Scattered Spider Linked to Cyberattacks on M&S and Co-op, Resulting in Up to $592M in Damages

June 21, 2025
Cyber Attack / Critical Infrastructure

The April 2025 cyberattacks on U.K. retailers Marks & Spencer and Co-op have been deemed a “single combined cyber event” by the Cyber Monitoring Centre (CMC), an independent non-profit organization established by the insurance industry to assess significant cyber incidents. The CMC noted, “Given that one threat actor claimed responsibility for both M&S and Co-op, along with their close timing and the similar tactics, techniques, and procedures (TTPs), we have classified these incidents as a single combined cyber event.” These disruptions have been categorized as a “Category 2 systemic event,” with estimated financial repercussions ranging from £270 million ($363 million) to £440 million ($592 million). However, the cyberattack on Harrods, occurring around the same period, has not been included due to insufficient information regarding its cause.

Scattered Spider Linked to Cyberattacks on M&S and Co-op, Resulting in Significant Financial Losses

In April 2025, the U.K. retailers Marks & Spencer (M&S) and Co-op fell victim to a series of cyberattacks, now recognized as a “single combined cyber event” by the Cyber Monitoring Centre (CMC). This independent, non-profit organization, established by the insurance sector, evaluates significant cyber incidents to better inform stakeholders about vulnerabilities and risks in the digital landscape. The CMC based the classification on one threat actor having claimed responsibility for both attacks, on their close timing, and on the similar tactics, techniques, and procedures (TTPs) used.

The reported disruption to M&S and Co-op has been classified as a “Category 2 systemic event.” Financial projections from the CMC estimate that these breaches could inflict damages ranging from £270 million (approximately $363 million) to £440 million (around $592 million). The assessment underscores the substantial impact that such cyber events can have on retail operations, both in terms of direct financial loss and potential reputational damage.

While investigations into the incursions targeting M&S and Co-op have been ongoing, it is noteworthy that a separate cyber incident affecting Harrods during the same timeframe has not been included in this evaluation. The CMC cited insufficient information regarding the cause and nature of the Harrods attack, highlighting the complexities often involved in attributing cyber incidents.

Understanding the tactical methodologies employed in these types of attacks is crucial for business owners looking to fortify their cybersecurity postures. The MITRE ATT&CK framework serves as a valuable tool in this assessment. Tactics such as initial access, persistence, and privilege escalation may have played significant roles in the operational execution of these cyber events. For instance, an attacker could have gained initial access through techniques like phishing or exploiting software vulnerabilities, followed by establishing persistence within the network to maintain control over compromised systems.

The rapid evolution of cyber threats necessitates that organizations remain vigilant. The incidents involving M&S and Co-op exemplify how a determined adversary can synchronize efforts across multiple targets, underscoring the urgency for robust cybersecurity measures and incident response protocols. As retail companies increasingly integrate digital solutions into their operations, understanding the landscape of potential threats becomes imperative.

Consequently, business leaders should take these incidents as a catalyst to analyze their own cybersecurity frameworks. Implementing comprehensive risk assessments and leveraging advanced monitoring systems can provide greater insights into potential vulnerabilities. Moreover, collaboration with cybersecurity experts can further enhance organizational resilience against similar threats in the future.

In the face of evolving cyber threats, organizations must maintain a proactive stance. Understanding the implications of these attacks through frameworks like MITRE ATT&CK not only aids in recognizing current risks but also informs strategic planning to mitigate future incidents. As the retail sector grapples with an increasingly sophisticated adversary landscape, these lessons are vital for sustaining operational integrity and customer trust in a digital age.
