their respective suppliers and franchisees. Legal expenses, incident response efforts, and IT restoration costs were also considered.

Data analysis by Fable Data highlighted a 22% decrease in the average daily spend at M&S during the periods when online shopping was unavailable. Similarly, The Co-op experienced an 11% reduction in daily spend within the first 30 days following the event.

As a result of the economic repercussions, the CMC has categorized these incidents as a Category 2 systemic event, leveraging their established monitoring matrix. This rating reflects both the financial impact of the incident and the number of organizations affected. Categorized as “narrow and deep,” the incidents had a profound effect on M&S and The Co-op, along with a restricted number of suppliers and service providers.

This categorization stands in contrast to the CrowdStrike outage experienced by numerous businesses across the economy in July 2024, where the individual impact was relatively lower.

The CMC noted that, to date, there has not been a “deep and broad” Category 4 or 5 incident observed within the UK. They added that any further widespread disruption within the sector could have warranted a higher classification, but since the impact remained confined to two specific retailers and their partners, it has been deemed less severe on the CMC’s scale.

The CMC continues to provide publicly accessible categorizations of cyber events, which are intended to enhance cyber mitigation strategies and response protocols in the industry.

The CMC Cyber Monitoring Matrix demonstrating the positioning of the M&S and The Co-op incident.