M&S and Co-op Cyberattack Could Cost Up to £440 Million
June 24, 2025
M&S and Co-op Cyberattack Treated as Single Event, May Cost £440M
Understanding the M&S and Co-op Cyberattack
In early 2025, two of the UK’s major retailers—Marks and Spencer (M&S) and the Co-op—were struck by damaging cyberattacks. Now, the Cyber Monitoring Centre (CMC) has officially defined these incidents as a single, coordinated attack. According to the CMC, both breaches are being attributed to the same threat actor, Scattered Spider. The move to treat these attacks as one event is based on shared methods, close timing, and the attacker’s public claims. The estimated financial toll? A staggering £270 million to £440 million. If you’re wondering what this means for cybersecurity risk and liability in the retail sector, you’re not alone.
Why M&S and Co-op Are Being Treated as One Cyber Event
The CMC, an independent organization that tracks large-scale cyber events for insurance and security stakeholders, has confirmed it is treating the M&S and Co-op cyberattacks as a single “systemic event.” That’s because the same hacker group is believed to have orchestrated both breaches using similar tactics, techniques, and procedures (TTPs). The center categorized the incident as a “Category 2 systemic event”—meaning the impact is significant, but not yet economy-wide. The close timing and matching attack methods support the decision to link the two breaches under one banner.
The Financial and Operational Fallout of the Combined Attack
While both companies suffered massive data loss, IT damage, and operational disruption, it’s the business downtime that has driven up the estimated costs. According to the CMC, the combined financial impact could hit as high as £440 million. The attack’s consequences weren’t limited to M&S and Co-op, either. Their suppliers, third-party service providers, and internal systems have all felt the ripple effects. In cybersecurity terms, this attack was “narrow and deep”—focusing on specific targets with severe consequences—unlike broad incidents such as the 2024 CrowdStrike outage, which affected many companies but with minimal individual damage.
What This Means for UK Businesses and Cyber Insurance
The fact that the M&S and Co-op cyberattack is being treated as a single event has huge implications for how insurance providers, regulators, and corporations prepare for future cyber risks. It emphasizes the growing sophistication of threat actors and the need for integrated, proactive cybersecurity strategies. Businesses must now consider how shared infrastructure or vendor exposure can lead to compounded risk—even across seemingly independent incidents. For consumers and companies alike, this high-profile breach is a reminder of the escalating stakes in the digital security landscape.