How Much Did The Recent Retail Cyberattacks Actually Cost Businesses?

New data shows that the cyberattacks on Marks & Spencer and the Co-op in April hit the retail sector hard in terms of cost. While the headlines focused on frozen payments and online outages, the real damage runs much deeper.

The Cyber Monitoring Centre, which tracks large-scale attacks in the UK, put the total financial toll at between £270 million and £440 million. This covers lost sales, IT repairs, legal fees, and other recovery costs.

M&S alone expects a hit of around £300 million this financial year, according to its May earnings report. Most of this comes from business interruption. M&S had to shut down all online orders for weeks. Some online services have returned, but fashion and beauty remain limited.

Data from Fable, which tracked customer spending during the attack, shows M&S daily sales dropped by 22%. In-store sales fell by 15%, and online shopping nearly flatlined. The Co-op saw daily spending drop by 11% in the first month.

What Exactly Went Wrong?

The CMC believes a single group targeted both retailers using similar tactics. Attackers likely got in through social engineering, possibly by tricking helpdesk staff or stealing login details.

Once inside, they caused enough damage to force both companies to shut parts of their systems. M&S couldn’t process contactless payments. Co-op had empty shelves. Customer data was also taken in both cases.

Suppliers felt the impact as well. M&S uses exclusive contracts and own-label products, which left partners stuck with stock they couldn’t send elsewhere. In more rural areas, where Co-op is sometimes the only shop available, service gaps caused added stress.

What About Other Stores?

Harrods was also hit in early May. It paused internal IT systems and store internet access but kept shops open. There was no sign of customer data loss.

Adidas had a breach in May involving a third-party customer service provider. No payments or passwords were leaked, but names and contact details were stolen. Their shops and online store kept running.

H&M experienced a short payment outage in June. Some say hackers caused it, but the company hasn’t confirmed anything. Stores returned to normal after a few hours.

Why Are Retailers Easy Targets, Especially Lately?

Retailers hold large amounts of customer data and rely heavily on online systems. That makes them attractive to attackers and vulnerable to outages.

M&S and Co-op’s experiences show how reliant these companies are on smooth IT operations. Just-in-time stock systems, limited warehouse space, and automated order flows mean that when systems crash, there’s no easy backup.

Retailers also depend on external support. The Adidas breach came through a third-party provider. The CMC warned that service desks and outside vendors are common weak points.

Can Shops Recover From This?

Most of the money lost came from the breakdown of daily operations. The CMC calculated that for every day M&S’s online sales were down, it lost around £1.3 million. That figure already accounts for stock being resold later and some costs being avoided.

Insurance may help a bit, but retailers are being urged to test their crisis plans properly. That means practising manual order handling, stock control, and emergency communications. Without working systems, even basic shop functions become difficult.

The attacks have shown how one incident can ripple across multiple companies, suppliers, and even communities. The CMC says it’s still working through the data and wants retailers to learn from this and prepare better.

This was not the biggest attack the UK has ever seen in terms of reach, but it was the costliest so far. And if more than two companies had been hit in the same way, the figures could have gone much higher.