The Scattered Spider/Dragonforce cyber attacks that struck Marks & Spencer and Co-op during the spring have been classed as a Category 2 cyber event on the UK Cyber Monitoring Centre’s (CMC’s) recently launched ‘hurricane scale’, with total costs likely to end up somewhere between £270m and £440m.
The CMC – an arm’s-length body set up by the insurance industry to assess the impact of cyber attacks on the UK and help organisations better manage their risk profiles, and backed by cyber experts including former NCSC lead Ciaran Martin – said that based on its incident categorisation matrix, the incident had had a “substantial financial impact” and resulted in “economic reverberations “across third-party suppliers, franchisees and supporting services”.
“The impact from this event is ‘narrow and deep’, having significant implications for two companies, and knock-on effects for suppliers, partners and service providers,” the team wrote in their assessment.
“This contrasts with a ‘shallow and broad’ event like last year’s CrowdStrike event, where a large number of businesses across the economy were affected but the impact to any one company was far smaller.”
The CMC said that while it has yet to book a Category 4 or 5 event in the UK, had the disruption extended more widely across the retail sector, the attack campaign might have been higher. In the event, of course, Scattered Spider’s campaign is known to have just two major retailers.
That said, the CMC did note a third attack on Harrods, and other retailers and retail-adjacent organisations reported to have experienced incidents in the past few months, but said it had to confine its analysis to the more widely reported M&S and Co-op incidents because there was a lack of information about the cause and impact of other events at the time.
Financial costs
In arriving at its figure of £270m to £400m, the CMC has drawn on a range of public and commercial data sources, including a figure of approximately £300m floated by M&S in May during its annual results call, and its own modelling.
The CMC said its figure might have been higher based on statements made by M&S of an anticipated July restart date for online shopping. However, the fact that the retailer has since stood up some of its online shopping model meant the CMC could pare back its estimates.
The total figure includes covering the costs of business interruption arising from lost sales opportunities, incident response and IT restoration costs, and legal and notification costs. It does not include any ransom payments as it is not known if any have been made.
Based on stats drawn from transactional data platform Fable Data, the CMC said that M&S saw a daily reduction in spend of 22% during the incident, with online sales dropping to essentially zero and in-store sales down 15% as the firm struggled to keep its Food Halls and other locations topped up. For Co-op, daily spend dropped by 11% during the first 30 days of the incident.
The CMC observed that M&S’ distinct own-label business model and a number of exclusive contracts with suppliers left it particularly vulnerable to supply chain effects, with suppliers struggling to reroute goods, particularly items relying on cold chain storage.
Turning to Co-op, the Fable data show daily spend dropped by 11% during the first 30 days of the incident. The CMC said that because Co-op is frequently the only bricks and mortar grocery chain in more isolated and remote parts of the country – particularly in the Highlands and Islands of Scotland – the incident demonstrated the broader social impacts of such cyber attacks.
“The event underscores retail sector vulnerabilities tied to just-in-time stock systems, lack of back-end storage, and high dependency on IT-driven order flows. When systems fail, it is challenging to revert to manual processes,” said the team.
Preparing to fail
Looking into the future, the CMC said the Scattered Spider attacks had been an object lesson in preparedness for the retail sector, stressing the need to test business continuity and crisis response plans against ransomware attacks, including procedures for inventory management, and crisis communications.
As well as noting, naturally, the need for improved cyber hygiene and proper understanding of retailers’ exposure to third-party risk – likely how the M&S and Co-op incidents began – the CMC also said that retailers needed to consider that the costs of business interruptions can be extreme, and it is wise to ensure that capital, or adequate insurance protection, is available to cover cyber attacks.