The notorious cybercrime group, Scattered Spider, is believed to be the architect behind the recent devastating cyberattacks on prominent UK retailers Marks & Spencer (M&S) and Co-op, with an estimated financial impact ranging from £270 million to a staggering £440 million ($363 million to $592 million). This assessment comes from the Cyber Monitoring Centre (CMC), a UK-based independent, non-profit body.
The CMC has classified the April 2025 incidents as a “single combined cyber event” due to the close timing, similar tactics, techniques, and procedures (TTPs) employed, and the singular claim of responsibility by one threat actor. While attribution efforts are ongoing, all indicators point to Scattered Spider, also known as UNC3944, a group notorious for its sophisticated social engineering tactics.
The primary vector of these attacks involved tricking IT help desks through advanced social engineering. Scattered Spider, known for leveraging its English-speaking members, reportedly impersonated company IT personnel to gain unauthorized access to internal systems. This modus operandi aligns with their established history of bypassing security measures by exploiting human vulnerabilities.
The fallout has been significant for both retailers. M&S experienced prolonged disruption to its online operations, including suspended online orders and issues with contactless payments and click-and-collect services. This led to a substantial hit on their stock market value and projected profit losses. Co-op also faced widespread disruption, with reports of compromised customer data affecting potentially millions of members.
The CMC has categorized this event as a “Category 2 systemic event,” indicating a “narrow and deep” impact with significant implications for the two affected companies and their associated suppliers, partners, and service providers.
In the wake of these attacks, Google Threat Intelligence Group (GTIG) has issued a warning that Scattered Spider has now shifted its focus to the United States insurance industry, urging companies to be on high alert for similar social engineering schemes targeting their help desks and call centers. This highlights the evolving and adaptive nature of such cybercriminal enterprises.
The M&S and Co-op incidents serve as a stark reminder of the critical importance of robust cybersecurity defenses, particularly in addressing the human element. Organizations are urged to strengthen verification protocols for IT help desk interactions, enhance network segmentation, and implement comprehensive employee training to counter the increasingly sophisticated social engineering tactics employed by groups like Scattered Spider.
