The April 2025 cyberattacks on Marks & Spencer and Co-op have officially been classified as a single coordinated insurance incident, according to the Cyber Monitoring Centre (CMC).
- The UK’s Cyber Monitoring Centre (CMC) is a non-profit organization launched in 2025 that categorizes the severity of cyber events impacting UK organizations.
- It aims to provide a consistent and objective framework for understanding the impact of these events, using a scale of one to five. The CMC is independent and its findings are freely available to the public.
The attack relied on social engineering of IT help desks, a known method of the group believed to be behind the breach: Scattered Spider, also tracked as UNC3944.
This group operates as a faction within the broader cybercrime network known as The Com. English-speaking operatives impersonate internal IT staff to trick employees into handing over credentials or access (see How Does Cyber Security Hygiene Reduce the Risk of Cyberattacks?).
The impact from this event is “narrow and deep”, having significant implications for two companies, and knock-on effects for suppliers, partners, and service providers.
This contrasts with a “shallow and broad” event like last year’s CrowdStrike event, where a large number of businesses across the economy were affected but the impact to any one company was far smaller.

We are yet to see a deep and broad category 4 or category 5 event impact the UK. Had there been further widespread disruption in the sector, the categorisation could have been higher, but because the impact was confined to two companies and their partners, it is judged to be at the lower end of severity on the CMC’s scale.
- U.K. retailers Marks & Spencer (M&S) and Co‑op were hit by coordinated ransomware attacks, now officially recognized as a single combined cyber event by the Cyber Monitoring Centre (CMC)
- The CMC categorized the incident as a Category 2 systemic event due to its substantial economic and operational impact across both firms and their supplier networks
- Financial damage is estimated between £270 mn and £440 mn
- For M&S, online sales dropped to zero, triggering up to £1.3 mn loss per day. In-store spend also decreased by ~15%, contributing heavily to the total cost
- Co‑op saw an average daily spend decline of 11% in the first 30 days, and the disruption severely affected remote and rural regions where Co‑op serves as a critical retail provider
The Cyber Monitoring Centre cited shared tactics, timing, and a single threat actor claiming responsibility for both breaches as grounds for treating the attacks as one event.
The organization labeled the incident a “Category 2 systemic event” and projected financial losses between £270 mn ($363 mn) and £440 mn ($592 mn).
The cyberattack on Harrods, which occurred around the same time, remains unclassified due to insufficient data on its origin and consequences. CMC noted that investigations are still ongoing.
“The effect is narrow in scope but severe, directly impacting two major companies while triggering disruption across their supply chains and third-party services,” CMC said in a statement.
Scattered Spider has recently expanded its focus. Google’s Threat Intelligence Group reported this week that the group is now actively targeting major insurance firms in the U.S., continuing its pattern of focusing on one sector at a time.
John Hultquist, Chief Analyst at GTIG, warned that insurers should brace for sophisticated social engineering attacks aimed at help desks and support lines.
“While concerns over Iranian-linked cyber activity have dominated recent briefings, groups like Scattered Spider are already affecting high-value targets,” Hultquist said. “The risk is immediate and escalating.”
Meanwhile, Tata Consultancy Services (TCS) said its infrastructure was not compromised during the Marks & Spencer attack. However, the company is conducting an internal investigation to determine if its systems were used as an access point.
For M&S, Fable data shows a reduction in average daily spend of 22% during the event for the period online shopping was unavailable, with online sales dropping to near zero and in-store sales down almost 15%.
Early media reports focused on the failure of contactless payment methods, but the true impact was significantly broader and driven primarily by the prolonged disruption to online sales and in-store stock shortages.









