{
	"id": "80b8be5f-457f-4eee-8937-10879d1ed4f7",
	"created_at": "2026-04-06T00:15:34.767278Z",
	"updated_at": "2026-04-10T03:20:16.54258Z",
	"deleted_at": null,
	"sha1_hash": "7f4e7809262c4b22f13afb78b7d68034735017f4",
	"title": "Cyber Monitoring Centre Statement on Ransomware Incidents in the Retail Sector – June 2025 – CMC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 159711,
	"plain_text": "Cyber Monitoring Centre Statement on Ransomware Incidents in\r\nthe Retail Sector – June 2025 – CMC\r\nArchived: 2026-04-02 10:43:59 UTC\r\nThe Cyber Monitoring Centre (CMC), in its first live public assessment of the financial impact on the UK of a\r\ncyber incident, categorises the disruption of retailers M\u0026S and Co-op as a Category 2 systemic event. The CMC\r\nestimates the total financial impact across affected parties at £270 million to £440 million. \r\nIn April 2025, UK retailers Marks \u0026 Spencer (M\u0026S) and Co-op were both affected by a cyber ransomware\r\nincident that resulted in disruption to critical business functions, and in which customer data was exfiltrated1\r\nThe Cyber Monitoring Centre (CMC) has analysed the event in line with its mission to categorise systemic cyber\r\nincidents in the UK and provide independent, considered analysis that can be used to increase the UK’s cyber\r\nresilience. \r\nGiven that one threat actor claimed responsibility for both M\u0026S and Co-op, the close timing, and the similar\r\ntactics, techniques, and procedures (TTPs), CMC has assessed the incidents as a single combined cyber event.  It\r\nhas not included an incident affecting UK retailer Harrods at a similar time, or other retailers also reported to have\r\nbeen impacted in April and May, given the low level of information about the cause and impact.\r\nThe CMC’s assessment includes an estimate of the financial impact of the event, insights into its implications, and\r\nrecommendations for future preparedness, to improve cyber mitigation and response plans. The CMC’s\r\nassessment and recommendations draw on data collected on the event’s impact, coupled with input from subject\r\nmatter experts and the collective experience and expertise of its Technical Committee, chaired by Ciaran Martin.\r\nThe CMC is constantly looking to improve its methodology and data, and is willing to discuss its findings –\r\nconfidentially – with any party with value to add to the assessment.\r\nEvent Overview and Categorisation\r\nThe CMC has classified this incident as a Category 2 systemic event based on the categorisation matrix as\r\ndefined in our methodology. This reflects its substantial financial impact and the economic reverberations across\r\nthird-party suppliers, franchisees, and supporting services. \r\nThe Cyber Monitoring Matrix Showing the Positioning of this Event \r\nhttps://cybermonitoringcentre.com/2025/06/20/cyber-monitoring-centre-statement-on-ransomware-incidents-in-the-retail-sector-june-2025/\r\nPage 1 of 5\n\nThe impact from this event is “narrow and deep”, having significant implications for two companies, and knock-on effects for suppliers, partners, and service providers. This contrasts with a “shallow and broad” event like last\r\nyear’s CrowdStrike event, where a large number of businesses across the economy were affected but the impact to\r\nany one company was far smaller. We are yet to see a deep and broad category 4 or category 5 event impact the\r\nUK. Had there been further widespread disruption in the sector, the categorisation could have been higher, but\r\nbecause the impact was confined to two companies and their partners, it is judged to be at the lower end of\r\nseverity on the CMC’s scale. \r\nAlthough both of the targeted companies suffered business disruption, data loss, and costs for incident response\r\nand IT rebuild, business disruption drives the vast majority of the financial cost. Most of the estimated disruption\r\ncost is faced by the two companies, but our analysis seeks to estimate the wider cost to partners, suppliers and\r\nothers. \r\nAttribution is ongoing, but current indicators suggest the same threat actor targeted M\u0026S and Co-op using similar\r\nTTPs. The initial access vector is believed to involve social engineering, with reports suggesting compromised\r\ncredentials and potential abuse of IT helpdesk processes.