In April 2025, two of the UK’s most recognized retail brands — Co-op and Marks & Spencer — found themselves in the cybersecurity spotlight, both experiencing serious disruptions caused by cyber threats. While one incident was a full-blown cyberattack and the other a successful attempt that forced proactive action, both sent a powerful message to the retail and security communities alike: no organization is too traditional, too big, or too “offline” to be a target.
What Happened?
Let’s start with the Co-op. On April 29, the company confirmed that it had shut down parts of its internal IT systems after detecting a potential cyberattack. This wasn’t just a precautionary firewall tweak — the disruption affected business services, including remote access for employees and access to internal systems. While Co-op acted quickly and no customer-facing services were compromised, it was a clear sign of how fast threats can reach core business operations.
Just days earlier, Marks & Spencer (M&S) was hit by a much more visible cyberattack. Customers reported broken payment systems, website downtime, and stock-level chaos in stores. The attack was widespread enough to impact their online ordering platform and resulted in a dip in their share price. It was a stark reminder that even companies with robust digital infrastructure can be vulnerable to well-executed breaches.
A Pattern Emerging?
What makes these two events so concerning isn’t just the timing — it’s the potential coordination. The UK’s National Cyber Security Centre (NCSC) is investigating whether the attacks may be linked, possibly signaling a targeted campaign against major British retailers. If that’s the case, this goes beyond opportunistic hacking and edges into the territory of organized cybercrime or even state-backed economic disruption.
Lessons in Vulnerability
As security professionals, we often focus on critical infrastructure, fintech, and healthcare as prime cyber targets — but the retail sector is just as exposed, often with more sprawling, legacy systems to protect. Here are a few takeaways worth considering:
- Legacy Tech Is a Liability
Retailers often rely on a mix of old and new tech. When systems aren’t patched regularly or integrated securely, they become soft targets for exploitation. - Proactive Response Pays Off
Co-op’s decision to shut down affected systems quickly may have prevented a worse breach. Having a clear incident response plan in place before a breach is what separates a smart defense from a PR disaster. - Visibility Is Critical
Tools like SIEM, EDR, and XDR aren’t just for show — they help security teams catch early signals before attackers get too deep. The earlier the detection, the lower the impact. - Consumer Trust Is Fragile
For companies like M&S, even a few hours of downtime can lead to significant losses — not just financially, but in reputation. Transparency and communication during an incident are essential.
How Companies Can Get Ahead
If you’re managing cybersecurity for a retail (or similar) environment, now is the time to review your security posture. Here’s a quick checklist:
- ✅ Are your patching and update processes automated and enforced?
- ✅ Have you recently tested your incident response plan end-to-end?
- ✅ Are you monitoring for unusual activity across all endpoints, especially legacy ones?
- ✅ Is there clear coordination between IT, security, and business continuity teams?
If the answer to any of these is “I think so,” it’s time to dig deeper.
Looking Ahead
We’ll likely hear more details about the Co-op and M&S attacks in the coming weeks — and whether they were indeed connected. But we don’t need to wait for a headline to take action. The retail sector is on the front lines of cybersecurity risk, and incidents like these are only going to increase in complexity and frequency.
If you’re a cybersecurity practitioner: stay alert, keep learning, and don’t wait for the breach to get serious about your defenses.
And if you’re a consumer? Give a little grace — behind the checkout screen, there’s a war going on you can’t see.
Shreeya Naik 