Cyberattacks on Marks & Spencer and Co-op: Estimated Financial Impact of £270M-£440M

Explore the financial repercussions of the recent cyberattacks on Marks & Spencer and Co-op, as classified by the UK’s Cyber Monitoring Centre. Learn about the estimated impact, the methods used by attackers, and the broader implications for cyber resilience in the retail sector.

TL;DR

The UK’s Cyber Monitoring Centre (CMC) has classified the recent cyberattacks on Marks & Spencer and Co-op as a Category 2 systemic event, estimating financial losses between £270 million and £440 million. These attacks, attributed to the DragonForce ransomware group, have exposed significant vulnerabilities in the retail sector, underscoring the need for enhanced cybersecurity measures and financial resilience.

The Financial Impact of Cyberattacks on Marks & Spencer and Co-op

The UK’s Cyber Monitoring Centre (CMC) has labeled the recent cyberattacks on Marks & Spencer and Co-op as a Category 2 systemic event, with estimated financial losses ranging from £270 million to £440 million. This classification highlights the significant economic impact and the need for enhanced cyber resilience within the retail sector.

Attack Overview and Initial Impact

In early May, a group known as DragonForce claimed responsibility for the cyberattack on Co-op. The group told the BBC that it had stolen data from the British retailer and provided evidence of the breach. Co-op initially stated that there was no evidence of customer data being compromised. However, it was later confirmed that threat actors had accessed data belonging to current and past members, as reported by the BBC.

The DragonForce group also claimed responsibility for the attack on Marks & Spencer and attempted to hack Harrods. The attackers gained access to Co-op’s internal Microsoft Teams, leaked staff credentials, and exposed 10,000 customer records containing membership card numbers, names, home addresses, emails, and phone numbers. The BBC verified and subsequently destroyed the leaked data to prevent further misuse.

Detailed Analysis by the Cyber Monitoring Centre (CMC)

The CMC assessed the Marks & Spencer and Co-op cyberattacks as a single major incident due to shared timing, a common threat actor, and similar techniques, tactics, and procedures (TTPs). The attacks on Harrods and other retailers around the same time were not included in this assessment due to insufficient information.

The CMC report classifies these attacks as “narrow and deep,” indicating significant disruption to the targeted firms and ripple effects on their partners. The financial impact is primarily attributed to business disruption rather than IT damage, with Marks & Spencer alone anticipating a £300 million hit in 2025/26. Online sales losses reached £1.3 million per day before limited service resumed, and consumer spending dropped by 22% at Marks & Spencer and 11% at Co-op.

Estimated Financial Impact

The CMC estimates the total financial impact of the event across affected parties to be between £270 million and £440 million. This includes:

  • Legal and notification costs for Marks & Spencer and Co-op.
  • Direct business interruption costs resulting from lost sales for Marks & Spencer, Co-op, franchisees, and suppliers.
  • Incident response and IT restoration costs for Marks & Spencer and Co-op.

The attacks exposed the fragility of the retail supply chain and IT infrastructure, highlighting the need for stress-testing crisis plans, ensuring financial resilience, and improving cyber hygiene across vendors. The CMC emphasizes the importance of clear crisis communication and strong recovery capabilities to mitigate the impact of such incidents.

Conclusion

The cyberattacks on Marks & Spencer and Co-op serve as a stark reminder of the vulnerabilities within the retail sector. The significant financial impact underscores the need for robust cybersecurity measures and financial resilience. By stress-testing crisis plans, improving cyber hygiene, and ensuring clear communication, retailers can better prepare for and mitigate the effects of future cyber threats.

This post is licensed under CC BY 4.0 by the author.