Published by Global Banking & Finance Review®
Posted on May 6, 2025
3 min readLast updated: January 24, 2026
Cyberattacks on M&S and Co-op involved hackers impersonating employees to reset passwords via IT help desks, causing significant disruptions.
LONDON (Reuters) -Cyberattacks on Britain's Marks & Spencer and Co-op Group started with hackers impersonating employees while contacting the retailers' IT help desks, technology specialist site BleepingComputer reported.
The site said the hackers were able to convince the help desks to reset the impersonated employees' passwords so they could gain access to the network.
It said this is why Britain's National Cyber Security Centre has recommended that all companies review their help desk processes to detect and block these types of breaches.
"Criminal activity online – including, but not limited to, ransomware and data extortion – is rampant. Attacks like this are becoming more and more common. And all organisations, of all sizes, need to be prepared," Jonathon Ellison and Ollie Whitehouse, respectively national resilience director and chief technology officer at Britain's cyber security centre, said in a joint blog post.
Both M&S and the Co-op declined to comment on the BleepingComputer report.
Shares in M&S were down 4% on Tuesday, extending losses since it first disclosed the cyber incident on April 22 to 12%.
On April 25, M&S stopped taking clothing and home orders through its website and app.
It has not said when online ordering will resume, while the availability of some food products has also been affected. It has also not disclosed the financial impact.
Analysts at Deutsche Bank estimate a profit hit of about 30 million pounds ($40 million) so far and the run rate at about 15 million pounds a week, given the knock-on effect on food.
They said cyber insurance would likely cover most of the 30 million pounds but that cover is generally for a limited amount of time.
"The biggest costs from a cyber attack is usually the cost of lost business and, if sensitive consumer data is compromised, any fines and loss of reputation," they said.
Other expenses include immediate remediation with external cyber security and IT technology partners and future-proofing the business.
The disruption could last for weeks.
Ciaran Martin, the former CEO of the National Cyber Security Centre told Reuters that, after such a serious attack, the length of the recovery period at M&S was not unusual so far, given the need to rebuild computer networks.
Last week, a group calling itself DragonForce told the BBC it had stolen the data of staff and potentially 20 million customers from the Co-op and was also behind attacks on M&S and London department store Harrods.
BleepingComputer, citing multiple sources, had previously said the attack on M&S was believed to have been conducted by a hacking collective known as "Scattered Spider" deploying DragonForce ransomware.
The National Cyber Security Centre said it could not say if the attacks were linked.
($1 = 0.7526 pounds)
(Reporting by James Davey; editing by Barbara Lewis)
The cyberattacks started with hackers impersonating employees while contacting the retailers' IT help desks to reset passwords.
Analysts estimate a profit hit of about 30 million pounds so far, with a run rate of about 15 million pounds a week due to the disruption.
The National Cyber Security Centre recommended that all companies review their help desk processes to detect and block these types of breaches.
The disruption could last for weeks, according to experts.
A group calling itself DragonForce claimed to have stolen data from Co-op and was also behind attacks on M&S.
Explore more articles in the Headlines category
