The Cyber Monitoring Centre (CMC) has classified the cyber attacks on the Co-op and Marks and Spencer as a Category 2 systemic event in its first live public assessment of the financial impact on the UK of a cyber incident.
The CMC – a non-profit organisation which aims to assess the severity of cyber incidents – estimates the total financial impact across affected parties at £270 million to £440 million, based on a matrix it used to classify events according to the financial impact and number of parties involved.
In April 2025, both UK retailers were affected by a ransomware incident that resulted in disruption to critical business functions and customer data exfiltration. Given that one threat actor claimed responsibility for both M&S and Co-op, the close timing, and similar tactics, techniques, and procedures, the CMC has assessed the incidents as a single combined cyber event.
The CMC said the impact from the event is “narrow and deep,” as it had significant implications for the two companies as well as knock-on effects for suppliers, partners and service providers. This contrasts with a “shallow and broad” event like last year’s CrowdStrike incident, where a large number of businesses across the economy were affected, but the impact to any one company was far smaller.
Had there been further widespread disruption in the sector, the CMC said the categorisation could have been higher. However, because the impact was confined to two companies and their partners, the CMC judged it to be at the lower end of severity on the scale.
The CMC said it has not yet seen a deep and broad category 4 or category 5 event impact the UK. The organisation added that it noted the attack on Harrods, and acknowledged that other retailers and retail-adjacent organisations reported to have experienced incidents in the past few months. However, it said it had to confine its analysis to the more widely reported M&S and Co-op incidents because there was a lack of information about the cause and impact of other events at the time.
Attribution is ongoing, but current indicators suggest the same threat actor targeted both retailers using similar tactics. The initial access vector is believed to involve social engineering, with reports suggesting compromised credentials and potential abuse of IT helpdesk processes.
In terms of the financial cost, the CMC said that while both companies suffered business disruption, data loss, and costs for incident response and IT rebuild, business disruption accounted for the vast majority of the financial cost. The estimated impact includes direct business interruption costs from lost sales for M&S, Co-op, franchisees and suppliers, incident response and IT restoration costs, and legal and notification costs.
M&S described in its full-year results published on 21 May an expected impact of approximately £300 million for 2025/26, which would be reduced through management of costs, insurance and trading actions. The CMC’s assessment is independent of, although broadly consistent with, this estimate.
Using transaction data provided by technology company Fable Data, the CMC estimates that M&S lost around £1.3 million per day due to the lack of online sales. Daily spending dropped by around 22 per cent during the time that online shopping was unavailable, with online sales dropping to near zero and in-store sales down almost 15 per cent.
The CMC added that while initial reports focused on the failure of contactless payment methods, the true impact was significantly broader and driven primarily by the prolonged disruption to online sales and in-store stock shortages.
The Co-op saw an average fall in daily spend of 11 per cent in the first 30 days of the attack. In remote and rural areas, particularly the Highlands and Islands in Scotland, Co-op acts as a sole provider, meaning service disruption in these regions illustrated the broader societal impact cyber events can trigger through concentrated retail supply chains.
The event also highlighted retail sector vulnerabilities tied to just-in-time stock systems, lack of back-end storage, and high dependency on IT-driven order flows. M&S’s distinct own-label model and exclusive contracts meant it was harder for suppliers to re-route goods, particularly where packaging or safety regulations apply, such as with M&S prepared foods and meat.
The CMC has not included any ransom payments in its estimates as there is no evidence at this point that a ransom was paid or not paid. The analysis is based on available data and subject matter expert discussions up to and including 10 June, with assumptions made about how quickly both retailers will make a full recovery.
