The U.K. Cyber Monitoring Centre (CMC) has classified the recent cyber attacks on major retailers Marks & Spencer and Co-op as a “single combined cyber event.” This assessment follows the April 2025 breaches that led to significant security disruptions for both companies, with damages estimated between £270 million ($363 million) and £440 million ($592 million).
The CMC noted that the same threat actor appeared to be responsible for both attacks, which exhibited similar tactics, techniques, and procedures (TTPs). A statement from the CMC emphasized the intertwined nature of the incidents: “Given that one threat actor claimed responsibility for both M&S and Co-op, the close timing, and the similar tactics, techniques, and procedures (TTPs), CMC has assessed the incidents as a single combined cyber event”.
Initial investigations revealed that social engineering tactics, particularly targeting IT help desks, were used to gain unauthorized access to systems. The notorious cybercrime group Scattered Spider, also known as UNC3944, has been linked to these intrusions. This group specializes in sophisticated social engineering attacks that involve impersonating company IT staff to facilitate breaches. The CMC described the impact of this event as “narrow and deep,” suggesting that it could have widespread ramifications for supply chains and partners connected to the affected retailers.
Moreover, the attacks formed a concerning pattern as Scattered Spider has recently shifted its focus to U.S. insurance companies. The Google Threat Intelligence Group (GTIG) warned, “Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers”. With these insights, experts caution companies to bolster their cybersecurity measures as the threat landscape continues to evolve.
In related developments, Indian consulting giant Tata Consultancy Services (TCS) confirmed that it was not compromised during the Marks & Spencer attack. This announcement follows previous reports that speculated whether TCS systems might have been exploited in the cyberattack’s orchestration. The implications of these attacks extend beyond immediate financial costs, as they reveal a pressing need for improved security protocols across various industries.