After M&S and Co-op’s cyber hacks, who’s next?
The grocery sector is under siege, or so it seems.
In the space of a week, two of the UK’s most recognised supermarkets – M&S and Co-op – have fallen victim to significant cyber attacks, disrupting operations, triggering consumer unease and forcing many across the sector to ask a pressing question: who might be next?
While cyber threats are hardly new to retail, the speed, scale, and successive nature of these recent attacks have amplified concerns about the sector’s preparedness, particularly when customer loyalty data, online infrastructure and third-party systems form such a critical part of supermarkets’ daily operations, making them “soft targets”.
We sat down with a cyber legal expert, law firm Walker Morris regulatory and compliance team partner, Andrew Northage, to discuss the shockwaves these attacks have sent through the grocery sector, why cybercrime is retail’s silent crisis, and which grocers could be next.
M&S: From transparency to turmoil
Marks and Spencer (M&S), while initially widely praised in the early hours of its crisis for a “proactive and transparent” response, is now learning how fast-moving cyber fallout can outpace corporate communication.
Last week, its CEO was quick to reassure the public that business was “back to normal”. The message landed well among the public on social media, who applauded the speed of the statement, and its honesty.
But within days, those promises had to be scaled back. Click & collect and online orders were suspended. Gaps appeared on shelves. Warehouses were disrupted and staff sent home. Remote-working employees were locked out of internal systems. And perhaps most damning in the eyes of the market: over £700 million was wiped off M&S’s value in under a week.
According to Andrew Northage, these cascading effects reveal the true core of modern cybercrime: A successful attack can compromise logistics, marketing, staffing, customer trust, and investor confidence – all in one fell swoop.
Co-op: the customer data risk
Meanwhile, the Co-op’s breach took a different but no less worrying form: the compromised security of its 20 million Co-op members’ personal data.
Last week, a spokesperson for the business, which consists of 2500 supermarkets, 800 funeral homes, an insurance division and around 70,000 staff, said that the attack had exposed “data relating to a significant number of our current and past members”.
Yet, while Co-op has reassured the public that there was “no evidence that customer data was compromised”, the anonymous group behind the attack reportedly alerted the BBC late last week that it had accessed more data than Co-op had declared.
Speaking to the publication, the hackers said: “Hello, we exfiltrated the data from your company. We have customer database, and Co-op member card data.”
Ransomware group DragonForce then allegedly sent the BBC a sample of 10,000 customers’ data including Co-op membership card numbers, names, home addresses, emails and phone numbers, sharing databases with the title that included the usernames and passwords of all employees.

With most major UK grocers now owning loyalty systems containing customer data, cyber security for UK supermarkets is more important than ever to protect the public.
While the convenience giant has yet to publicly disclose the full details, the claim that personal data had been accessed is a red flag to consumers and regulators alike.
With so many supermarkets now holding expansive databases tied to loyalty cards, shopping habits, and even facial recognition systems in-store and at self-checkouts, the potential fallout from data loss is significant. These aren’t just shopping receipts, they’re digital profiles of consumer behaviour.
“Supermarkets aren’t soft targets because they’re careless,” says Northage. “They’re soft targets because of how much they hold and how much we rely on them. That alone makes them highly attractive to hackers.”
The third-party weak link
It’s not just in-house systems at risk. The attack on Blue Yonder, a major software supplier to Sainsbury’s and others, is still fresh in many minds.
The incident saw companies’ IT systems across the world go down, and in the UK, supermarkets such as Morrisons faced turmoil as they were forced to provide solutions to an issue they didn’t cause.
Northage says it served as a wake-up call that retailers are vulnerable through their partners, logistics platforms, data analytics providers, and payment processors. The chain is only as strong as its weakest node. He adds that, for supermarkets heavily integrated with third-party tech, particularly those using outsourced AI, loyalty app platforms, or demand forecasting tools, a breach upstream could cascade downstream in minutes.
The true cost of a breach: fines and fallout
M&S has reportedly informed the Information Commissioner’s Office (ICO) of its situation, as required within 72 hours of becoming aware of a breach involving personal data.
If it’s found that proper safeguards were lacking, fines could follow. Under GDPR, retailers face fines of £17m or up to 4% of global turnover. For a major grocer, that’s not pocket change.
Beyond fines, there’s also the risk of enforcement investigations, legal claims, reputational harm, and longer-term erosion of customer trust. While headlines focus on share price drops or ransom payments, the true cost of a cyberattack is often less visible. Examples include disrupted supply chains, lost staff hours, brand damage, regulatory scrutiny, churned customers and long-term security investments.
And, Northage adds, those costs don’t simply vanish when the systems come back online.
It is understood analysts predict that the disruption could be costing M&S tens of millions of pounds, with Shore Capital estimating that the retailer is losing up to £25m a week in online clothing sales, and £15m for every 10% of food products it cannot sell due to shortages.

M&S’s ransomware attack has led to stock availability disruptions, with reports of empty shelves at some of its locations
Today (6 May), despite entering the third week of its cyber incident, M&S announced it was forced to pause the sale of some of its meal deals due to stock availability issues.
As a retailer with prime ‘food-to-go’ stores in locations such as train stations, airports and petrol forecourts, such a hit to stock availability is significant.
A spokesperson for M&S commented: “Customers can still buy meal deals in our rail station stores but there are pockets of limited availability for some items. We are working hard to continue getting our products into stores.”
A sector alert – what should other supermarkets do now?
For UK grocers, complacency is no longer an option. Experts warn that many attackers try for months before finding a way into a system, so recent breaches may not be a sudden wave, but the result of long-simmering vulnerabilities finally surfacing.
Luxury retailer Harrods announced its own cyber attack late last week. While it is a new victim of the recent wave of ransomware attacks, without proper reinforcement it certainly won’t be the last.
The hacking group which claims to be behind the Co-op breach told the BBC that it had “put UK retailers on the Blacklist”, while the National Cyber Security Centre (NCSC) has warned the sector that hackers launching cyber attacks at British retailers are imitating IT help desks to break into organisations. It published guidance to help crack down on such activity.
Northage says retailers must now reassess their data governance, looking at who holds what, and how securely. Likewise, incident response protocols must be reconsidered; are comms teams ready to respond in real-time without missteps?
Then there are their third-party risks: are suppliers and platforms adequately vetted? Finally, customer transparency plans must be checked: can they swiftly reassure without misleading, or overpromising, during an incident?
As Northage says, “It’s not about whether you can be attacked. It’s about when and how well you respond. Retailers have to treat IT security not as a one-off project, but as a continuous investment.”
The retail sector may be no stranger to shocks – from Covid to supply chain crises – but cybercrime brings a uniquely invisible and evolving threat. The M&S and Co-op breaches serve as a timely reminder that in a world where data is currency, supermarkets are more than sellers of food: they are vaults of information. And vaults must be secured.




