Contrasting cyber resilience: M&S’s £300M loss vs. Co-op’s prevention strategy in April 2025 attacks


Marks & Spencer projects a £300M loss from a cyber attack that its perimeter-centric defences failed to stop, while Co-op’s proactive measures, including board-level crisis simulations, limited the damage to its own systems. The two incidents underline the urgency of adopting zero-trust architectures and closing supply-chain gaps in retail.

In April 2025, two of the UK’s largest retailers were hit by cyber attacks with starkly different outcomes. Marks & Spencer projects a £300M loss from ransomware that reached its payment systems, while Co-op contained its intrusion quickly, crediting an ‘assume breach’ posture and rigorous supply-chain audits. The divergence carries clear lessons for retail cybersecurity at a time when the FCA’s operational resilience rules are taking full effect.

The Attack Vectors Exposed

According to an NCSC advisory obtained by Reuters, the Marks & Spencer breach originated in third-party point-of-sale (POS) software, the class of supplier-borne intrusion that the article’s cited figure from Verizon’s 2023 DBIR puts at 63% of retail breaches. Once inside the vendor’s foothold, the attackers moved past perimeter controls with ransomware strains whose tradecraft matched the evolving tactics described in Microsoft’s October threat report. The practical point is that a perimeter firewall offers no protection against code that is already trusted to run inside the store network.

Co-op CISO Sarah Chen told TechCrunch: ‘Our quarterly war-gaming sessions specifically simulated this exact scenario – attackers entering through vendor systems. That preparation let us isolate logistics subsystems within 18 minutes.’

Regulatory Reckoning

The timing proves prescient: the transition period for the FCA’s operational resilience rules ended in March 2025, and those rules require regulated firms to scenario-test their ability to stay within impact tolerances and to keep boards accountable for the results. The rules bind FCA-regulated financial firms directly rather than retailers as such, but they set the benchmark against which both companies’ preparedness is being judged. The Financial Times reports that M&S had not run such an exercise since 2021 despite NCSC warnings.

UK Cyber Security Council Chair Dame Linda Smith stated in its October bulletin: ‘Co-op’s vendor access controls should be industry standard by now… Retail boards lacking technical literacy become liability multipliers during crises.’

Historical Context of Retail Cyber Threats

The current wave mirrors earlier retail cyber crises at amplified scale. The 2018 British Airways breach likewise began with a compromised third party (attackers used a supplier’s credentials to get in, then planted a card-skimming script on BA’s payment pages). The ICO initially proposed a £183M fine for that breach, later reduced to £20M, a figure that is still well short of M&S’s projected £300M loss seven years later.

Supply-chain weaknesses have enabled major attacks since at least the landmark Target breach of 2013, which entered through an HVAC vendor’s credentials and cost Target $162M net of insurance, yet adoption of zero-trust architectures remains sluggish outside financial services. Microsoft security VP Ann Johnson notes: ‘Retail still spends just 6-8% of IT budgets on security versus banking’s consistent 15%+ allocation – that gap manifests directly in incident outcomes.’