\r\nEstimated Financial Impact\r\nUsing available data and established modelling, the CMC estimates the total financial impact of the event across\r\naffected parties at £270 million – £440 million. This includes:\r\nhttps://cybermonitoringcentre.com/2025/06/20/cyber-monitoring-centre-statement-on-ransomware-incidents-in-the-retail-sector-june-2025/\r\nPage 2 of 5\n\nDirect business interruption costs resulting from lost sales (the bulk of the cost) for M\u0026S, Co-op,\r\nfranchisees, and suppliers\r\nIncident response and IT restoration costs for M\u0026S and Co-op\r\nLegal and notification costs for M\u0026S and Co-op\r\nM\u0026S described in its full-year results published on 21 May an expected impact of the incident of “c.£300m for\r\n2025/26, which will be reduced through management of costs, insurance and trading actions”2 The CMC’s\r\nassessment is independent of, although broadly consistent with, this estimate.\r\nBased on the M\u0026S financial statement and comments made in late May, we originally anticipated an early July\r\nreturn of online shopping. The return of limited online sales (approximately a third of online fashion items and no\r\nhome and beauty products initially available) a month ahead of these assumptions, reduced our overall estimate of\r\nthe financial impact. Our model indicated that the financial impact of having no online sales was a loss to the\r\nbusiness of just over £1.3M per day – this is less than the total loss in turnover as it takes into account reductions\r\nin orders, stock that can be resold later, and not having to pay other variable costs. \r\nThe CMC’s estimates are based on public and commercial data sources including Fable Data, which provided a\r\nrepresentative sample of transaction-level consumer spending at M\u0026S and Co-op. We have not included any\r\nransom payments as there is no evidence at this point that a ransom was paid or not paid.\r\nKey Insights from the CMC Analysis\r\nConsumer sales impact (M\u0026S): For M\u0026S, Fable data shows a reduction in average daily spend of 22%\r\nduring the event for the period online shopping was unavailable, with online sales dropping to near\r\nzero and in-store sales down almost 15%. Early media reports focused on the failure of contactless\r\npayment methods, but the true impact was significantly broader and driven primarily by the prolonged\r\ndisruption to online sales and in-store stock shortages.\r\nConsumer sales impact (Co-op): For Co-op, Fable data shows an average fall in daily spend of 11% in\r\nthe first 30 days of the event.\r\nSupplier exposure: M\u0026S’s distinct own-label model and exclusive contracts mean that it is harder for\r\nsuppliers to re-route goods, particularly where packaging or safety regulations apply (e.g. M\u0026S prepared\r\nfoods and meat). Some suppliers expressed concern about cash flow, though M\u0026S has been described as\r\nproactive in supporting partners.\r\nConcentration risk in more remote areas: In remote and rural areas (e.g. the Highlands and Islands in\r\nScotland), Co-op acts as a sole provider. Service disruption in these regions illustrates the broader societal\r\nimpact cyber events can trigger through concentrated retail supply chains. Co-op are said to have\r\nprioritised supplying these stores.\r\nRetail operational fragility: The event underscores retail sector vulnerabilities tied to just-in-time stock\r\nsystems, lack of back-end storage, and high dependency on IT-driven order flows. When systems fail, it is\r\nchallenging to revert to manual processes.\r\nChallenges and Caveats\r\nThe analysis is based on the available data and subject-matter expert discussions up to and including 10\r\nJune. We have made assumptions about how quickly M\u0026S and Co-op will make a full recovery after this\r\nhttps://cybermonitoringcentre.com/2025/06/20/cyber-monitoring-centre-statement-on-ransomware-incidents-in-the-retail-sector-june-2025/\r\nPage 3 of 5\n\ndate.\r\nAssumptions were made about the relationship between loss of revenue (captured in the Fable data) and the\r\nfinancial loss to M\u0026S and Co-op based on historical benchmarking and expert discussions. Both retailers\r\npublish high level financial information, but the detailed information that would be required to get a better\r\nunderstanding of the relationship between revenue and financial loss is not publicly disclosed. Given that\r\nbusiness interruption is the primary driver of the loss, our model is sensitive to these assumptions. \r\nIncident response and IT restorations costs, and legal and notification costs were benchmarked based on\r\nhistorical events and discussions with the Technical Committee. Individual estimates for these costs have\r\nnot been released by M\u0026S or Co-op. Out of these additional costs, the most significant is the cost to\r\nrebuild IT systems.