Part 3 of Our Series on the 2025 M&S and Co-op Cyber Incidents
In Part 2, we explored how detection speed shaped the very different outcomes of the April 2025 cyber-attacks on Marks & Spencer (M&S) and the Co-op Group. The same threat actor used similar social engineering tactics to breach both organisations. Yet, Co-op spotted the intrusion within minutes while M&S took two days to realise what was happening.
However, detection is only part of the story. What happens after you discover a breach depends heavily on your network architecture and your ability to contain an attacker’s movement. That’s where segmentation – and the ability to manage legacy infrastructure – becomes critical.
Why Segmentation Matters
Co-op’s security team described their network as “heavily segregated”, and this architecture was central to their successful response. As Co-op’s Chief Digital Information Officer, Rob Elsey, told Parliament, the attackers “were very much focused on one specific zone,” and were unable to traverse to more critical systems.
In practice, this meant:
- Online retail continued operating
- Payment systems were unaffected
- Retail stores remained open
- Core business services were isolated from the compromised zone
Because of this segmentation, Co-op could confidently shut down remote access, contain the affected area, and continue operating most of its business with minimal disruption. Even as some backend functions fell back to manual workarounds, the customer-facing impact was limited.
Elsey’s analogy was apt: segmentation acted like watertight compartments in a ship, stopping the flooding from spreading. That’s zero trust in action – not just in theory, but by design.
M&S: When Legacy Meets Lateral Movement
Contrast this with M&S. Their infrastructure, built over decades, was far more interdependent. According to M&S’s corporate affairs director, Victoria McKenzie-Gould, “it is not possible as a retailer to have completely watertight compartments between all systems”. When the attacker struck, lateral movement was possible, and to prevent further spread, M&S chose to proactively shut down much of its estate.
Even at the height of the crisis, M&S stated that more than 50% of systems were unaffected. However, the interconnectedness of services meant that stopping the threat required shutting down functions like:
- Online retail (for 46 days)
- Distribution systems
- Payment processing integrations
- Internal coordination platforms
In other words, while some systems may have been technically unaffected, they were functionally dependent on compromised components. That’s the hidden cost of legacy – when systems are designed without segmentation, your only containment option is a full shutdown.
Zero Trust Isn’t Just a Buzzword
The difference in outcomes between Co-op and M&S wasn’t due to who had better firewalls or bigger budgets. It was due to how the networks were designed, and whether they embraced zero trust principles in practice.
Zero trust architecture assumes that:
- No network segment is inherently trusted
- Access must be tightly controlled and monitored
- Identity, context, and device posture must be verified continuously
Co-op implemented zero trust structurally. Segmentation was built into the fabric of their environment, which meant they could:
- Limit attacker mobility
- Maintain business continuity
- Restore with confidence
M&S, by contrast, found themselves navigating a hybrid estate where new systems and legacy platforms coexisted, often with unavoidable dependencies. As Archie Norman, M&S Chairman, reflected, “unless you have a completely new business [architecture]… you inherit” the flaws of legacy infrastructure.
Legacy Systems: The Quiet Threat
Every large organisation has legacy IT. When left unmanaged, these systems become ticking time bombs.
M&S acknowledged that legacy systems played a central role in their risk exposure. Norman described how some platforms dated back decades, with custom interfaces, patchwork integrations, and little capacity for isolation. This created an “interconnectedness” that made targeted containment extremely difficult.
He also noted that while M&S had been investing in modernisation – including migrating away from an IBM mainframe – such transformations take years. Unfortunately, the attack came mid-journey, not at the finish line.
By contrast, Co-op’s leadership made legacy mitigation a priority. Elsey emphasised that they focused on patching what could be patched, isolating what couldn’t, and removing what was no longer supported. Their estate was continuously refreshed, modernised, and rationalised – a strategy that paid off when the breach hit.
What This Means For Security Leaders
The lesson here is not “avoid legacy”, which is impossible for most enterprises. Rather, the lesson is to treat legacy systems as inherently high risk, and design controls around that assumption.
Practical actions to consider:
1. Map Interdependencies
Know which systems rely on each other. Use application dependency mapping tools to spot hidden linkages.
2. Segment Legacy Systems
Place legacy assets in isolated network zones. Limit their access to modern systems, especially cloud-connected services.
3. Introduce Application Gateways or Proxies
Where old systems can’t be patched, sit them behind gateways that enforce modern controls.
4. Retire Redundant Tech
If systems are no longer supported or necessary, prioritise their decommissioning.
5. Use Zero Trust to Protect the Core
Don’t just build walls around the perimeter. Apply identity, access, and device verification at every critical junction, especially inside your “crown jewel” zones.
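As an added illustration of actions 1 to 3 (not from the article and not MTI’s own tooling), the following Python models a small estate as a dependency map with zone assignments, then computes which services would have to stop if one zone were isolated and which cross-zone links cause that spread. Service and zone names are constructed and hypothetical, not the real M&S or Co-op systems.

```python
from collections import deque

# Constructed sample estate: hypothetical service names and zones, not the real
# M&S or Co-op systems. service -> (zone, services it needs in order to function)
ESTATE = {
    "web-store":     ("dmz",       ["order-api"]),
    "order-api":     ("app",       ["inventory-db", "payment-gw"]),
    "payment-gw":    ("payments",  []),
    "inventory-db":  ("legacy",    ["mainframe"]),
    "mainframe":     ("legacy",    []),
    "warehouse-wms": ("logistics", ["inventory-db"]),
    "hr-portal":     ("corp",      []),
}

def dependents(estate):
    """Reverse the dependency map: service -> set of services that depend on it."""
    rev = {svc: set() for svc in estate}
    for svc, (_, deps) in estate.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(svc)
    return rev

def blast_radius(estate, compromised_zone):
    """Services that must stop if compromised_zone is isolated: everything in
    that zone plus everything transitively depending on it (BFS on reverse edges).
    Anything outside this set can keep running, as Co-op's other zones did."""
    rev = dependents(estate)
    queue = deque(s for s, (zone, _) in estate.items() if zone == compromised_zone)
    stopped = set(queue)
    while queue:
        svc = queue.popleft()
        for dependent in rev.get(svc, ()):
            if dependent not in stopped:
                stopped.add(dependent)
                queue.append(dependent)
    return stopped

def cross_zone_edges(estate, zone):
    """Dependencies that cross into `zone` from outside: the links that make
    'technically unaffected' systems functionally dependent on it, and hence the
    ones to break, proxy or gateway (actions 2 and 3) before a breach happens."""
    return sorted(
        (svc, dep) for svc, (z, deps) in estate.items() for dep in deps
        if z != zone and estate[dep][0] == zone
    )

if __name__ == "__main__":
    print("stop if legacy isolated:", sorted(blast_radius(ESTATE, "legacy")))
    print("cross-zone links into legacy:", cross_zone_edges(ESTATE, "legacy"))
```

In the constructed estate, isolating the legacy zone also takes down the web store and warehouse system, while payments and HR keep running: the same "unaffected but functionally dependent" pattern the article describes at M&S.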
Final Thought
In cyber security, no single tactic guarantees safety. However, the case of Co-op and M&S shows that network segmentation and legacy management are fundamental.
Co-op’s design choices allowed them to amputate the affected zone and preserve the rest of the body. M&S, bound by legacy and interdependency, had to shut down core services to stay alive.
The question for security leaders is simple: if a breach hit tomorrow, could you contain it within a single segment or would your entire organisation grind to a halt?
At MTI, we help organisations answer that question with confidence by designing secure, segmented architectures, mitigating legacy risks, and embedding zero trust principles at the core. Ultimately, segmentation and zero trust are not theoretical ideals, but the difference between continuity and collapse.
In Part 4, we’ll shift focus from technology to leadership, exploring how governance, retained incident response expertise, and clear ransom policies can shape not just the outcome, but how your organisation is perceived during a cyber crisis.
–
Want to understand how MTI can help your organisation strengthen segmentation, manage legacy risk, and implement zero trust? Get in touch with our team today.