Pierluigi Paganini
June 23, 2025
The Cyber Monitoring Centre (CMC) has labeled the recent cyberattacks on Marks & Spencer and Co-op as a Category 2 systemic event, estimating losses between £270M and £440M.
In early May, the attackers behind the Co-op cyberattack, who go online with the name DragonForce, told the BBC that they had stolen data from the British retail and provided proof of the data breach.
Hackers shared screenshots with BBC of their first extortion message to Co-op’s cyber chief via Microsoft Teams on 25 April. They also called the head of security at the company around a week ago.
Initially, the company declared that there was “no evidence that customer data was compromised”.
However, the British consumer co-operative owned Co-op later confirmed that threat actors accessed data belonging to current and past members, BBC reported.
“The cyber criminals claim to have the private information of 20 million people who signed up to Co-op’s membership scheme, but the firm would not confirm that number.” reads the post published by BBC.
The DragonForce group also claimed the attack on M&S and told BBC that they have attempted to hack Harrods.
The threat actors accessed the company’s internal Teams, leaked staff credentials and 10,000 customer records containing Co-op membership card numbers, names, home addresses, emails, and phone numbers. BBC pointed out that after having verified data, they destroyed it.
“This data includes Co-op Group members’ personal data such as names and contact details, and did not include members’ passwords, bank or credit card details, transactions or information relating to any members’ or customers’ products or services with the Co-op Group,” a spokesperson told BBC.
DragonForce ransomware group scrambles victims’ data and demands a ransom; they are also known to steal victims’ data. DragonForce runs a cybercrime affiliate service, letting affiliates use its tools to launch attacks and extort victims. The group manages both Telegram and Discord channels, cybersecurity experts believe it is composed of English-speaking teenagers.
The Cyber Monitoring Centre (CMC) assessed the Marks & Spencer and Co-op cyberattacks as a single major incident due to shared timing, a common threat actor, and the same techniques, tactics and procedures used by threat actors. The attacks that hit Harrods and other retailers around the same time weren’t included, as too little is known about those cases. The CMC aims to use such analysis to strengthen the UK’s cyber resilience.
“The CMC has classified this incident as a Category 2 systemic event based on the categorisation matrix as defined in our methodology. This reflects its substantial financial impact and the economic reverberations across third-party suppliers, franchisees, and supporting services.” reads the report published by CMC.
The CMC labeled the M&S and Co-op attacks as “narrow and deep,” with major disruption to those firms and ripple effects on partners. Unlike “shallow and broad” events, the impact here was limited to a few but severe. Most costs came from business disruption, not just IT damage. Signs point to the same threat actor using social engineering and stolen credentials to breach both companies.
“Using available data and established modelling, the CMC estimates the total financial impact of the event across affected parties at £270 million – £440 million.” continues the report. “This includes:
The CMC estimates the M&S and Co-op cyberattack damage is mainly from business disruption. M&S alone expects a £300M hit in 2025/26. Online sales losses reached £1.3M per day before limited service resumed. Consumer spending dropped 22% at M&S and 11% at Co-op. The researchers state rural areas relying on Co-op saw notable disruption. The attack exposed retail supply chain and IT fragility. Supplier strain and costly IT rebuilds added to the impact.
The incidents highlight the need to stress-test crisis plans, ensure financial resilience, improve cyber hygiene across vendors, and strengthen access controls. Even a limited attack can ripple across sectors. CMC pointed out that clear crisis communication and strong recovery capabilities are essential. The CMC aims to support better cyber readiness through transparency and collaboration.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Marks & Spencer)
