Introduction
In April 2025 [3] [7] [9], UK retailers Marks & Spencer (M&S) and The Co-op were subjected to a series of sophisticated cyberattacks, significantly impacting their operations and highlighting vulnerabilities within the retail sector. These incidents underscore the critical need for robust cybersecurity measures and effective crisis response strategies.
Description
In April 2025 [3] [7] [9], UK retailers Marks & Spencer (M&S) and The Co-op were targeted by a series of sophisticated cyberattacks, identified as a “single combined cyber event” by the Cyber Monitoring Centre (CMC) [7]. This included a significant ransomware incident attributed to the Scattered Spider group during the busy Easter weekend [6]. The attack severely disrupted critical business functions, leading to substantial revenue losses, empty shelves [4] [6], and the exfiltration of customer data [9], including addresses [2] [6], phone numbers [2], and dates of birth [2], although no passwords or payment details were compromised [2]. M&S was forced to shut down its e-commerce operations for several weeks [2], with an estimated financial impact of approximately £300 million in operating profit for the 2025/26 financial year. The CMC classified the incident as a Category 2 systemic event on its ‘hurricane scale,’ based on the likelihood that a single threat actor was responsible for both attacks, the close timing of the incidents disclosed in late April [3], and the use of similar tactics [3], techniques [3], and procedures (TTPs) in both attacks [3].
M&S’s unique own-label business model and exclusive supplier contracts made it particularly susceptible to supply chain disruptions [5], while Co-op’s role as a primary grocery provider in remote areas highlighted the broader social impacts of such cyberattacks [5]. M&S chief executive Stuart Machin attributed the attack to “human error” involving a third-party contractor [2], although it remains unclear if Tata Consultancy Services (TCS), M&S’s principal technology partner [2], was the entry point for the attack. TCS [2] [8], which has been working with M&S for over a decade and secured a $1 billion contract in 2023 to enhance the retailer’s supply chain systems and digital sales [8], confirmed that none of its systems or users were compromised during the incident [2]. Despite launching an internal investigation to determine if its systems were exploited [8], TCS has confirmed that no breach occurred within its infrastructure [8]. The Co-op responded to the attack by shutting down parts of its IT infrastructure, and following the incident [4], it launched a “thank you” discount for loyalty scheme members [4], offering 25% off a £40 shop for one week starting June 18 [4]. Harrods also reported similar security breaches [6], indicating a possible coordinated campaign exploiting common vulnerabilities [6].
The incident had a notable effect on consumer sales, with M&S reporting a 22% reduction in average daily spend during the period when online shopping was unavailable [9], alongside a nearly 15% drop in in-store sales [9]. Co-op experienced an 11% average fall in daily spend in the first 30 days of the event [9], although its 2,300 food stores have since returned to normal operations [4]. These developments underscore the necessity of stress-testing business continuity and crisis response plans for ransomware attacks [9], emphasizing the vulnerabilities in the retail sector related to just-in-time stock systems and high dependency on IT-driven order flows [5]. The CMC stressed the importance of preparedness for the retail sector [5], advocating for improved cyber hygiene and understanding exposure to third-party risks to mitigate the challenges of reverting to manual processes when systems fail.
In response to the growing threat, the UK National Cyber Security Centre (NCSC) is coordinating efforts to contain the damage and investigate the attacks [6], working closely with security teams from the affected retailers [6]. The NCSC has issued updated guidance to all retailers [6], emphasizing the sector-wide threat posed by these incidents and the critical need for information sharing among the NCSC, the Information Commissioner’s Office (ICO) [6], and law enforcement to establish a unified response [6]. Industry experts stress the importance of adopting a proactive approach to cybersecurity, as modern attacks often involve extensive reconnaissance before the main assault [6], serving as a critical reminder that security must be prioritized to protect operations and maintain consumer trust [6].
M&S has been noted for its proactive communication during the recent incident [1], utilizing various channels to keep stakeholders informed and manage public perception [1]. Regular updates on the impact of the attack and guidance for the public can help maintain trust and mitigate reputational damage [1]. M&S managing director John Lyttle announced the reopening of the website and the gradual addition of more products [4], along with the resumption of deliveries to Northern Ireland and Click and Collect services [4]. M&S anticipates restoring all online functionality by July [8], while organizations across the sector are urged to implement robust cybersecurity measures and crisis response plans, including communication strategies and technical responses [1], prepared in advance of any incidents [1].
Conclusion
The cyberattacks on M&S and The Co-op in April 2025 have had significant operational and financial impacts, highlighting the vulnerabilities within the retail sector. These incidents emphasize the importance of robust cybersecurity measures, effective crisis response strategies, and proactive communication to mitigate risks and maintain consumer trust. As the retail industry continues to face evolving cyber threats, it is imperative for organizations to prioritize cybersecurity and collaborate with relevant authorities to enhance their resilience against future attacks.
References
[1] https://www.openaccessgovernment.org/what-cyber-lessons-can-the-public-sector-learn-from-the-recent-ms-hack/194265/
[2] https://www.retailgazette.co.uk/blog/2025/06/ms-cyber-attack-deepens/
[3] https://www.infosecurity-magazine.com/news/ms-coop-hacks-single-event/
[4] https://www.mirror.co.uk/money/co-op-issues-new-thank-35406403
[5] https://www.computerweekly.com/news/366626336/MS-Co-op-attacks-a-Category-2-cyber-hurricane-say-UK-experts
[6] https://www.techradar.com/pro/i-am-a-cybersecurity-expert-and-i-predict-uk-retailers-face-a-brutal-summer-of-coordinated-attacks-heres-why
[7] https://ciso2ciso.com/scattered-spider-behind-cyberattacks-on-ms-and-co-op-causing-up-to-592m-in-damages-sourcethehackernews-com/
[8] https://www.grocerygazette.co.uk/2025/06/20/tcs-denies-role-ms-cyberattack/
[9] https://cybermonitoringcentre.com/2025/06/20/cyber-monitoring-centre-statement-on-ransomware-incidents-in-the-retail-sector-june-2025/
