In April 2025, the United Kingdom’s retail sector faced a significant cybersecurity crisis when Marks & Spencer (M&S) and Co-op were targeted in sophisticated cyberattacks. These incidents have been classified as a single combined cyber event by the Cyber Monitoring Centre (CMC), an independent, non-profit organization established by the insurance industry to assess major cyber incidents. The CMC’s evaluation underscores the severity and interconnected nature of these breaches, estimating the financial impact to be between £270 million ($363 million) and £440 million ($592 million).
The Cyber Monitoring Centre’s Assessment
The CMC rated the combined attacks a Category 2 systemic event, meaning the impact reaches beyond the two companies into their suppliers, partners and service providers. The classification rests on three factors:
– Unified Attribution: A single threat actor claimed responsibility for both attacks, suggesting a coordinated effort.
– Temporal Proximity: The breaches occurred in close succession, indicating a potentially orchestrated campaign.
– Similar Tactics, Techniques, and Procedures (TTPs): The methods employed in both incidents were strikingly similar, pointing to a common modus operandi.
The CMC has not folded in the attack on Harrods that occurred around the same time, citing insufficient information about its cause and impact, so its assessment covers only the M&S and Co-op breaches.
Scattered Spider: The Suspected Culprit
The cybercrime group known as Scattered Spider, also tracked as UNC3944, is believed to be behind both intrusions. The group is notorious for its social engineering: it impersonates IT staff to trick employees, and impersonates employees to trick IT help desks into resetting passwords and MFA registrations. Its earlier campaigns targeted telecommunications firms and business process outsourcing companies, where access to mobile carrier systems enabled SIM swapping attacks.
Modus Operandi of Scattered Spider
Scattered Spider’s approach is characterized by:
– Social Engineering: Utilizing phone calls, SMS, or messaging platforms like Telegram to impersonate IT staff and deceive employees into divulging credentials or installing remote monitoring and management (RMM) tools.
– Credential Theft: Talking victims into reading out one-time passwords (OTPs), or, once a password has been obtained, triggering MFA push prompts over and over until the worn-down user approves one (push-notification fatigue).
– Persistence Mechanisms: Installing legitimate RMM tools such as AnyDesk, LogMeIn and ConnectWise Control to keep access. Because these tools are signed, common in enterprise environments and often allowlisted, their processes and outbound connections blend in with routine administration.
– Targeting Cloud Environments: Demonstrating a deep understanding of platforms such as Microsoft Azure, Google Workspace and AWS, which the group uses for reconnaissance and lateral movement once inside.
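As an added example (not code from the article, the CMC or any vendor), the following Python sketch implements two of the detections these TTPs suggest and then correlates them: an MFA push-fatigue detector over authentication events, and a check for known RMM binaries launched on hosts where no RMM tool is sanctioned. The pipe-delimited event format, the sample events, the executable names, the thresholds and the approved-host list are all assumptions made for this example.

```python
"""Detection sketch for two Scattered Spider-style signals:
  1. MFA push fatigue: a burst of push challenges to one user, most of them
     denied or unanswered, typically followed by a single approval.
  2. Unsanctioned RMM tooling: a known remote-access binary launched on a host
     where no RMM tool is expected, especially from a user profile directory.
The event format, binary names, thresholds and approved-host list are
assumptions for this example, not from any product or from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): timestamp|event_type|k=v|k=v...
SAMPLE_EVENTS = """\
2025-04-19T02:14:03Z|mfa_push|user=j.doe|result=denied
2025-04-19T02:14:41Z|mfa_push|user=j.doe|result=timeout
2025-04-19T02:15:12Z|mfa_push|user=j.doe|result=denied
2025-04-19T02:15:50Z|mfa_push|user=j.doe|result=denied
2025-04-19T02:16:30Z|mfa_push|user=j.doe|result=approved
2025-04-19T08:00:00Z|mfa_push|user=a.smith|result=approved
2025-04-19T02:20:05Z|process_start|host=WS-0412|user=j.doe|image=C:\\Users\\j.doe\\Downloads\\AnyDesk.exe
2025-04-19T09:30:00Z|process_start|host=HELPDESK-01|user=svc.rmm|image=C:\\Program Files\\ScreenConnect Client\\ScreenConnect.ClientService.exe
2025-04-19T09:31:00Z|process_start|host=WS-0412|user=j.doe|image=C:\\Windows\\System32\\notepad.exe
"""

# Illustrative executable names (assumption); tune to the RMM products actually in use.
RMM_IMAGES = {"anydesk.exe", "logmein.exe", "teamviewer.exe",
              "screenconnect.clientservice.exe", "connectwisecontrol.client.exe"}
# Assumption: hosts where the sanctioned RMM client is expected to run.
APPROVED_RMM_HOSTS = {"HELPDESK-01"}


def parse_events(text):
    """Parse the pipe-delimited sample format into dicts with a datetime 'ts'."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, *fields = line.split("|")
        ev = dict(f.split("=", 1) for f in fields)
        ev["type"] = kind
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_pushes=4):
    """Per user, slide a time window over push challenges and report the longest
    run of >= min_pushes pushes in which all but at most one were not approved.
    A run that ends in 'approved' is the fatigue-succeeded case."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["type"] == "mfa_push":
            by_user[ev["user"]].append(ev)
    alerts = []
    for user, pushes in by_user.items():
        pushes.sort(key=lambda ev: ev["ts"])
        best, start = None, 0
        for end in range(len(pushes)):
            while pushes[end]["ts"] - pushes[start]["ts"] > window:
                start += 1
            run = pushes[start:end + 1]
            rejected = sum(1 for ev in run if ev["result"] != "approved")
            if len(run) >= min_pushes and rejected >= min_pushes - 1 \
                    and (best is None or len(run) > len(best)):
                best = run
        if best:
            alerts.append({"user": user, "pushes": len(best),
                           "rejected": sum(1 for ev in best if ev["result"] != "approved"),
                           "approved_after_run": best[-1]["result"] == "approved",
                           "last_push": best[-1]["ts"]})
    return alerts


def detect_unsanctioned_rmm(events, rmm_images=RMM_IMAGES, approved_hosts=APPROVED_RMM_HOSTS):
    """Flag known RMM binaries starting on hosts outside the approved set."""
    alerts = []
    for ev in events:
        if ev["type"] != "process_start":
            continue
        path = ev["image"].replace("\\", "/")
        image = path.rsplit("/", 1)[-1].lower()
        if image in rmm_images and ev["host"] not in approved_hosts:
            alerts.append({"host": ev["host"], "user": ev["user"], "image": image,
                           "ts": ev["ts"],
                           # a user-writable location suggests an ad-hoc, user-installed client
                           "from_user_profile": "/users/" in path.lower()})
    return alerts


def correlate(mfa_alerts, rmm_alerts, horizon=timedelta(hours=1)):
    """Join the two signals: an RMM start by a user shortly after that user's
    MFA fatigue run is the chain the article describes and deserves top priority."""
    hits = []
    for m in mfa_alerts:
        for r in rmm_alerts:
            if r["user"] == m["user"] and timedelta(0) <= r["ts"] - m["last_push"] <= horizon:
                hits.append({"user": m["user"], "host": r["host"], "image": r["image"],
                             "minutes_after_mfa": (r["ts"] - m["last_push"]).seconds // 60})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in correlate(detect_mfa_fatigue(evs), detect_unsanctioned_rmm(evs)):
        print("HIGH:", alert)
```

In production the push events would come from the identity provider's sign-in logs and the process events from EDR telemetry, and the window, push count and binary list need tuning per environment; the point of the `correlate` step is that either signal alone is noisy, but an approval at the end of a burst of rejected prompts followed minutes later by a remote-access client starting from the same user's Downloads folder is close to a textbook description of the intrusion chain above.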
Impact on Marks & Spencer and Co-op
The attacks on M&S and Co-op had far-reaching consequences:
– Operational Disruptions: M&S suspended online ordering for several weeks, cancelling thousands of outstanding orders, and saw contactless payments and click-and-collect disrupted across its roughly 1,000 UK stores. Co-op took systems offline to contain the intrusion, which disrupted deliveries to stores and left some shelves empty, and it later confirmed that member names and contact details had been extracted.
– Financial Losses: The CMC puts the combined impact at £270 million to £440 million, a figure that covers lost revenue, incident response and recovery costs, and legal and regulatory exposure. M&S itself has guided to a hit of around £300 million to its operating profit for the year.
– Reputational Damage: Both retailers suffered significant reputational harm, eroding customer trust and potentially affecting future business prospects.
Broader Implications and Industry Response
The M&S and Co-op incidents are part of a wider run of attacks on retail. Harrods disclosed an attempted intrusion in early May 2025 and was quickly linked to Scattered Spider in press reporting, although the CMC has not added it to its assessment. The group's targeting has since widened beyond retail: threat intelligence reporting in June 2025 indicated that it had turned to major insurance companies in the United States, a move towards sectors holding large volumes of sensitive personal and financial data.
Preventive Measures and Recommendations
In light of these developments, organizations across various sectors are urged to:
– Enhance Employee Training: Train staff to recognise social engineering and to verify unusual requests out of band, and give help desks a strict identity-verification procedure before resetting passwords or re-enrolling MFA devices, a step the group is known to abuse.
– Strengthen Authentication Protocols: Prefer phishing-resistant MFA such as FIDO2 security keys or passkeys over push notifications and OTPs, which push fatigue and OTP phishing are designed to defeat; alert on bursts of MFA prompts, sign-ins from new devices or locations, and new MFA registrations.
– Regular Security Audits: Conduct frequent security assessments, including an inventory of which RMM tools are sanctioned and on which hosts, so that any other remote-access tool found running is treated as a finding.
– Incident Response Planning: Develop and regularly update incident response plans to ensure swift and effective action in the event of a cyberattack.
Conclusion
The cyberattacks on Marks & Spencer and Co-op serve as a stark reminder of the evolving threat landscape and the need for vigilance in cybersecurity practices. As threat actors like Scattered Spider continue to refine their tactics and expand their targets, organizations must proactively enhance their defenses to protect sensitive data and maintain operational integrity.