M&S and Co-op Cyber Security Case Study: What Local Businesses Can Learn

Outsourced IT support helping employees in office

2025 was a big year for cyber security headlines in the UK, with two of our biggest stores suffering high profile cyber attacks: Marks and Spencer and The Co-op.

Around a year on, here’s a breakdown of what happened, how Co-op’s cyber security measures helped them come out on top and what local businesses can learn.

M&S and Co-op 2025 cyber attacks: the timeline

Malicious activity reportedly began occurring as early as February 2025 and it wasn’t until August that business returned to normal for M&S. That’s 6 months of business impact, without considering the long-term damage on reputation and customer relationships.

Here’s a top-line look at the timeline of the cyber attacks.

	M&S	Co-op
Feb 2025	Undetected social engineering attack believed to occur Attackers believed to gain access through social engineering. Goes undetected for 2 months.	—
22^nd–30^th April 2025	Payment systems fail; M&S servers encrypted; all online orders suspended Customers unable to use contactless payments or click & collect across M&S stores over Easter weekend. Ransomware deployed impacting e-commerce, payment processing and logistics. On 25^th April, all UK & Ireland online sales and app orders stopped.	Co-op breach caught within an hour Attacker impersonates a colleague & resets account on 25^th April. SOC detects unusual behaviour almost immediately and response launched within the hour. Systems shut down & VPN access cut.
13^th May 2025	Customer data theft confirmed M&S confirms personal data stolen (names, email addresses, postal addresses, dates of birth).	Data accessed and supply disruption Co-op confirms data was accessed but ransomware was not successfully deployed. Store supply disruption & Funeral business reverts to paper-based systems in May and June caused by decision to shut down back-office systems to limit attack damage. On 16^th July, Co-op CEO confirms that names, addresses and contact details of all 6.5 million Co-op members were taken.
10^th June 2025	Some online orders resume 46 days after suspension Click & collect remains down.
August 2025	Click & collect restored 15 weeks after attack Competitor Next upgrades profit forecast for fourth time, citing ‘competitor disruption’ (i.e. the M&S cyber attack) in its trading statement.	—

The Numbers

M&S

Impact of the 2025 cyber attack

Profit impact

£300m

Est. operating profit impact, full year (before mitigations)

Stores offline

46 days

Online orders suspended; click & collect down for 15 weeks

Sales impact

−42.9%

Fashion online sales, H1 2025 vs H1 2024. Competitors’ profits rose as customers switched.

Market value lost

>£1bn

Stock market value wiped at peak

Co-op

Impact of the 2025 cyber attack

Profit impact

£107m

Full-year profitability impact

Stores offline

None

No stores taken offline, although supply disruption led to empty shelves

Sales impact

−2.1%

Total group revenue; grocery revenue −1.6%, H1 2025 vs H1 2024

Market value lost

N/A

Mutual society — not publicly listed

What Co-op did differently, AND WHAT THIS MEANS FOR YOUR BUSINESS

Expert view: Shirine Khoury-Haq, The Co-op Group

“On April 25th, our Co-op was the victim of a multi-stage cyber attack… Our routine investment in security, the deliberate segregation of systems and frequent testing laid a strong foundation for our response to this cyber attack. It was, however, the extraordinary talent of our in-house teams and partners that made the difference.“

Even with strong preparation, Co-op still took a significant hit. But their investment in security meant the attack was contained in minutes rather than months, and the damage was a fraction of what it could have been.

The right measures won’t make your business invincible. But they’ll help make sure that when something happens, it doesn’t become a crisis you can’t recover from.

According to Hiscox’s 2025 Cyber Readiness Report, 94% of SMEs plan to increase their cyber security investment in the next 12 months. They’re updating employee training (70%), hiring specialist staff (60%), and investing in software to identify and manage threats (54%). Are you with them?

Too often, businesses only take cyber security seriously after they’ve suffered an attack which could’ve cost them considerable amounts of money and significant reputational damage. This is our plea to you to not be one of those businesses. Speak to us today to get your free cyber security review booked in.