
Summary
The Cyber Monitoring Centre classified the April 2025 cyberattacks on Marks & Spencer and Co-op as a single Category 2 event. The attacks, attributed to the Scattered Spider group, resulted in significant financial losses and operational disruption for both retailers. This incident serves as a valuable lesson in cybersecurity preparedness and response for businesses of all sizes.
Main Story
Retail Giants Reeling: M&S and Co-op Face Coordinated Cyberattack
In April 2025, two of the UK’s largest retailers, Marks & Spencer (M&S) and the Co-operative Group (Co-op), found themselves grappling with a significant cyberattack. The Cyber Monitoring Centre (CMC), an independent body backed by the insurance industry, has officially classified these incidents as a single, combined cyber event. The attacks are attributed to Scattered Spider, also known as UNC3944, and resulted in significant financial losses, operational disruption, and data breaches for both companies.
Unpacking the Incident: How Scattered Spider Struck
The CMC’s analysis concluded that both attacks were related based on three key factors: attribution to a single threat actor, the close timing of the incidents, and the similar tactics, techniques, and procedures (TTPs) employed by the attackers. The initial access vector is believed to involve social engineering, with reports suggesting compromised credentials and potential abuse of IT helpdesk processes.
At M&S, the attackers exfiltrated the NTDS.dit file from the company’s Active Directory, gaining access to usernames, group memberships, and password hashes. They then cracked the hashed passwords offline, escalating privileges and moving laterally across internal systems. Finally, they deployed DragonForce ransomware, encrypting critical VMware ESXi infrastructure and disrupting online orders, payments, and logistics.
The Co-op incident unfolded somewhat differently. Threat actors targeted the company through social engineering, impersonating employees and manipulating IT help desks into resetting passwords. This allowed them to gain unauthorized access across multiple systems and potentially compromise the personal data of approximately 20 million Co-op members.
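As an added, defender-side illustration (not part of the original article or the CMC's analysis), the script below scans a constructed sample of Windows Security password-reset events (Event ID 4724, "an attempt was made to reset an account's password") for the pattern described above: help-desk accounts resetting passwords on privileged accounts, out of hours and in bursts. The simplified log format, the account names and the PRIVILEGED set are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of Windows Security Event ID 4724 (password reset
# attempted by another account). The one-line format is a hypothetical SIEM export.
SAMPLE_LOG = """\
2025-04-19T08:02:11 4724 subject=helpdesk01 target=jsmith
2025-04-19T08:05:40 4724 subject=helpdesk01 target=ahmed.k
2025-04-19T22:14:03 4724 subject=helpdesk02 target=svc_backup
2025-04-19T22:14:51 4724 subject=helpdesk02 target=da_admin
2025-04-19T22:15:20 4724 subject=helpdesk02 target=vcenter_admin
2025-04-19T22:16:02 4724 subject=helpdesk02 target=helpdesk02
"""

# Assumed list of tier-0 / infrastructure accounts that a help desk should never reset.
PRIVILEGED = {"da_admin", "vcenter_admin", "svc_backup"}
LINE = re.compile(r"(\S+) 4724 subject=(\S+) target=(\S+)")

def parse_resets(text):
    """Parse the sample export into (timestamp, resetting account, target account)."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events

def find_suspicious_resets(events, window=timedelta(minutes=10), burst=3,
                           business_hours=(8, 18)):
    """Flag resets of privileged accounts, self-resets, out-of-hours resets, and
    bursts of `burst` or more resets by one subject inside `window`."""
    alerts = []
    by_subject = defaultdict(list)
    for ts, subject, target in events:
        reasons = []
        if target in PRIVILEGED:
            reasons.append("privileged target")
        if subject == target:
            reasons.append("self-reset")
        if not business_hours[0] <= ts.hour < business_hours[1]:
            reasons.append("out of hours")
        by_subject[subject].append(ts)
        recent = [t for t in by_subject[subject] if ts - t <= window]
        if len(recent) >= burst:
            reasons.append(f"burst: {len(recent)} resets in {window}")
        if reasons:
            alerts.append((ts.isoformat(), subject, target, reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_resets(parse_resets(SAMPLE_LOG)):
        print(alert)
```

The daytime resets by helpdesk01 produce no alert; the four late-evening resets by helpdesk02 are each flagged, with the burst reason appearing from the third reset onward.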
Financial Fallout: A Heavy Price to Pay
The financial impact of these attacks is substantial. The CMC estimates the total cost to range from £270 million to £440 million, including lost sales, incident response and IT restoration, legal and notification costs, and the impact on franchisees, suppliers, and service providers. Consumer spending at M&S dropped by 22% during the period when online shopping was unavailable, resulting in estimated daily losses of £1.3 million. The Co-op experienced an 11% fall in average daily spending during the first 30 days of the event.
A Category 2 Storm: Assessing the Severity
The CMC categorizes cyber events on a scale of 1 to 5, with 5 being the most severe. The M&S and Co-op incident has been classified as a Category 2 event, described as “narrow and deep.” This designation reflects the significant impact on the two retailers and a limited number of their partners, suppliers, and service providers. The CMC contrasts this with “shallow and broad” events, such as the 2024 CrowdStrike incident, where a larger number of businesses were affected, but the impact on individual organizations was less severe. The CMC notes that while it has yet to record a Category 4 or 5 event in the UK, the Scattered Spider campaign could have been ranked higher if the disruption had extended more widely across the retail sector.
Lessons Learned: Strengthening Cyber Resilience
The M&S and Co-op cyberattacks offer several crucial lessons for businesses:
- The Importance of Robust Cybersecurity Measures: Regular security assessments, vulnerability patching, strong access controls, and multi-factor authentication are crucial.
- Incident Response Planning: Having a well-defined incident response plan in place is vital for containing breaches, minimizing damage, and ensuring a swift recovery.
- Transparency and Communication: Open communication with customers, partners, and stakeholders is essential for maintaining trust and managing reputational damage.
- Supply Chain Security: The interconnected nature of modern business means that organizations must also consider the cybersecurity practices of their suppliers and partners.
- Employee Training and Awareness: Social engineering remains a potent attack vector, highlighting the need for continuous employee training and awareness programs.
The M&S and Co-op incident serves as a stark reminder of the ever-present threat of cyberattacks and the importance of proactive cybersecurity measures. As businesses become increasingly reliant on digital technologies, prioritizing cyber resilience is no longer optional; it’s a necessity for survival. The CMC’s categorization system and detailed analysis provide valuable insights that can help organizations better understand and manage their cyber risk profiles. As of June 24, 2025, the ongoing analysis of this incident continues to offer crucial lessons for businesses navigating the complex landscape of cybersecurity.
The focus on social engineering as an entry point highlights the critical need for ongoing and adaptive employee training. Simulated phishing exercises, coupled with clear reporting pathways, could significantly reduce vulnerability to these types of attacks.
Absolutely! The human element is often the weakest link, making adaptive training so crucial. Your point about simulated phishing exercises and clear reporting pathways is spot on. It’s not just about technology, but also about empowering employees to be the first line of defense. What strategies have you seen work well in fostering a security-conscious culture?
Editor: StorageTech.News
Thank you to our Sponsor Esdebe
The financial impact detailed here underscores the importance of cyber insurance as part of a comprehensive risk management strategy. How are organizations adapting their insurance policies to reflect the evolving threat landscape and potential for significant business interruption?
That’s a great point! Cyber insurance is definitely becoming a more critical part of risk management. I’m hearing about organizations focusing on more granular policies that cover specific incident types and also include proactive services like threat intelligence and incident response support. It’s a really dynamic area.
The financial fallout reported highlights the potential cascading effects of a successful attack. What strategies are organizations using to quantify the potential business interruption costs when assessing their overall cyber risk exposure?
That’s a critical question! Quantifying potential business interruption is a huge challenge. I’ve seen some organizations leveraging simulation models that incorporate revenue dependencies on critical systems and potential downtime scenarios. This helps them understand the ripple effects and prioritize investments in resilience. Interested to hear other approaches too!