In April 2025, major UK retailers Marks & Spencer and Co-op were hit by coordinated cyber intrusions that authorities are now labeling as a “single, consolidated cyber event.” This classification comes from the Cyber Monitoring Centre (CMC), an independent nonprofit established by the insurance sector to track and assess large-scale digital threats.
According to the CMC’s evaluation, multiple indicators—such as a shared claim of responsibility by a single hacker group, synchronized timing, and the use of matching attack techniques—point to a unified operation rather than separate breaches.
The center has officially categorized the event as a Category 2 systemic disruption, suggesting serious consequences for both companies and their wider networks. Current projections estimate that the financial toll from the breaches could fall between £270 million and £440 million, equivalent to roughly $363 million to $592 million.
While another cyberattack targeting Harrods occurred around the same time, it has not been grouped with the others due to limited data on its origin and effects.
Social Engineering Behind Initial Access
The method used to infiltrate the systems at both M&S and Co-op involved social engineering, particularly attacks aimed at their IT support channels. The hackers reportedly impersonated IT personnel to manipulate staff into granting access.
Though investigations are ongoing, preliminary findings point to Scattered Spider, also identified as UNC3944, as the likely perpetrator. This group, which stems from the broader cybercrime network The Com, is notorious for using its native English-speaking members in highly convincing impersonation schemes that target internal support desks to gain unauthorized entry.
“The impact of the incident is significant but concentrated,” said a representative from the CMC, highlighting that while only two major organizations were directly affected, the ripples have reached vendors, business partners, and other third-party service providers.
U.S. Insurance Sector on High Alert
New intelligence from the Google Threat Intelligence Group (GTIG) has revealed that Scattered Spider may now be shifting its attention to major U.S. insurance firms. GTIG’s chief analyst, John Hultquist, warned that companies in the sector should prepare for similar social engineering attempts, especially targeting help desk operations and call centers.
Hultquist also noted that while the threat from Iranian cyber groups has recently been in the spotlight, actors like Scattered Spider are already executing sophisticated attacks on critical infrastructure. He predicted a rise in high-profile cyber events as such groups rotate focus across industries.
TCS and Qilin Developments
In a related development, Tata Consultancy Services (TCS) confirmed that neither its systems nor personnel were compromised during the M&S breach. Nonetheless, internal reviews are underway following reports that TCS infrastructure might have been misused as a launching point for the attack, according to a Financial Times article.
Meanwhile, the Qilin ransomware group has reportedly unveiled a new extortion strategy. In an effort to increase pressure during ransom negotiations, the group is now offering victims legal guidance. They also claim to have a dedicated team of content creators and journalists prepared to publish information and shape public narratives as part of their coercion tactics.