CMC classifies M&S and Co-op attacks as single cyber event
20/06/2025 | Infosecurity Magazine
The Cyber Monitoring Centre (CMC) has publicly linked the recent cyberattacks on UK retailers Marks & Spencer and the Co-op, assessing them as a single, combined cyber event. The assessment is based on the likelihood of one threat actor (widely attributed to Scattered Spider), the close timing of the incidents in late April 2025, and similar tactics, techniques, and procedures (TTPs) used in both attacks, believed to involve social engineering and compromised credentials.
The CMC estimates the total financial impact of these incidents at £270 million to £440 million, which is made up of lost sales for the retailers, their franchisees, and suppliers, as well as incident response, IT restoration, legal, and notification costs.
Due to this significant economic impact, the CMC categorised the event as a Category 2 systemic event on its monitoring matrix, signifying a "narrow and deep" impact primarily affecting these two companies and their limited number of partners, rather than widespread sector disruption.
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.
The Privacy Newsfeed monitors over 300 global publications, of which more than 6,250 summary articles have been posted to the online archive dating back to the beginning of 2020. A weekly roundup is available by email every Friday.