TechRadar
Mike Moore

M&S and Co-op hacks publicly defined as a single attack - and could cost more than £400 million


  • Cyber Monitoring Centre says it is treating M&S and Co-op attacks as a single, combined event
  • M&S was hit by a major cyberattack earlier in 2025, Co-op hit weeks after
  • Cost of attacks could hit as high as £440 million, CMC estimates

The recent cyberattacks against Marks and Spencer (M&S) and the Co-op supermarket have been combined into a single incident by a major UK investigatory group.

The Cyber Monitoring Centre (CMC), an independent, non-profit body established by the insurance industry to categorize major cyber events, has declared it is treating the two incidents as one event by the same attacker - Scattered Spider.

"Given that one threat actor claimed responsibility for both M&S and Co-op, the close timing, and the similar tactics, techniques, and procedures (TTPs), CMC has assessed the incidents as a single combined cyber event," the CMC said.

Combined attack

The CMC says it has categorized the attacks as a "Category 2 systemic event," and estimated the security breaches will have a total financial impact of between £270 million and £440 million ($363 million to $592 million) on the two firms.

It added the effects of the attacks had been classified as "narrow and deep", with "significant implications" not only for the two retailers, but their suppliers, partners and service providers as well.

This definition is opposed to “shallow and broad” events such as the 2024 CrowdStrike incident, which affected a large number of businesses across the economy, but the impact to any one company was much smaller.

"Although both of the targeted companies suffered business disruption, data loss, and costs for incident response and IT rebuild, business disruption drives the vast majority of the financial cost," the CMC added.

"Most of the estimated disruption cost is faced by the two companies, but our analysis seeks to estimate the wider cost to partners, suppliers and others."

Despite happening around the same time, the CMC has said the cyberattack on Harrods, another major British retailer, will not be included at this stage, citing a lack of adequate information available about the cause and impact.

M&S was apparently hit by the attack on April 22, revealing news of the incident several days later. The Co-op revealed news of its event on April 30, saying it had been forced to take down parts of its IT systems in an attempt to mitigate the effects.

M&S has forecast the attack could cost it around £300 million in lost operating profit in its financial year.

M&S has not confirmed whether it has paid a ransom to the hackers, but did admit some customer data was stolen in the attack. This did not include any passwords or card or payment details, but home addresses, phone numbers and dates of birth may have been affected.

For anyone concerned their data may have been taken, we recommend using a dark web monitoring service, or a breach monitor such as Have I Been Pwned, to check for potential exposures.

Via InfoSecurity