\r\nRecommendations for Future Preparedness of the Retail Sector \r\nThe event illustrates the importance of:\r\nStress-testing business continuity and crisis response plans for ransomware attacks, including fallback\r\nprocedures for manual ordering and inventory control and the ability at least to partially restore key\r\nservices as quickly as possible. Alongside the exercising and testing of technical and operational\r\ncontingency processes and procedures, it is becoming increasingly important to test and validate crisis\r\ncommunications plans, to maintain confidence and trust across customers, suppliers, and, for listed\r\norganisations, shareholders. \r\nEnsuring financial stability and flexibility to survive large-scale operational disruption. Costs from\r\nbusiness interruption – and the costs of IT recovery – can quickly mount up and retailers, like all\r\nbusinesses, should run stress tests and make sure they have capital available or adequate insurance\r\nprotection to enable recovery.\r\nImproving cyber hygiene across service providers and the IT services supply chain, particularly IT\r\nsupport desks and third-party vendors. Retailers should test whether they understand their dependencies,\r\nand whether they can quantify their risks.\r\nThe paramount importance of access and identity management. Assuming reports of the nature of the\r\nbreaches are accurate, it demonstrates that internal privilege escalation controls are vital to reduce exposure\r\nto social engineering-based attacks.\r\nThe CMC’s analysis aims to provide transparency and support coordinated improvements in cyber resilience. This\r\nevent shows how even a contained cyber attack can ripple across sectors and geographies, affecting businesses,\r\ncustomers, and critical supply networks.\r\nWe will continue to work with industry, insurers, and government to learn from this event and help reduce the\r\nimpact of future systemic cyber threats.\r\nAbout the Cyber Monitoring Centre\r\nThe Cyber Monitoring Centre is an independent, non-profit organisation responsible for analysing and\r\ncategorising cyber events that impact UK organisations.\r\nhttps://cybermonitoringcentre.com/2025/06/20/cyber-monitoring-centre-statement-on-ransomware-incidents-in-the-retail-sector-june-2025/\r\nPage 4 of 5\n\nEvents are categorised by an independent technical committee made up of leading cyber experts and based on\r\nanalyses of data from leading providers. Event categorisation and event reports are provided free of charge to any\r\ninterested organisations and individuals to help increase the understanding of the impact of cyber events and\r\nimprove cyber mitigation and response plans.\r\nFull details of the CMC’s methodology and categorisation matrix can be found here and full details of the CMC’s\r\nTechnical Committee can be found here.\r\nDisclaimer\r\nThe Cyber Monitoring Centre provides event categorisations free of charge that are publicly available to all. No\r\nliability is accepted for the use of, or reliance on event categories. Event categorisations are determined based on\r\nthe information available up to the date of the Technical Committee meeting. All reasonable endeavours are used\r\nto try to ensure accuracy of the information used in providing the event categorisation. However, the Cyber\r\nMonitoring Centre makes no representations or warranties of any kind, whether express or implied, as to the\r\ncompleteness, accuracy, reliability or suitability of the event categorisation or any supporting information, any of\r\nwhich may be subject to change without notice. The Cyber Monitoring Centre doesn’t release precise loss\r\nestimates, providing instead the loss estimate range. \r\n1\r\n https://corporate.marksandspencer.com/cyber-update\r\nhttps://www.co-operative.coop/media/news-releases/cyber-incident-update\r\n2\r\n https://corporate.marksandspencer.com/sites/marksandspencer/files/05-2025/fy25-rns.pdf\r\nSource: https://cybermonitoringcentre.com/2025/06/20/cyber-monitoring-centre-statement-on-ransomware-incidents-in-the-retail-sector-june-2\r\n025/\r\nhttps://cybermonitoringcentre.com/2025/06/20/cyber-monitoring-centre-statement-on-ransomware-incidents-in-the-retail-sector-june-2025/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://cybermonitoringcentre.com/2025/06/20/cyber-monitoring-centre-statement-on-ransomware-incidents-in-the-retail-sector-june-2025/"
	],
	"report_names": [
		"cyber-monitoring-centre-statement-on-ransomware-incidents-in-the-retail-sector-june-2025"
	],
	"threat_actors": [],
	"ts_created_at": 1775434534,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f4e7809262c4b22f13afb78b7d68034735017f4.pdf",
		"text": "https://archive.orkl.eu/7f4e7809262c4b22f13afb78b7d68034735017f4.txt",
		"img": "https://archive.orkl.eu/7f4e7809262c4b22f13afb78b7d68034735017f4.jpg"
	}
}