In a first-of-its-kind public financial impact report, the UK’s Cyber Monitoring Centre (CMC) has classified the April 2025 ransomware attacks on Marks & Spencer and Co-op as a Category 2 systemic cyber event. The CMC estimates that the combined financial damage from the retail cyberattack ranges from £270 million to £440 million.
The Cyber Monitoring Centre
The Cyber Monitoring Centre is a non-profit organization that independently analyses and classifies cyber incidents impacting UK organizations. Its five-level event scale, designed by a committee of leading cybersecurity experts, rates incidents based on the depth and breadth of their economic and operational impact.
This ransomware attack marks the CMC’s first live public assessment of financial costs from a systemic cyber event in the UK retail sector.
Why This Event Earned a Category 2 Rating
The CMC rated the ransomware strike a Category 2 event. This reflects a “narrow but deep” disruption: severe for Marks & Spencer and Co-op and for their suppliers and service partners, but not spreading across the wider retail sector.
The event caused significant financial damage but remained confined to the two firms, their supply chains and their service partners. A more widespread impact across the retail sector would have triggered a higher category.
Attack Overview
In April 2025, M&S and Co-op were hit by ransomware within days of each other. The attacks disrupted online and in-store operations and led to the exfiltration of customer data.
The CMC determined that a single threat actor likely executed both attacks based on shared tactics, techniques, and procedures. Other retail incidents reported during the same period were excluded due to limited data.
[Figure: The Cyber Monitoring Matrix showing the positioning of this event]
The Cyber Monitoring Centre’s Role
The Cyber Monitoring Centre collects and analyses cyber incident data across the UK. Its technical committee, chaired by Ciaran Martin, includes industry experts who apply a Cyber Monitoring Matrix to assess and classify events.
Reports are shared free of charge to help businesses improve cyber risk awareness, resilience, and response planning.
Estimated Financial Impact: £270 Million to £440 Million
The total estimated cost to affected parties ranges from £270 million to £440 million. The CMC based its model on public and proprietary data, including consumer-spending data from Fable Data that tracked how spending shifted during the attacks.
The losses include:
- Lost sales at M&S, Co-op, franchisees, and suppliers
- IT rebuild and recovery costs
- Legal and notification expenses
Marks & Spencer alone said in its May 2025 results announcement that it expected an impact of around £300 million.
How the Attacks Disrupted Retail
Marks & Spencer saw online sales fall to nearly zero during the attack, with in-store sales dropping 15%.
The retailer lost an estimated £1.3 million in daily online revenue during the peak disruption. Some online services returned ahead of expectations, limiting the overall impact.
At Co-op, daily sales fell by 11% in the first 30 days. Co-op prioritized stock deliveries to its rural stores, especially in areas where it serves as the sole retail provider.
Supply Chain Effects
M&S suppliers struggled to redirect goods due to strict labeling and safety standards for own-label products. Some reported cash flow strains, though M&S provided partner support. The event exposed concentration risks in supply chains, especially in regions with limited alternative retailers.
Cyber Hygiene Weaknesses Exposed
Initial investigations suggest the attackers gained access through social engineering and compromised credentials, with abuse of IT helpdesk processes giving them a further way in. This exposed weaknesses in access and identity management, and in the cyber hygiene of vendors.
Retail Sector Vulnerabilities
The attacks revealed sector-wide weaknesses:
- Over-reliance on real-time inventory systems
- Limited manual fallback processes
- High dependency on IT-driven order and sales systems
These vulnerabilities made it hard for M&S and Co-op to continue operations manually.
What the CMC Recommends
To strengthen resilience, the CMC recommends:
- Stress-testing business continuity and crisis communications plans
- Ensuring financial flexibility to absorb IT recovery costs
- Improving cyber hygiene for third-party vendors and IT helpdesks
- Hardening access controls to limit risks of social engineering
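The report names helpdesk-process abuse and compromised credentials as the initial access route, and recommends hardening helpdesks and access controls against social engineering. One practical control is to watch identity audit logs for the pattern such abuse leaves behind: a helpdesk-initiated password reset, followed shortly by an MFA re-enrolment or a sign-in from an address the account has never used. The script below is an added example, not code from the CMC, M&S or Co-op; the log format, event names and sample lines are all constructed for illustration.

```python
"""Flag helpdesk-assisted account recoveries that look like social engineering.

Heuristic (added example, not a vendor's or the CMC's method): a helpdesk
password reset on an account, followed within a short window by an MFA
re-enrolment or a sign-in from an IP never seen for that account, is
escalated for analyst review.
"""
from datetime import datetime, timedelta

# Constructed sample identity-audit lines (illustrative only; not taken from
# any real incident). Assumed format: time|event|user=...|actor=...|ip=...
SAMPLE_LOG = """\
2025-04-18T08:02:11Z|login|user=a.jones|actor=a.jones|ip=203.0.113.10
2025-04-18T08:05:42Z|login|user=j.smith|actor=j.smith|ip=203.0.113.11
2025-04-19T17:40:09Z|login|user=j.smith|actor=j.smith|ip=203.0.113.11
2025-04-20T09:12:03Z|helpdesk_reset|user=j.smith|actor=helpdesk.agent1|ip=10.0.5.4
2025-04-20T09:20:41Z|mfa_enrol|user=j.smith|actor=j.smith|ip=198.51.100.23
2025-04-20T09:25:10Z|login|user=j.smith|actor=j.smith|ip=198.51.100.23
2025-04-20T11:00:00Z|helpdesk_reset|user=a.jones|actor=helpdesk.agent2|ip=10.0.5.4
2025-04-20T11:06:30Z|login|user=a.jones|actor=a.jones|ip=203.0.113.10
"""


def parse_log(text):
    """Parse pipe-delimited audit lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *kv = line.split("|")
        fields = dict(item.split("=", 1) for item in kv)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "kind": kind,
            **fields,
        })
    events.sort(key=lambda e: e["time"])
    return events


def find_suspicious_recoveries(events, window=timedelta(hours=2)):
    """Return one finding per helpdesk reset that is followed, within
    `window`, by an MFA re-enrolment or a login from an unseen IP."""
    findings = []
    for i, ev in enumerate(events):
        if ev["kind"] != "helpdesk_reset":
            continue
        user = ev["user"]
        # Baseline: IPs this user signed in from *before* the reset.
        known_ips = {e["ip"] for e in events[:i]
                     if e["kind"] == "login" and e["user"] == user}
        reasons = []
        for later in events[i + 1:]:
            if later["time"] - ev["time"] > window:
                break  # events are sorted, so nothing later is in-window
            if later["user"] != user:
                continue
            if later["kind"] == "mfa_enrol":
                reasons.append("MFA re-enrolled after helpdesk reset")
            elif later["kind"] == "login" and later["ip"] not in known_ips:
                reasons.append(f"login from previously unseen IP {later['ip']}")
        if reasons:
            findings.append({
                "user": user,
                "reset_time": ev["time"],
                "helpdesk_actor": ev["actor"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_recoveries(parse_log(SAMPLE_LOG)):
        print(f["reset_time"].isoformat(), f["user"],
              "reset by", f["helpdesk_actor"], "->", "; ".join(f["reasons"]))
```

On the constructed sample, j.smith's reset is flagged (new MFA factor plus a sign-in from an IP never seen for that account) while a.jones's reset, followed by a sign-in from the usual address, is not. In a real deployment the baseline would be built from weeks of sign-in history rather than a handful of lines, and resets performed by third-party or vendor helpdesk accounts would be a natural extra condition to score more heavily, given the report's point about vendor hygiene.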
Why This Report Matters
This is the first time the Cyber Monitoring Centre has published a live public assessment of the financial costs of a UK cyber event. The Category 2 rating signals a substantial but contained disruption. No event in the UK has yet reached the Category 4 or 5 levels, reserved for deep and broad economic crises.
A Call to Action for Retailers
This attack serves as a warning to UK retailers. The CMC urges the sector to learn from the lessons of Marks & Spencer and Co-op in strengthening their cyber defenses. Future ransomware events could easily escalate if not contained.
Looking Ahead
The Cyber Monitoring Centre plans to refine its models and collaborate further with industry, insurers, and government. Its mission is to reduce the risk and impact of future systemic cyber threats.