High-profile cyber attacks which crippled M&S and Co-op have been watched closely by the cybersecurity industry, not least because they show that even the largest organisations can be badly affected by cyber attacks, and that the fallout can be immense.
The attacks, which hit both major UK retailers in April 2025 – resulting in a loss of £300 million revenue for M&S and an estimated loss of multi-millions of pounds for Co-op, which has not confirmed official figures – have recently been claimed by the same ransomware group, Dragonforce.
In recent news, the BBC reported seeing a “gloating” email sent to M&S’s CEO Stuart Machin from Dragonforce, dated 23 April; until then, speculation had revolved around attributing the attacks to Scattered Spider, a community that organises on online forums. M&S has not confirmed whether it has paid a ransom to the group.
Ransomware attacks are increasingly popular, and growing in number. Ransomware refers to a type of attack where, typically, a cyber attacker will gain access to a company’s systems – phishing emails are one means of doing so – encrypt its data, and only allow it to be decrypted once a ransom has been paid.
Reports on the costs of these kinds of attacks are varied, but according to Cybersecurity Ventures, ransomware is projected to cost victims approximately $275 billion annually by 2031 – in other words, serious money.
How did the M&S and Co-op attacks come about?
The trouble started for M&S back in March 2025, when customers were reporting issues with contactless payments and click & collect services – initially put down as routine glitches. By April, the retailer had confirmed it was dealing with a cyber incident and, in response, took key internal systems offline. By the 25th, online orders had been suspended to manage the breach, and pictures online of empty shelves made the impact of the cyber attack starkly clear.
Co-op reported a cyber attack affecting its back-office systems and call centres on 30 April. It advised staff to stop using VPNs and warned that communication channels may be monitored while the attack continues. An estimated 20 million members’ information has been stolen by the group.
Both M&S and Co-op are currently working on addressing the damage wrought by the cyber attacks – but the financial loss and stolen customer data aren’t the only things to think about. The reputational damage of major cyber attacks should not be underestimated.
“A lot of experts who are talking about the M&S breach are trying to tailor their talking points to a wider audience, arguing that the breach will lead to targeted phishing attacks against consumers,” said Adam Blake, CEO, ThreatSpike.
However, Blake said that these arguments didn’t accurately reflect the factors driving the attack. “What was the M&S attack really about? The power of optics. The main damage was to business continuity, wiping out M&S’ ability to take orders, and incurring massive reputational damage … The subsequent fallout will be severe. People will ask questions: why was everything so reliant on on-prem IT? Why was there no business continuity?”
The reputational damage has proven a big enough incentive for major organisations like M&S to pay the ransom – and even if they don’t, the next organisation will, “not because of any legitimate data, but because nobody wants to be accused of not doing everything they possibly could to protect customer data,” Blake concluded.
What can be done?
Industry experts weighing in had advice that stressed the importance of proactive cybersecurity – getting systems secure before attacks happen – rather than reactive, reflecting a shifting mindset in the cybersecurity industry that recognises the importance of not waiting for serious incidents to happen.
In relation to the Co-op attack, Scott Dawson, CEO of DECTA, said: “Retailers can no longer afford to treat resilience as optional as this becomes more of a trend. This incident, coming on the heels of major breaches at M&S and other high-profile targets, highlights how brittle legacy architectures and siloed security practices are, and no match for sophisticated threat actors.”
Dawson’s advice to businesses was to “move from reactive patchwork to proactive resilience engineering architected into every layer of IT strategy”.
“Firming up defences, educating staff, and understanding what the latest threats look like are all crucial steps for businesses to protect themselves and ensure resilience in the face of such an attack,” said AJ Thompson, CCO at Northdoor. “Some are turning to third-party consultants to help implement these within businesses. They can plug any gaps in internal teams as well as providing expertise to help keep data and systems safe.”
“Prevention must be built in from the ground up. Businesses need a multi-layered approach that combines hardware-level security to detect and block attacks early,” said Camellia Chan, CEO and Founder at X-PHY. “This should be combined with an AI-driven threat detection layer that automates detection and enforces policies in real time. With human error contributing to 95% of data breaches, this removes the burden of constant vigilance from employees and constant resilience testing.”