M&S and Co-op: What we know weeks after cyber attacks

STV News

12-05-2025

Weeks on from the cyber attack that hit several major British retailers, many are still unable to return to normal operation and are unwilling to estimate when everything will be repaired.
On Friday, 25 April, M&S halted online orders after it reported being a victim of a cyber attack.
Just under a week later, the Co-op revealed it was also the victim of an attempted hack and that several of its services had been impacted. Luxury retailer Harrods was also affected.
Now, more than two weeks on from the original hack, M&S still cannot process sales online, and Co-op has only just managed to get its shelves stocked.
They are also declining to offer any timeline on when things may return to normal.
Cabinet Office minister Pat McFadden said the wave of attacks on UK businesses should be a 'wake-up' call for the industry.
What have we learned since the attack?
Although M&S and Co-op have not released much information about the attacks, it is becoming clear that it was not a small incident.
It has been estimated that each day their website is offline, M&S loses £3.5 million. Half a billion pounds has also been wiped off its share price.
Co-op also said the data of a significant number of their customers had been stolen, and they had issues with taking card payments.
ITV News learned that in the wake of the attack, loyalty cards, handheld scanners and apps used to report security incidents in M&S stores were all impacted. Numerous products have been taken offline as a result of the hack. / Credit: PA
Reports emerged claiming that a hacking group known as Scattered Spider was behind the attack.
The group is notorious in the online criminal world for targeting large companies and breaching their data.
It is believed the attackers used a piece of ransomware called Dragonforce to cripple the system.
Cyber security expert Graham Cluley told ITV News: 'Attacks involving the DragonForce ransomware usually start with exploitation of known vulnerabilities – often involving corporate systems that have not been kept up-to-date with the latest security patches, or because they have not been configured properly.'
Tech specialist website BleepingComputer reported that hackers tricked Co-op and Marks & Spencer IT help desk workers into gaining access to the companies' systems.
It is believed they used a method known as sim-swapping to steal a person's phone number and other key pieces of data in order to effectively impersonate someone and give businesses access to their account.
Scattered Spider has used this tactic in the past.
It is believed that once they had enough access, they used M&S's Active Directory, a Microsoft product that connects internal networks and stores information.
Cyber security expert, Professor Alan Woodward, told ITV News: 'Active Directory is a Microsoft product, which allows you to log in once and access all the systems.
'There's a suggestion that they managed to get in and get one of the files out of there, which contains passwords, etc. Empty shelves inside a Marks & Spencer days after the attack. / Credit: PA
'They probably wouldn't have been able to get the passwords out of the file, but if they could get in that far, then they could probably do something to mess up the network.'
Industry expert Sam Kirkman from cybersecurity firm NetSPI said the hackers had likely gained access to M&S's core systems which means they can 'cripple multiple areas of a business at once, maximising their impact and making it very difficult to recover without extensive rebuilding of key IT systems – which takes time.'
It is believed that one of the reasons both M&S and Co-op are taking so long to get their services back to normal is that they have not paid the ransom demanded by the hackers, which is the advice of the UK government.
What are the businesses saying?
Not much. When ITV News contacted M&S, it said it had no new update about when all of its services would return to normal.
The last update from M&S was 10 days ago when their CEO, Stuart Machin, said in a statement they were working 'day and night' to restore their services.
This is despite the fact that it has been almost three weeks since they disabled online orders on their website.
If you try and order an item of clothing from M&S's website, it just says: 'We have paused online orders. Products remain available to browse online and stores are open.'
Co-op told ITV News all of their stores were receiving deliveries as of Monday morning.
But they did say: 'Some of our stores might not have all their usual products available and we are sorry if this is the case for our members' and customers in their local store. We are working around the clock to reduce disruption and are pleased to have resumed delivery of stock to our shelves.'
Local media and social posts online have shown both Co-op and M&S shelves empty with apology notices saying they had issues with stock delivery.
Get all the latest news from around the country Follow STV News
Scan the QR code on your mobile device for all the latest news from around the country