Marks & Spencer turned its website back on this Tuesday, after forty-six days offline. The Co-op is still counting £206m in lost revenue, with the supply chain disruption rippling through rural stores. Harrods got off comparatively lightly, restricting in-store internet access for a few days. Three compromises, one threat actor, one ransomware family, one Easter weekend. The retail wave has settled. It is worth being honest about what it cost.

The shape of the wave

Scattered Spider is the loose collective behind Caesars and MGM in 2023 and several US healthcare incidents in 2024, working the same social-engineering-and-help-desk playbook the LAPSUS$ group taught the industry in 2022. In 2025 it turned to UK retail, deploying DragonForce ransomware against M&S over Easter weekend. Customers first noticed glitches in contactless payments and Click & Collect on Saturday 19 April. By Monday 21 April, tills were down across the chain. M&S took the website offline on 25 April; it stayed off until 10 June.

The Co-op was hit days later, with attackers compromising the ordering and logistics systems that keep its rural-distribution model running. Empty shelves were the visible part. The invisible part was 6.5 million members whose data was touched.

Harrods confirmed an attack on 12 May. The response was rapid: in-store internet restricted, systems isolated, no extended public-facing outage. By industry standards, Harrods got the response right. By the standards Scattered Spider sets, Harrods was probably just lower down the target list.

Four arrests followed in July. Investigations are continuing.

The £300m number

M&S publicly disclosed an estimated £300m in lost operating profit attributed to the incident. The number is doing several jobs at once.

Some of it is sales not made during the forty-six-day online shutdown. Some of it is reputational recovery cost. Some of it is incident response, forensic, and regulator-facing work. Some of it is the cost of running parts of the business in degraded mode for weeks. The £300m is the headline; the breakdown is what makes it instructive.

Boards I have spoken to in the last month tend to fix on the £300m and ask whether their own firm could absorb a similar hit. That is the wrong question. The right question is whether the breakdown of their equivalent loss would look anything like M&S's, or whether it would be skewed differently — toward regulatory fines, toward customer-litigation exposure, toward supplier penalties for missed SLAs. The shape of the loss is firm-specific. The magnitude, less so.

The Co-op and the supplier-of-everything problem

Co-op's £206m loss is structurally different. Where M&S lost online sales, Co-op lost its capacity to distribute physical goods to its store estate. The compromise hit the ordering and logistics systems that decide what arrives where, in what quantities, by which van. In rural areas particularly — where Co-op is sometimes the only nearby food retailer — the gap between empty shelves and customer impact was zero.

The lesson here is not unique to Co-op. It is that operational technology adjacent to retail logistics is increasingly part of the cyber attack surface, and that the firms most exposed are the ones whose physical operations depend on real-time data flows from systems that look more like ERP than POS. Manufacturing, logistics, fulfilment, and grocery are all in the same exposure category.

What the three have in common

The three firms had broadly comparable security postures going into Easter 2025. They had EDR. They had identity controls. They had MFA. They had IR plans. They were not, by industry standards, weak.

This is the part of the story UK boards have most struggled with. The defensive posture did not predict the outcome. Scattered Spider chose targets and worked them. Defenders did not choose to be chosen.

The implication is uncomfortable: being as secure as your peers is no longer a defence. The threat actor selects its targets, operates professionally, and is well-resourced enough to spend weeks inside the perimeter learning the environment before deploying the ransomware payload. The pre-encryption dwell time on the M&S incident was reportedly weeks. There is no posture that makes you uninteresting to a well-resourced operator who has decided you are interesting.

For boards

Three questions worth taking into the next meeting.

If we suffered an M&S-shaped outage tomorrow, what would the £300m equivalent look like for us? Sales lost, customer trust eroded, regulator-driven costs, supplier penalties — show me the breakdown. This is not a stress test. It is the work of writing down what the firm would actually be defending against.

Where is our equivalent of Co-op's logistics layer — the operational technology that, if compromised, immediately stops physical operations rather than just digital ones? In most firms this layer is owned by Operations rather than IT, and is not on the cyber risk register. It should be.

If a Scattered-Spider-class operator decided we were the next target, how far could they move through our environment in the first two weeks? Are we confident we would notice them inside that window? If the honest answer is no, the next investment decision is detection capability, not perimeter hardening.

The closing observation

The retail wave was not a one-off. Scattered Spider is one of perhaps a dozen comparable groups operating with similar capabilities. The reason they chose UK retail in spring 2025 is not knowable from outside. The reason they will choose another sector this year is. They will choose it because it has the same characteristics: brand value attached to operational continuity, complex digital supply chains, and the kind of board that is more comfortable signing off a cyber insurance renewal than commissioning a tabletop on a forty-six-day outage.

The firms that survive the next wave will be the ones that have already had the uncomfortable conversation about what their £300m equivalent looks like.