Part 5 of Our Series on the 2025 M&S and Co-op Cyber Incidents
The aftermath of a cyber-attack is where the true scale of its impact is revealed. While headlines often focus on the initial disruption, the deeper costs – financial, operational, reputational, and cultural – can shape an organisation’s trajectory for years to come. For IT and security leaders, understanding these costs is critical to driving smarter, proactive investments in resilience.
In Part 4 of our series, we examined how governance, incident response retainers, and clear ransom policies influenced the management of the April 2025 cyber-attacks on Marks & Spencer (M&S) and the Co-op Group. The same attacker used near-identical social engineering tactics to breach both retailers, yet the differences in leadership readiness and principled decision-making were stark.
In this final post of our five-part series – drawing on insights from the Parliamentary hearings held on 8 July 2025 – we look at what happened after the attackers struck. Same threat actor, same initial tactic, but very different outcomes. Their contrasting recovery journeys reveal important lessons about cyber resilience, recovery readiness, and the lasting price of delay.
The Financial Fallout
M&S was unequivocal in its estimate: the attack would cost £300 million in lost operating profit. That figure reflects six weeks of frozen online operations, which typically account for around a third of M&S’s £11+ billion in annual turnover, as well as the wider disruption to fulfilment centres, logistics, and internal.
Chairman Archie Norman explained to the committee that the £300m impact did not include recoveries through insurance, which M&S expected to pursue. The company had wisely doubled its cyber insurance coverage in 2024, calling it a “prescient” move. Despite this, Norman noted that insurance claims of this scale can take up to 18 months to settle. For now, the cost is real and immediate.
In contrast, Co-op did not disclose a specific financial figure. However, the difference was plain: no systems were encrypted, online services stayed live, and stores remained open. The impact was largely confined to manual workarounds in distribution and internal functions, rather than lost sales or widespread outages. Co-op accepted some operational inefficiency but avoided large-scale financial loss. That alone is a profound return on its investment in detection, segmentation, and preparedness.
People, Pressure, and Productivity
The cost of a cyber-attack reaches well beyond the balance sheet. The energy and wellbeing of the teams involved must be counted too.
M&S described the experience as “traumatic”. IT staff, engineering teams, and frontline employees worked under extreme pressure for weeks. Some slept only a few hours a night, and thousands were affected by the scramble to recover. Staff in stores had to revert to paper-based processes, using calculators at tills, handwriting receipts, and manually verifying transactions. All this while dealing with customer confusion and media scrutiny.
It wasn’t just exhausting; it was unfamiliar. In many cases, staff had never used these processes or had last encountered them decades earlier. M&S leadership admitted that while the business kept trading, the disruption was significant, and morale took a hit.
At Co-op, there was still disruption, particularly in the food distribution network and funeral care services. However, the difference lay in readiness. Co-op’s staff had practised manual fallback processes as part of regular business continuity planning. Distribution centre employees knew how to revert to pen and paper, and critical operations continued, albeit more slowly.
The Co-op team spoke openly about the pressure their colleagues faced, but they also spoke about team cohesion, calmness, and confidence. It was still a tough weekend, but it didn’t spiral into burnout or chaos.
Reputational Risks and Communication
Perhaps the most visible cost of a breach is reputational. Again, the two retailers diverged in this area.
M&S’s attack was front-page news. It dominated headlines for weeks. The attackers even contacted the BBC directly to confirm the breach and boast about the disruption they had caused. The optics of a beloved British high street brand being taken offline were powerful. For customers, this was about both convenience and trust. Even though M&S reported no evidence of mass data theft, the sheer scale of the shutdown shook public confidence.
To its credit, M&S communicated carefully and cooperated with authorities. However, its refusal to comment on key questions – notably whether a ransom was paid – left space for speculation. In the vacuum, reputational damage grew. The incident is likely to remain a case study for the risks of limited transparency, even when well-intentioned.
