The financial impact of the recent cyber incident on Marks & Spencer (M&S) and the Co-op could be as much as £440m, according to estimates by the Cyber Monitoring Centre (CMC).

In April 2025 UK retailers M&S and the Co-op both suffered a major breach. The cyber attacks not only significantly disrupted online and in-store services at both companies, but also resulted in personal customer data being stolen.

The attacks were publicly claimed by representatives of the DragonForce ransomware-as-a-service operation.

Scattered Spider, an affiliate collective, carried out the attacks using DragonForce’s tools.

CMC – an independent, non-profit body categorising major cyber events – has performed an assessment of the financial impact of the attacks.

It says it is treating the attacks as “single combined cyber event” because one threat actor claimed responsibility for both; the two events happened close together; and similar tactics, techniques and procedures were used. 

Classified as a Category 2 systemic event, CMC said the impact from this event is “narrow and deep”, having significant implications for both companies and knock-on effects for suppliers, partners and service providers.

It estimates the total financial impact across affected parties at £270m to £440m. 

This, it states, contrasts with a “shallow and broad” event like last year’s CrowdStrike event, where a large number of businesses across the economy were affected but the impact to any one company was far smaller.

CMC revealed that although both of the targeted companies suffered business disruption, data loss and costs for incident response and IT rebuild, business disruption drives the vast majority of the financial cost. 

M&S has forecast the attack could cost its business around £300m in lost operating profit in its financial year. 

CMC states that its assessment is broadly consistent with this forecast amount.

CMC’s model indicated that the financial impact of having no online sales was a loss to M&S’s business of just over £1.3m per day. This is less than the total loss in turnover as it takes into account reductions in orders, stock that can be resold later and not having to pay other variable costs. 

The estimates do not include any ransom payments as CMC said there is no evidence at this point that a ransom was paid or not paid.

The assessment does not include an incident affecting UK retailer Harrods at a similar time, with CMC citing a low level of information available about the cause and impact.

A number of major cyber attacks across the UK have impacted a variety of sectors in recent months. A cyber attack on the UK’s legal aid systems in April was able to extract a “large amount of information” relating to applicants including criminal records.