Part 2 of our series on the 2025 M&S and Co-op cyber incidents
In Part 1, we looked at how two of the UK’s best-known retailers, Marks & Spencer (M&S) and the Co-op Group, suffered cyber-attacks within days of each other in April 2025. The same threat actor appears to have used almost identical social engineering tactics to gain access to both organisations.
Yet, the outcomes could not have been more different. M&S faced weeks of disruption and an estimated £300 million loss. During the Co-op data breach, however, the threat was contained quickly and core operations were kept running. One of the biggest differences? Detection speed.
A Game of Minutes vs. Days
At Co-op, the breach began when attackers impersonated a staff member and convinced IT support to reset their credentials – a classic but highly effective social engineering tactic. Before the attackers could do much damage, Co-op’s internal monitoring systems had already raised the alarm.
“We saw that a normal user account was suddenly behaving maliciously,” said Rob Elsey, Co-op’s Chief Digital Information Officer. “Our cyber-defences kicked in immediately and restricted the activities of the account”.
That phrase “immediately” speaks volumes. Co-op’s Security Operations Centre (SOC) flagged the abnormal behaviour almost as soon as it occurred. Within 24 hours, they had locked down compromised accounts, initiated remote access restrictions, and activated their incident response processes. By the time the weekend arrived, their internal crisis team had convened, investigations were underway, and the threat was contained.
Compare that with M&S. The attackers infiltrated their environment on the 17th April. According to Archie Norman, M&S’s Chairman, “it became evident to us in the late afternoon of the 19th April that they were in the system”. That’s two full days of silent lateral movement – enough time for the attacker to map systems, escalate privileges, and prepare for a major ransomware payload.
By the time M&S held its first crisis meeting at 10pm on the 19th April, it was already too late to stop the attacker’s progress. What followed was a multi-week process of containment, recovery, and rebuild – including 46 days of suspended online operations and an estimated £300 million impact on profits.
The Value of Early Detection
This stark contrast isn’t simply down to luck. Rather, it reflects the critical role of real-time monitoring, behavioural analytics, and automated alerting in modern cyber defence.
Co-op’s success in detecting malicious activity quickly suggests the presence of:
- Advanced User and Entity Behaviour Analytics (UEBA)
- A 24/7 Security Operations Centre
- Effective baseline monitoring for ‘normal’ vs. ‘abnormal’ user activity
- A team empowered to act without bureaucratic delay
Contrast this with M&S, where the attackers had two unchallenged days inside the network. In the current threat landscape, that’s an eternity. Time is key for threat actors – the longer they remain undetected, the more damage they can do.
From Alarm to Action
Detection speed is one thing, but decisive action is another.
At Co-op, once the alert was triggered, the cyber team didn’t waste time validating. Instead, they initiated containment, escalated internally, and brought in pre-contracted forensic partners by Day 2. This allowed for a parallel response – internal teams secured operations while external experts dissected the incident and advised on next steps.
This fast mobilisation is a hallmark of a well-rehearsed incident response plan. It indicates that the team not only had the right tools in place, but also the authority, processes, and muscle memory to act fast and effectively. As Elsey testified, they’d practised this scenario before – and it showed.
At M&S, there was no indication of any real-time alert. Detection relied more on pattern recognition in the broader environment than on behavioural triggers from a specific account. Plus, while M&S also had incident response partners, the evidence suggests those engagements came after the initial damage was done. Without early detection, even the best responders can only triage the aftermath.
The Cost of Delay
Let’s quantify the consequences of this timing gap:
- M&S suffered prolonged online outages, system rebuilds, reputational harm, and intense operational stress across stores and support teams.
- Co-op experienced no downtime to its online retail or payment systems, continued serving customers, and was largely back to business-as-usual within days.
Time wasn’t just money in these scenarios – it was the difference between a controlled incident and a public crisis.
As M&S themselves admitted: “Once a cyber attack has any success, you are then in a multi-week process of systems rebuilding”. That’s the brutal truth of ransomware: if you don’t catch it early, you will be rebuilding for weeks to come.
Lessons for Security Leaders
- Invest in detection, not just defence
Perimeter security will fail. Detection systems – especially those focused on behavioural anomalies – are your early warning system.
- Automate where possible
Detection is only useful if it triggers a response. Automate policy-based account lockouts, privilege reductions, and alert escalations to cut through the noise.
- Rehearse the first 24 hours
You won’t have days to deliberate. Train your SOC, IT, legal, and communications teams on how to act immediately upon credible alerts.
- Empower the right people
Again, detection is only effective if those receiving the alerts have authority to act. Remove bottlenecks between detection and containment.
- Measure mean time to detect (MTTD)
Track your average detection time. If it’s measured in hours, you’re in a good place. If it’s days – you’ve got work to do.
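As an added illustration of the behavioural baseline, automated account restriction and MTTD measurement described in the lessons above, here is a small detector written for this article (it is not Co-op’s or M&S’s tooling; the log format, the 30-minute window, the three-host threshold and the response actions are assumptions). It replays the Co-op pattern: a helpdesk credential reset followed by an account reaching hosts it had never touched before.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, user, event, host.
# Two quiet days establish a baseline; then a helpdesk reset is followed by
# the same account logging in to hosts it has never used before.
EVENTS = [
    ("2025-04-20 09:00", "jdoe", "login", "WS-042"),
    ("2025-04-20 09:05", "jdoe", "file_access", "FS-HR"),
    ("2025-04-21 09:01", "jdoe", "login", "WS-042"),
    ("2025-04-21 09:07", "jdoe", "file_access", "FS-HR"),
    ("2025-04-22 14:00", "jdoe", "password_reset", "HELPDESK"),
    ("2025-04-22 14:03", "jdoe", "login", "VPN-GW"),
    ("2025-04-22 14:05", "jdoe", "login", "DC-01"),
    ("2025-04-22 14:06", "jdoe", "file_access", "FS-FINANCE"),
    ("2025-04-22 14:08", "jdoe", "login", "BACKUP-01"),
]

NEW_HOST_THRESHOLD = 3          # assumed: unseen hosts after a reset that raise an alert
WINDOW = timedelta(minutes=30)  # assumed: how long after a reset the account is watched

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def detect(events, baseline_days=1):
    """Return (alert_text, mttd_minutes, response_actions).

    Baseline = hosts each user touched more than `baseline_days` before the
    newest event. After a password reset, reaching NEW_HOST_THRESHOLD hosts
    absent from the baseline within WINDOW triggers automated restriction.
    MTTD is measured from the first out-of-baseline action to the alert.
    """
    events = sorted(events, key=lambda e: parse(e[0]))
    cutoff = parse(events[-1][0]) - timedelta(days=baseline_days)
    baseline = defaultdict(set)
    for ts, user, _, host in events:
        if parse(ts) < cutoff:
            baseline[user].add(host)
    reset_at, first_anomaly, new_hosts = {}, {}, defaultdict(set)
    for ts, user, event, host in events:
        t = parse(ts)
        if event == "password_reset":
            reset_at[user] = t  # start the post-reset watch window
            continue
        if user in reset_at and t - reset_at[user] <= WINDOW and host not in baseline[user]:
            new_hosts[user].add(host)
            first_anomaly.setdefault(user, t)
            if len(new_hosts[user]) >= NEW_HOST_THRESHOLD:
                mttd = (t - first_anomaly[user]).total_seconds() / 60
                actions = ["disable_account", "revoke_sessions", "page_soc"]
                return (f"{user}: {len(new_hosts[user])} unseen hosts after reset", mttd, actions)
    return (None, None, [])
```

Tuning the threshold and window against your own baseline data is the real work; too tight and the helpdesk generates false alarms, too loose and the attacker gets the two days M&S lost.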
Final Thought
The 2025 Co-op and M&S breaches may well have involved the same threat group. However, as we have seen, the results were anything but similar. Co-op detected and reacted within minutes, emerging largely unscathed. M&S spotted the breach two days late, and paid the price.
For those leading cyber security functions, the message is clear. In the case of a cyber incident, time is the single most valuable asset you have. The faster you detect, the more options you retain – and the greater your chances are of salvaging your systems.
Turning those lessons into practice is often easier said than done. That’s why many organisations rely on trusted partners to strengthen detection and response. At MTI, we work with enterprises to design, deploy, and manage real-time monitoring, 24/7 SOC services, and incident response readiness – ensuring that when minutes matter, your teams are ready.
What's Next In The Series?
In Part 3, we’ll be looking at another decisive factor: how network segmentation and legacy infrastructure shaped the impact of each attack, and why architecture matters just as much as detection speed.