By contrast, Co-op controlled its narrative. It updated members directly. It shared indicators of compromise with peers in the sector. Its leadership spoke openly in Parliament and confirmed without hesitation that no ransom was paid, and no engagement occurred with the attackers. Co-op’s approach may not have made headlines, but it inspired confidence and showed what transparency looks like under pressure.
Insurance vs Internal Investment
M&S had cyber insurance. Co-op did not.
M&S expected its policy to help recover some of the financial losses, though it would take time. Unfortunately, insurance didn’t prevent disruption. It didn’t shorten recovery time, and it didn’t reduce reputational harm.
Co-op, by contrast, took a deliberate decision not to insure against cyber risk. Instead, it invested in internal capability: a retained incident response partner, mature governance processes, and a modernised infrastructure. That choice paid off. With no ransomware deployed and minimal business impact, it had little need for insurance anyway.
This comparison prompts a critical reflection: should we prioritise recovery mechanisms, or prevention and containment? The Co-op’s experience suggests that resilience often delivers a better return than transfer of risk.
Measuring the True Cost
When cyber professionals discuss breach impact, we tend to focus on figures – recovery costs, legal exposure, lost revenue. But the hearings made clear that the true cost includes much more:
- Trust: How do customers and stakeholders view your brand after an incident?
- Time: How long did it take to detect, respond, rebuild, and resume?
- People: What toll did it take on employees, leadership, and service teams?
- Control: Were you reacting to events, or directing them?
On all these counts, Co-op emerged more resilient. The same adversary used the same tactics, but because Co-op detected the breach quickly, segmented its systems, rehearsed its playbooks, and acted decisively, it recovered fast and retained control. M&S, while serious and responsible throughout, learned many of those lessons during the crisis – rather than before it.
Final Thought: Fortune Favours the Prepared
The contrasting experiences of Co-op and M&S underscore a vital truth – recovery costs are not fixed. They vary dramatically depending on how well organisations prepare, respond, and invest in resilience. A proactive approach to cyber defence doesn’t just reduce the likelihood of attacks; it mitigates their downstream impacts when they inevitably occur.
Resilience Investments Worth Prioritising
- Human Readiness: Upgrade workforce-wide training on resilience to include fallback processes and adaptive team strategies.
- Cyber Insurance Optimisation: Ensure policies not only cover financial losses but provide access to recovery resources promptly.
- Transparent Governance: Embed clear crisis communication plans alongside defined decision protocols for handling tough questions.
Ultimately, the Co-op’s response emphasises that resilience isn’t about avoiding impact entirely – it’s about controlling its scope, duration, and repercussions.
Building a Resilient Future
Cyber-attacks test organisations on every level, from IT infrastructure to leadership priorities. By framing resilience as an investment rather than a cost, IT departments can equip their organisations not just to recover, but to recover well – retaining trust, operational integrity, and cultural strength along the way.
The Co-op and M&S offer two paths: one defined by preparation, the other by hard lessons learned. The choice lies in the steps organisations take now to strengthen their operational, technical, and human ecosystems.
Will your organisation thrive under pressure or buckle under its weight? The answer depends on what you do today.
As this series has shown, resilience isn’t built during the incident – it’s cultivated long before it begins. The organisations that recover best are those that invest early in understanding their risks, rehearsing their response, and ensuring that detection, containment, and recovery are second nature.
That’s where MTI can help.
With over 30 years of cyber security expertise, a 24/7/365 UK-based Security Operations Centre, and as a founding member of CREST, MTI supports organisations across the entire cyber resilience lifecycle – from consult and assess, through to fully manage and continuously enhance.
Whether you’re defining where you stand today or building a roadmap to where you need to be, MTI’s end-to-end services – covering vulnerability and risk management, monitoring and incident management, and data protection and recovery – help you anticipate threats, respond effectively, and recover with confidence.
Resilience isn’t a one-time project; it’s a continuous practice. Partner with MTI to turn that practice into a competitive advantage – get in touch today.