Lost sales, supplier disruption, legal and IT costs all contributed to the figure

The total financial impact of the recent cyber attacks experienced by retailers Marks and Spencer (M&S) and Co-op is somewhere in the region of £270m to £440m, according to a report released by the Cyber Monitoring Centre (CMC).

The attacks – classified as category two out of five by the CMC for their financial impact and affected population – resulted in a suite of losses for the firms, including direct business interruptions for both the retailers and their suppliers, incident response and IT restoration costs and legal and notification costs.

CMC described the attacks as “narrow and deep”, meaning they resulted in significant disruption for a small number of firms, in contrast to “shallow and broad” events such as 2024’s CrowdStrike incident, where a large number of firms were less intensely affected.

Both firms suffered near-total disruption to their online services, while M&S saw an estimated 15% fall in in-store sales and Co-op saw in-store sales fall by 11% on average for the first 30 days of the attack, according to the CMC.

CMC advice

The CMC’s estimates are based on public and commercial data sources. CMC said there is no evidence either firm paid a ransom during the cyber attacks and, as such, this potential figure was not included in calculations.

The CMC report also highlighted several key areas which could help mitigate future events, including “stress-testing business continuity and crisis response plans for ransomware attacks, ensuring financial stability and flexibility, improving cyber hygiene across service providers and the IT services supply chain and highlighting the importance of access and identity management”.

It added: “Costs from business interruption – and the costs of IT recovery – can quickly mount up and retailers, like all businesses, should run stress tests and make sure they have capital available or adequate insurance protection to enable recovery.”