Scattered Spider’s Retail Breach Was One Coordinated Hit, Not Two
▼ Summary
– Both M&S and Co-op were targeted in a single, coordinated cyberattack in April 2025.
– The attackers, known as Scattered Spider, used social engineering to trick helpdesks and gain access.
– Financial damages are estimated between £270M and £440M ($343M–$592M), with M&S hit hardest.
– The UK classified it as a “Category 2” incident, signaling its broader impact on national retail.
– Google and other firms are warning that Scattered Spider may now be focusing on U.S. targets
When Marks & Spencer and Co-op experienced widespread outages this past April, many assumed it was coincidence. New findings suggest otherwise.
According to the UK’s Cyber Monitoring Centre, both attacks were in fact part of a single, coordinated cyber event attributed to Scattered Spider, a threat actor known for its social engineering schemes and its flair for disruption. The attackers didn’t exploit a technical flaw—they manipulated helpdesk staff into resetting credentials. From there, they had all they needed.
A Quiet Breach With Loud Consequences
The financial toll is eye-watering. Combined losses from the attack are estimated to be between £270M and £440M (\$343M to \$592M). M\&S alone reportedly lost over £60M in profit and saw £1 billion wiped from its market value, largely due to a six-week suspension of its online operations. The Co-op wasn’t spared either: shelves were left empty, logistics were slowed, and its membership network of over 4 million was disrupted.
Despite their differences, both brands were targeted in the same way—through their people. Helpdesk impersonation remains one of Scattered Spider’s trademarks, and this time, it worked at scale. The group, also known by the alias UNC3944, has shown a repeated ability to outmaneuver legacy security setups using these deceptively low-tech methods.
From Retail Chaos to Strategic Wake-Up Call
What makes this attack notable isn’t just the financial damage. It’s the classification. The UK’s cyber authority has labeled it a “Category 2” cyber event, a status usually reserved for incidents with national or cross-sector impact.
It also shines a light on the growing risk of highly agile ransomware gangs targeting industries that rely on tightly integrated supply chains. Retailers, in particular, are vulnerable—one crack in the backend and the whole system slows, from inventory to checkout.
Security insiders say this wasn’t an isolated play. Google’s cybersecurity teams have since warned U.S. companies about ongoing campaigns tied to the same group. “Scattered Spider is one of the most active and adaptive social engineering threat actors currently in operation,” said Mandiant in a statement following the event.
Their operations aren’t splashy. No zero-day exploits. No sophisticated malware payloads. Just patient, well-crafted interactions that pry open doors left unguarded.
