The Cyber Monitoring Centre has categorised the disruption to retailers M&S and Co-op following the April 2025 cyber incident as a Category 2 systemic event.
In its first live public assessment of a cyber incident's financial impact in the UK, the CMC estimates the ransomware attack on the two retailers and associated parties cost somewhere between £270m and £440m.
The CMC analysed the event – which caused disruption to critical business functions and led to the exfiltration of customer data – in line with its mission to categorise systemic cyber incidents in the UK, and provide independent analysis to strengthen national cyber resilience.
Given that one threat actor claimed responsibility for both the M&S and Co-op attacks, along with the close timing and similar tactics, techniques and procedures, the CMC assessed the incidents as a single combined cyber event. It excluded a similar incident affecting Harrods and other UK retailers reported in April and May due to limited information about their cause and impact.
M&S suffered a far greater financial and operational impact due to its reliance on online sales, exclusive own-brand supply model and more complex distribution chain, according to the CMC’s Categorisation Statement. Co-op's impact, though notable, was less severe and more localised. M&S likely accounts for the majority of the losses.
The impact from the event was “narrow and deep”, with significant implications for two companies and knock-on effects for suppliers, partners and service providers. This contrasts with “shallow and broad” events such as last year’s CrowdStrike incident, where a large number of businesses were affected but the impact on any one company was smaller.
“We are yet to see a deep and broad category 4 or category 5 event impact the UK. Had there been further widespread disruption in the sector, the categorisation could have been higher, but because the impact was confined to two companies and their partners, it is judged to be at the lower end of severity on the CMC’s scale,” the organisation stated.
Although both companies experienced business disruption, data loss and costs for incident response and IT rebuild, business interruption drives the vast majority of the financial impact. While most of the estimated disruption cost fell on the two companies, the analysis also considered wider impacts on suppliers, partners and other affected stakeholders.
Attribution is ongoing, but current indicators suggest the same threat actor targeted both M&S and Co-op using similar tactics. The initial access vector is believed to involve social engineering, with reports suggesting compromised credentials and potential abuse of IT help desk processes.
M&S reported an expected impact of approximately £300m for 2025/26 in its financial statements. The CMC estimates online sales losses of around £1.3m per day, adjusted downward after a partial early resumption. Daily consumer spending at M&S fell by 22% during the peak disruption, with online sales dropping to near zero and in-store sales falling by nearly 15%. M&S also faced significant supply chain challenges due to its own-label model – particularly in categories such as prepared food and meat, where suppliers could not easily re-route stock. This rigidity led to cash flow concerns among suppliers, although M&S reportedly took steps to support partners. The disruption of online shopping – a critical sales channel for the retailer – amplified the overall impact. While IT rebuild and legal costs were not itemised, the CMC described them as “significant”.
For Co-op, the CMC estimates that daily consumer spend dropped by 11% in the first 30 days. No specific financial loss figure has been published, but the lower percentage drop and absence of online sales losses (Co-op operates primarily through physical retail) suggest a materially smaller financial impact than that of M&S. Particular emphasis was placed on supply chain fragility in rural areas such as the Scottish Highlands and Islands, where Co-op may act as the sole food retailer. The company prioritised restocking these remote stores, highlighting both a service continuity challenge and a swift tactical response. Like M&S, Co-op incurred incident response, IT rebuild and legal costs, though again no standalone figures were disclosed.