Combined Cyberattack on U.K. Retailers Classified as Major Systemic Event

In April 2025, U.K. retailers Marks & Spencer and Co-op were hit by coordinated cyberattacks, now officially categorized as a “single combined cyber event” by the Cyber Monitoring Centre (CMC), a U.K.-based nonprofit established by the insurance industry to track and classify significant cyber incidents.

Joint Attribution and Financial Impact

The CMC determined that a single threat actor was responsible for both breaches based on overlapping tactics, techniques, and procedures (TTPs), as well as the close timing of the incidents. Together, the events have been classified as a Category 2 systemic event, suggesting a widespread and high-impact disruption.

The estimated financial toll on both retailers and their associated networks ranges from £270 million ($363 million) to £440 million ($592 million). Notably, a separate cyberattack on luxury retailer Harrods, which occurred around the same time, was not included in this classification due to insufficient forensic and impact data.

Attack Vector and Suspected Actors

According to the CMC, the breaches began with social engineering tactics aimed at IT help desks—a growing attack vector in modern cyber intrusions. Attackers posed as legitimate internal employees to gain unauthorized access to sensitive systems and networks.

The Scattered Spider group (also tracked as UNC3944), an English-speaking threat actor within the broader cybercrime syndicate known as The Com, is suspected to be behind the attacks. This group is known for its highly targeted impersonation strategies and ability to infiltrate enterprises by deceiving support staff.

“The impact from this event is ‘narrow and deep,’ affecting two companies significantly and creating ripple effects across their suppliers, partners, and service providers,” the CMC stated.

Expanding Threats and Global Concerns

The campaign against U.K. retailers coincides with new intelligence from Google’s Threat Intelligence Group (GTIG), which warns that Scattered Spider has expanded its focus to U.S. insurance companies, using similar social engineering strategies.

“The insurance industry should be on high alert, especially for help desk and call center impersonation schemes,” said John Hultquist, Chief Analyst at GTIG.

Meanwhile, Indian tech services giant Tata Consultancy Services (TCS) confirmed it was not compromised in relation to the Marks & Spencer breach. TCS is, however, investigating internally whether its systems may have been indirectly leveraged during the attack.

Broader Ransomware Trends

This incident also arrives as ransomware groups such as Qilin evolve their extortion tactics. Recent reports indicate Qilin is offering legal and media support to pressure victims into paying ransoms, a shift toward more sophisticated psychological manipulation in negotiations.