The Scattered Spider/Dragonforce cyber attacks that struck Marks & Spencer and Co-op during the spring have been classed as a Category 2 cyber event on the UK Cyber Monitoring Centre’s (CMC’s) recently launched ‘hurricane scale’, with total costs likely to end up somewhere between £270m and £440m.
The CMC – an arm’s-length body set up by the insurance industry to assess the impact of cyber attacks on the UK and help organisations better manage their risk profiles, and backed by cyber experts including former NCSC lead Ciaran Martin – said that based on its incident categorisation matrix, the incident had had a “substantial financial impact” and resulted in “economic reverberations “across third-party suppliers, franchisees and supporting services”.
In their assessment, the CMC team described the impact from the event as “narrow and deep” with significant implications for both companies and knock-on effects spreading to their suppliers, partners and service providers. This is in stark contrast to a “shallow and broad” event like the CrowdStrike incident of July 2024, where a far larger number of businesses suffered but the impact to any one organisation was much less.
The CMC said that while it has yet to book a Category 4 or 5 event in the UK, had the disruption extended more widely across the retail sector, the attack campaign might have been ranked higher. In the event, of course, Scattered Spider’s campaign is known to have hit just two major retailers.
That said, the CMC did note a third attack on Harrods, and other retailers and retail-adjacent organisations reported to have experienced incidents in the past few months, but said it had to confine its analysis to the more widely reported M&S and Co-op incidents because there was a lack of information about the cause and impact of other events at the time.
CMC CEO Will Mayes told Computer Weekly: “This assessment provides, for the cyber and wider business community, a robust piece of analysis on the financial impact of a cyber event affecting two major retailers, which has been at the centre of a high volume of media attention.
“We’re hugely grateful to our Technical Committee for the depth of expertise and experience that they applied to analysing the implications of the incident.”
Financial costs
In arriving at its figure of £270m to £400m, the CMC has drawn on a range of public and commercial data sources, including its own modelling, and a figure of approximately £300m floated by M&S in May during its annual results call.
The CMC said its figure might have been higher based on statements made by M&S of an anticipated July restart date for online shopping. However, the fact that the retailer has since stood up some of its online shopping operations meant the CMC could pare back its estimates.
The total figure includes covering the costs of business interruption arising from lost sales opportunities, incident response and IT restoration costs, and legal and notification costs. It does not include any ransom payments as it is not known if any have been made.
Based on stats drawn from transactional data platform Fable Data, the CMC said that M&S saw a daily reduction in spend of 22% during the incident, with online sales dropping to essentially zero and in-store sales down 15% as the firm struggled to keep its Food Halls and other locations topped up. For Co-op, daily spend dropped by 11% during the first 30 days of the incident.
The CMC observed that M&S’ distinct own-label business model and a number of exclusive contracts with suppliers left it particularly vulnerable to supply chain effects, with suppliers struggling to reroute goods, particularly items relying on cold chain storage.
Turning to Co-op, the Fable data show daily spend dropped by 11% during the first 30 days of the incident. The CMC said that because Co-op is frequently the only bricks and mortar grocery chain in more isolated and remote parts of the country – particularly in the Highlands and Islands of Scotland – the incident demonstrated the broader social impacts of such cyber attacks.
“The event underscores retail sector vulnerabilities tied to just-in-time stock systems, lack of back-end storage, and high dependency on IT-driven order flows. When systems fail, it is challenging to revert to manual processes,” said the team.
Preparing to fail
Looking into the future, the CMC said the Scattered Spider attacks had been an object lesson in preparedness for the retail sector, stressing the need to test business continuity and crisis response plans against ransomware attacks, including procedures for inventory management, and crisis communications.
As well as noting, naturally, the need for improved cyber hygiene and proper understanding of retailers’ exposure to third-party risk – likely how the M&S and Co-op incidents began – the CMC also said that retailers needed to consider that the costs of business interruptions can be extreme, and it is wise to ensure that capital, or adequate insurance protection, is available to cover cyber attacks.
This article was edited at 21:30 BST on Friday 20 June 2025 to incorporate additional information provided by the CMC.
