M&S vs Co-op: How Two 2025 Cyber-Attacks Ended So Differently

Part 1 of our series on the 2025 M&S and Co-op cyber incidents

In April 2025, two of the UK’s best-known retailers, Marks & Spencer (M&S) and the Co-op Group, were hit by cyber-attacks just days apart. The UK Parliament’s Business and Trade Sub-Committee oral evidence session on 8 July 2025 gave the public a rare and detailed insight into how both incidents unfolded and how each organisation responded.

The same adversary appears to have been behind both attacks, using near-identical social engineering techniques to gain initial access. Yet despite these similarities, the outcomes could not have been more different.

M&S endured significant operational shutdown, long-term disruption to its online business, reputational damage, and an estimated £300 million loss in profit. The Co-op, by contrast, detected the breach within minutes, contained the attacker quickly, and suffered minimal disruption to customer-facing services.

This blog is the first in a five-part series exploring the key differences between these two cases and what cyber professionals can learn from them. Over the series, we’ll cover:

  1. Detection and response speed – How minutes vs days made all the difference.
  2. Network segmentation and legacy risk – Why design and modernisation matter in containment.
  3. Governance, retained expertise, and ransom policy – The role of leadership and principle under pressure.
  4. Recovery, risk management, and reputations – Measuring the true cost of a breach.

Same Adversaries, Same Entry Point

As revealed in the hearings, both organisations were compromised through sophisticated social engineering tactics. M&S chairman Archie Norman described the breach on 17 April as stemming from “what people now call social engineering… a euphemism for impersonation”. Attackers tricked internal staff into resetting credentials for a valid user account, likely leveraging information harvested from third parties.

Just over a week later, on 25 April, Co-op suffered a remarkably similar breach. Rob Elsey, the Co-op’s Chief Digital Information Officer, stated: “They were able to impersonate a colleague and successfully answer a number of security questions to get their account reset”.

In both cases, it wasn’t firewalls or zero-day exploits that failed – it was people. The attackers bypassed the front gate by exploiting trust. This underscores a fundamental truth in cybersecurity: even well-defended perimeters can be undone by human error, especially when attackers are patient, credible, and well-prepared.

Divergence at the Point of Detection

It’s what happened after initial access that truly shaped the outcomes.

Co-op’s internal defences spotted malicious activity within minutes. Their SOC was immediately alerted by unusual account behaviour, and response measures were launched within the hour. “Our cyber-defences kicked in immediately and restricted the activities of that account,” said Elsey. A full incident management process was initiated within 24 hours, and containment actions – including VPN lockdowns and forensic analysis – were already underway that weekend.

In stark contrast, M&S did not detect the breach until two days later. The attackers gained access on 17 April, but it was only in the late afternoon of 19 April that M&S’s leadership realised something was wrong. Their first crisis meeting took place at 10 p.m. that evening. By that point, the attackers had already moved laterally through M&S’s infrastructure, entrenched themselves, and deployed ransomware.

This delay was catastrophic. As Norman put it, “Once a cyber-attack has any success… you are then in a multi-week process of systems rebuilding”. By the time M&S spotted the fire, it had already engulfed the house.
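The hearings describe the Co-op's detection only as "unusual account behaviour" after a socially engineered account reset. The following is an added illustration of one rule a SOC could run for that pattern; it is not code from M&S, the Co-op or the evidence session, and the log fields, device names and sample events are constructed for the example.

```python
# Added example (not code from M&S, the Co-op or the hearings): flag a
# helpdesk-initiated password reset followed shortly by activity from a device
# the account has never used. Log fields and sample events are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, event type, account, source device)
SAMPLE_EVENTS = [
    ("2025-04-20T08:00:00", "login", "carol", "GB-laptop-0905"),
    ("2025-04-24T08:15:00", "helpdesk_reset", "carol", "servicedesk"),
    ("2025-04-24T08:20:00", "login", "carol", "GB-laptop-0905"),  # genuine reset, known device
    ("2025-04-25T09:00:00", "login", "alice", "GB-laptop-0412"),
    ("2025-04-25T14:02:10", "helpdesk_reset", "alice", "servicedesk"),
    ("2025-04-25T14:09:45", "login", "alice", "NL-unknown-host"),  # never seen for alice
    ("2025-04-25T14:11:02", "vpn_connect", "alice", "NL-unknown-host"),
    ("2025-04-25T14:30:00", "login", "bob", "GB-laptop-0777"),
]

RESET_WINDOW = timedelta(hours=2)  # how long after a reset the account is treated as sensitive


def detect_reset_then_novel_access(events, window=RESET_WINDOW):
    """One alert per post-reset event from a source the account has not used before.

    Known sources are learned only from unflagged activity, so once a device is
    flagged every further action from it keeps alerting rather than being learned.
    """
    known_sources = defaultdict(set)  # account -> devices seen in clean activity
    last_reset = {}                   # account -> time of most recent helpdesk reset
    alerts = []
    for ts, kind, account, source in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "helpdesk_reset":
            last_reset[account] = t
            continue
        reset_at = last_reset.get(account)
        in_window = reset_at is not None and t - reset_at <= window
        if in_window and source not in known_sources[account]:
            alerts.append({"account": account, "event": kind, "source": source,
                           "minutes_after_reset": int((t - reset_at).total_seconds() // 60)})
        else:
            known_sources[account].add(source)
    return alerts


def accounts_to_restrict(alerts):
    """Accounts whose activity should be restricted pending investigation."""
    return sorted({a["account"] for a in alerts})
```

On the constructed sample, carol's genuine reset produces no alert because her next login comes from a device she already used, while alice's reset is followed by a login and a VPN connection from an unseen host within minutes, which is the signal that lets the account be restricted before lateral movement.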

When Speed Meets Segmentation

A second factor in the Co-op’s successful defence was network architecture. Their systems were heavily segmented – part of a broader zero trust strategy. “This was very much focused on one specific zone,” said Elsey. Critical services like online retail and payments were kept on separate infrastructure, insulated from the breach. Even when parts of the back-end were paused, core operations continued uninterrupted.

At M&S, legacy systems and tightly coupled infrastructure meant that to contain the threat, the organisation had to bring down broad swathes of their environment. Online shopping was suspended, distribution halted, and even in-store systems partially reverted to manual modes. Although M&S claimed that over 50% of systems were unaffected, the interdependencies made targeted containment difficult.

Different Cultures, Different Trajectories

While detection speed and segmentation are technical factors, organisational culture played a decisive role too.

Co-op had regularly rehearsed cyber incidents at both board and technical levels. War games, crisis simulations, and red team testing were all part of their routine. So, when the real thing hit, they weren’t improvising – they were enacting a well-rehearsed playbook.

Elsey noted that the most useful preparation wasn’t just technical – it was practising how to make decisions under pressure. Staff at distribution centres swiftly reverted to manual processes; funeral services kept operating with paper-based systems; critical priorities were triaged in real time.

M&S had also increased its cyber investment, tripling headcount and doubling spend in recent years. But the hearings suggested that readiness on paper did not fully translate into effectiveness in practice. The attack’s scale overwhelmed even these increased resources. Staff described the incident as “traumatic,” with some sleeping only a few hours a night as systems were rebuilt.

The Bigger Picture for IT Departments

These contrasting outcomes underscore the importance of bridging three critical cyber pillars: detection, response, and resilience. For IT teams in both the public and private sectors, the insights from these incidents provide a clear roadmap for improvement.

  1. Fast Detection Changes the Game

   Sophisticated attackers exploit every minute they remain undetected. Deploying tools like behavioural analytics and real-time anomaly detection can dramatically shorten response times.

  2. Preparation is Non-Negotiable

   Incident response needs to be a practised skill, not an abstract policy. This includes running red-team simulations, stress-testing recovery plans, and rehearsing crisis communications.

  3. Infrastructure Matters

   Legacy systems and poorly segmented networks are liabilities. Investing in zero trust principles and micro-segmentation provides a powerful safeguard, limiting the damage cyber-attacks can inflict.

  4. Cybersecurity is Cultural

   At the Co-op, the organisation-wide mindset assumed breaches were inevitable and placed trust in processes designed to mitigate them. This cultural perception of cybersecurity as everyone’s responsibility, and not just IT’s, was a game-changer.

If you’re looking to strengthen your own defences and uncover hidden vulnerabilities before attackers do, MTI’s cybersecurity assessments can help you see exactly where you stand – and how to get ahead of the next threat.

What’s Next in the Series?

This blog is just the beginning. Over the course of the series, we’ll break down the key areas IT professionals must focus on to build better resilience. Each post will examine one aspect in detail, such as detection speed, the technical and organisational costs of legacy systems, and strategies for transparency during incident response.

Next in the series: In Blog 2, “Speed vs Delay – How Co-op’s Fast Detection Saved the Day”, we’ll take a closer look at how detection speed shaped both incidents, and what it tells us about building a truly capable monitoring and response function.