The real bill from the M&S and Co-op attacks

Carl Heaton · Security Commentary

A year on from the April 2025 attacks on Marks & Spencer and the Co-op, the numbers are no longer estimates. M&S's half-year results to September 2025 booked £101.6 million in direct costs from the incident, almost entirely offset by a £100 million insurance recovery, but with pre-tax profits collapsing from £391.9 million to £3.4 million in the same period. Fashion online sales fell 42.9% during the disruption. The Cyber Monitoring Centre, the insurance-backed body chaired by former NCSC director Ciaran Martin, has formally classified the M&S and Co-op events as a single Category 2 incident, with a combined cost between £270 million and £440 million.

That is the headline. The useful version is what an SME should take from it.

What actually happened

The Cyber Monitoring Centre's assessment, published in June 2025, attributed both attacks to the same threat actor: the loose collective known as Scattered Spider, working with the DragonForce ransomware operation. The initial access vector was social engineering. Not a zero-day, not a supply-chain compromise, not a sophisticated cryptographic break. A phone call or a help-desk interaction convincing enough to get past the controls on the day.

The "narrow and deep" framing the CMC chose is worth pausing on. Only two retailers were classified inside the event, but the disruption rippled through their suppliers, partners, and logistics providers for weeks. M&S could not take online orders for several months. Co-op took down internal systems and warned staff their communications might be monitored by the attacker. Empty shelves in stores were a symptom of the food supply chain stalling, not the attack hitting that supply chain directly.

The thing that scaled the damage was not how sophisticated the attack was. It was how interconnected everything downstream of it turned out to be.

What it cost, in plain numbers

For M&S specifically, as of their half-year results:

  • £82.7 million in incident response and recovery.
  • £18.9 million in third-party costs.
  • £100 million recovered through cyber insurance.
  • Pre-tax profit down from £391.9 million to £3.4 million.
  • Fashion division sales down 16.4%, online down 42.9%, stores down 3.4%.
  • Full-year EBIT impact estimated at around 7%.

The insurance recovery is the line item worth staring at. M&S had cover that paid out close to the direct response cost. Most SMEs do not. A 7% EBIT hit on a £13 billion business is survivable. The same proportional hit on a £5 million business is not.

What this means for smaller businesses

You are not M&S. You will not be a Cyber Monitoring Centre case study. But the mechanics that bit M&S bite SMEs harder, not softer.

  • Social engineering is the default entry route. Scattered Spider does not need to break your software. They need to convince one person, often a help-desk or IT contractor, that they are someone else for ten minutes. That control gap exists in almost every business.
  • Your supply chain is the blast radius. When M&S went offline, suppliers from logistics to packaging absorbed weeks of disruption with no contract clause covering it. If you supply a larger company, the next attack on them is your problem too. If you depend on larger suppliers, the next attack on them is also your problem.
  • Just-in-time inventory has no slack. M&S's food halls had to fall back on manual workarounds the moment the stock system went down. Most modern SMEs run lean inventory, lean cash, and lean payroll. Three days of disrupted operations is the difference between an annoying week and a closed business.
  • Recovery time is the metric that matters. Online sales did not return for months, not days. The cost is not the ransom or the ransom decision. It is every day after the first that you cannot trade.

What to actually do

The CMC's own recommended lessons land in roughly the right place. The SME version is shorter.

  • Phishing-resistant logins on the accounts that move money or change systems. Passkeys or hardware keys, not SMS codes. The reason is in our earlier piece on why the NCSC has put passkeys first and passwords second.
  • Help-desk and password-reset procedures that don't bend to a confident voice on a phone. Verification questions that require something the caller cannot have looked up on LinkedIn.
  • A tested recovery plan, not a written one. Restoring backups from cold storage. Re-issuing credentials. Standing up an isolated environment. If your team has never rehearsed it, the first time you'll learn how long it takes is during an incident.
  • A cyber insurance policy you have actually read. What is excluded, what triggers cover, what the insurer expects you to have done before they pay. Most SME policies have material exclusions that surprise people on the day.
  • A conversation with your three biggest suppliers and your three biggest customers about what happens if one of you is down for two weeks. The contract you sign now is cheaper than the lawyers you will hire later.

The kinder reading

M&S survived. Co-op survived. Both will keep trading, with insurance and balance-sheet depth most SMEs do not have. The attackers did not need a national-level capability to do this damage; they needed a phone, a script, and patience. That asymmetry is the part that should make every UK business uncomfortable. It is also why the controls that matter are not exotic. They are the basics, applied properly to the small number of accounts and processes that actually run the business.

How Steelwise can help

Working out which two or three of those basics would actually stop a Scattered-Spider-style attack on your business, and rehearsing the recovery before you need it, is the kind of work we do for clients. Get in touch.
