
M&S vs Co-op Cyberattacks: What Their Responses Teach Us About Handling Breaches

  • Writer: Neil Hare-Brown
  • Jun 12
  • 4 min read

Updated: Jun 23

In 2025, two of the UK’s most recognisable retail brands, Marks & Spencer (M&S) and Co-op, experienced major cyber incidents.


Both involved the compromise of customer data, but how each company responded has become a case study in contrast: one that offers valuable lessons in transparency, crisis response, and customer protection.

This article explores the timeline, actions taken, and consequences — with a view to helping other businesses improve how they respond to cyber breaches.





What Happened?


M&S: Delay, Uncertainty, and Customer Backlash


On 21 April 2025, Marks & Spencer (M&S) fell victim to a sophisticated cyberattack that severely disrupted its operations.

The attackers, believed to be the Scattered Spider group, reportedly accessed systems as early as February using social engineering to gain credentials. They extracted Active Directory data (NTDS.dit), deployed DragonForce ransomware, and encrypted critical internal systems.

The impact was immediate: online orders, click-and-collect services, and contactless payments were all suspended, causing widespread disruption and customer frustration. Financial analysts estimated losses of around £26 million per week, with share prices dropping by over 15%, wiping more than £1 billion from M&S’s market value.

Despite the breach being confirmed in April, M&S did not notify customers that their personal data - including names, contact details, and order histories - had been stolen until 13 May. Although payment details and passwords were reportedly not compromised, the delay in notification sparked public concern over missed opportunities for customers to take protective action.


In summary:

  • The cyberattack occurred around 21 April 2025.

  • Customers were not notified until nearly three weeks later, in mid-May.

  • Stolen data included names, contact details, and order histories — potentially valuable for phishing and fraud.

  • M&S’s CEO received the ransom note via a hijacked internal email account belonging to a contractor from the third-party vendor TCS.

  • Online ordering was suspended for over three weeks, with estimates suggesting losses of £26 million per week.

  • Public confidence was visibly shaken, with criticism over the delay and lack of clarity.




Co-op: Swift Disclosure and Containment


In late April 2025, the Co-operative Group (Co-op) detected unauthorised access attempts within its IT systems.

Acting quickly, Co-op shut down parts of its digital infrastructure to contain the breach, thereby minimising the threat and limiting disruption.

The incident temporarily affected stock ordering systems, causing empty shelves in some stores — particularly in rural areas. However, core retail operations across its 2,300 food stores remained functional. By 14 May, Co-op confirmed its systems were fully restored, stock availability had improved, and all payment methods were operational.

Co-op was transparent from the outset, notifying customers that names and contact details had been accessed. While no financial data or passwords were believed to be compromised, the company’s proactive communication and swift recovery efforts were praised for limiting both reputational and operational damage.


In summary:

  • Co-op detected unauthorised activity around the same time, in late April.

  • They disclosed the breach within days, warning customers and the media.

  • Personal data of customers and members was compromised, but systems were restored within two weeks.

  • Although stock delivery and internal systems were temporarily impacted, operations resumed quickly, and public trust was largely retained.





Why Timing Matters in Breach Disclosure


M&S’s delay in informing customers created a critical window during which cybercriminals could exploit stolen data.

In contrast, Co-op’s early disclosure allowed affected individuals to act quickly and limit potential harm. During the three weeks before M&S customers were notified, criminals could have used the stolen data to:

  • Send targeted phishing emails, using real order histories to increase credibility

  • Commit identity theft, potentially opening fraudulent accounts

  • Attempt credential stuffing, especially if passwords were reused elsewhere

  • Sell verified customer data on dark web marketplaces

  • Launch social engineering campaigns, posing as M&S customer service or delivery providers


Had customers been notified immediately, many of these risks could have been reduced through early password changes, fraud monitoring, and heightened awareness.



How Co-op Reduced the Severity of the Attack


Co-op’s response shows the value of speed, communication, and customer focus:


  • Immediate containment actions

  • Transparent public updates

  • Practical security advice for customers

  • Rapid system restoration and business continuity planning


This proactive stance preserved trust and limited long-term fallout — a stark contrast to M&S’s more opaque approach.




Key Lessons for Businesses


  1. Speed is crucial

    Delays benefit attackers. Quick notifications empower customers to protect themselves.

  2. Transparency matters

    Clear, honest communication builds trust. Silence does not.

  3. Be ready before it happens

    Well-tested incident response plans and cyber exercising make all the difference.

  4. Data breaches are never isolated

    Stolen data fuels phishing, fraud, and long-tail attacks.

  5. Reputation recovery is harder than prevention

    Your response defines public perception long after the breach.





What to Do If You Were Affected by the M&S or Co-op Breach


  1. Change your passwords

    Use strong, unique passwords for each online service. Avoid reusing old credentials.


  2. Enable multi-factor authentication (MFA)

    MFA adds a vital security layer even if your credentials are stolen.


  3. Be alert to scams

    Watch for suspicious messages, especially those claiming to be from M&S or your bank. Never click unfamiliar links or attachments.

  4. Monitor your financial accounts

    Check for unauthorised transactions and consider setting up fraud alerts with your bank.


  5. Use credit monitoring services

    Especially if your contact details were exposed. These can alert you to unusual activity in your name.


  6. Report suspicious activity

    Report it to Action Fraud in the UK or to your bank’s fraud department.





How STORM Guidance Can Help


✔ Expert guidance in data breach response and containment

✔ Strategic support in customer communication planning

✔ Threat intelligence to monitor dark web marketplaces

✔ Post-breach auditing and risk mitigation

✔ Scenario-based incident exercising to strengthen your defences





Both Co-op and M&S were targeted by advanced cyber attackers. But their responses shaped very different outcomes.


Where one delayed, the other disclosed.

Where one hesitated, the other acted.

For business leaders, the lesson is clear: you may not control when a breach happens — but you control how prepared you are, and how you respond.

Explore Storm Guidance’s cybersecurity services to build a more resilient, better-prepared organisation.


