Sunday Times has a piece looking into ransomware incident at Marks and Spencer. It's pretty good, goes into their contain and eradicate focus.

"By shutting down parts of the IT estate, Higham’s team had worked to prevent the attack from spreading, but had also stopped parts of its digital operations from functioning. This was considered a worthy trade-off."

One error in the article - lack of recovery doesn't mean no ransomware paid. Paying is not quick restoration.

https://www.thetimes.com/business-money/companies/article/m-and-s-cyber-attack-ms-klrnxvwq6

A wrote a piece about paying ransoms does not equal quick restoration - in fact, quite often it makes things worse. https://doublepulsar.com/big-game-ransomware-the-myths-experts-tell-board-members-03d5e1d1c4b7

Sky News quote a source in M&S head office saying Marks and Spencer have no ransomware incident plan so they are making it up as they go along apparently, with staff sleeping in the office and communicating via WhatsApp.

M&S dispute this, saying they have robust business continuity plans.

https://news.sky.com/story/amp/mands-had-no-plan-for-cyber-attacks-insider-reveals-with-staff-left-sleeping-in-the-office-amid-paranoia-and-chaos-13361359

BBC News has a look at teenagers phoning helpdesks and pretending to be the CISO. https://www.bbc.com/news/articles/c4grn878712o

One of the points of exploitation of large orgs is they usually outsource their Service Desk to somewhere cheap offshore who don’t know the org staff, and when you call and say your name, they normally put big all caps bold red warning if the person is a VIP, eg C suite, so they get VIP service - ie anything goes.

Co-op Group appear to be trying to course correct with their cyber incident comms.

They’re calling it a cyber incident now, and have put a statement on the front page of their website, along with an FAQ. They haven’t yet emailed members (they should). Edit: they’ve started emailing members.

https://www.coop.co.uk/cyber-incident

It sounds like the situation at Co-op has got worse. They’ve stopped taking card payments in some stores, it’s cash only. https://www.telegraph.co.uk/business/2025/05/06/co-op-shops-stop-taking-card-payments-amid-cyber-attack/

People are also taking to social media to post pictures of apparently emptying store shelves.

The Co-op website claims it is down to "technical issues".

Contactless payment has been fixed at all Co-op Group stores.

One thing for media covering the Co-op thing - attackers are not impersonating IT help desks to gain access. They’re impersonating *staff* calling in to the IT help desks - they’re different things.

Co-op Group are redirecting supplies from their urban stores to remote and island locations due to stock shortages.

The article mentions their EDI platform is suffering “technical issues”. https://www.retailgazette.co.uk/blog/2025/05/co-op-reroutes-stock/

@GossiTheDog Very valid point, i'll find the current way to nudge our editorial folks. Definitely an important distinction 👍🏻
Edit: Done

I just did a Shodan Safari on Co-op - basically all their Windows and Linux systems in their core DCs at network boundary are down, it's not just EDI. It's been like that for just under a week, prior to that things were still online.

I feel really bad for them as it's a great org. Also their CEO is basically the only one who stood up like this for trans people.

https://www.telegraph.co.uk/business/2025/05/04/ill-protect-trans-people-to-the-end-vows-co-op-boss/

If you're wondering about Marks and Spencer - I just did a Shodan Safari of their network boundary, Palo-Alto GlobalProtect VPN remote access access is still offline, 15 days later.

Online orders are still not working, and the store stock checker is disabled now.

Co-op have paused all non-essential products in stores https://www.retailgazette.co.uk/blog/2025/05/co-op-non-essential/

@GossiTheDog 😬

Every detail in this article is wrong. The M&S incident had nothing to do with hybrid working.

Marks and Spencer’s online shopping is still offline 3 weeks later. It is thought they have lost around £63m so far, excluding IR, BCP and ransom payment costs. https://www.drapersonline.com/news/ms-online-shopping-outage-enters-third-week

M&S had a significant amount of data stolen btw, but they’ve opted not to tell customers or staff.

The Grocer reports 4 regional Co-ops, who aren’t part of Co-op Group, are suffering stock shortages as they are supplied by Co-op Group.

They expect customers to start to see availability issues on shelves in the coming days.

https://www.thegrocer.co.uk/news/co-op-societies-hit-by-availability-issues-amid-ongoing-cyberattack-on-co-op-group/704305.article

For orgs looking for defence tips for the attacks on UK retailers, this blog from 2022 about the UK teenagers in LAPSUS$ has relevance.

As a plot twist - not documented anywhere online, but LAPSUS$ first attacks in 2021 were against UK high street retailers.

https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

For anybody wondering what 'dial into the incident response bridge' means, it means they'll literally Teams call into cyber IR bridges as themselves and just extort you to your face. They'll also call CISOs etc. Bad Times at the El Royale.

Marks & Spencer bureau de change staff are being forced to use pen and paper to serve customers as a result of the cyber attack on the retailer and cannot accept card payment. https://www.thisismoney.co.uk/money/markets/article-14696595/Hack-rocks-Marks-Spencer-bureau-change.html

Co-op Group have provided some more detail about what it’s doing about remote lifeline stores (ones where they’re the main/only retailer on an island):

“From Monday, 12 of the most remote lifeline stores will receive treble the volume of available product, and another 20 lifeline stores will get double the volume.” https://www.bbc.com/news/articles/c071e7x80djo

DragonForce Ransomware Cartel’s portal is back online after a multi week outage. No sign of M&S or Co-op’s data.

All M&S recruitment is still stopped, 19 days in. https://jobs.marksandspencer.com/

I think Co-op may have stopped recruitment too, they’re a big employer so usually have hundreds of open positions - currently they have 17, and most close today and the rest in a few days.

The Record quotes a Co-op worker as saying they are operating at well below 20% of their normal capacity in depots. https://therecord.media/co-op-cyberattack-uk-company-fears-hackers-still-in-system

Allianz supplies Marks and Spencer's cyber insurance, and will apparently suffer a full tower loss (i.e. it's going to be expensive) https://www.insuranceinsider.com/article/2esiwg4yv6p38pcf2pgxs/lines-of-business/cyber/allianz-leads-cyber-cover-for-m-s-ransomware-attack

People in Machynlleth are apparently turning up at local farms in search of food due to lack of produce at Co-op https://www.cambrian-news.co.uk/news/cyber-attack-people-turning-up-at-farms-as-machynlleth-co-op-shelves-remain-bare-792434

Co-op stores in Sheffield, Badenoch, Dunfermline and many other places are apparently running out of produce - it's not possible to keep up with the local media reports but they're basically bored reporters get sent out to photograph half empty fridges.

This ITV News report linking the Co-op and M&S breaches to SIM swapping is not accurate, no source given. https://www.itv.com/news/2025-05-12/sim-swap-fraud-rises-by-1000-as-criminals-exploit-two-factor-authentication

They also have a report today saying Co-op stores are restocked, which is also not accurate - that one is sourced from Co-op, but obviously doesn’t stack up to looking in Co-op stores.

If anybody is wondering, all of Marks and Spencer's Palo-Alto GlobalProtect VPN boxes are still offline, 3 weeks later. Pretty good containment method to keep attackers out.

Co-op's VDE environment is still down, too.
https://cyberplace.social/@GossiTheDog/114399017367179104

M&S confirm my toot from 3 days ago that a significant amount of customer and staff data was stolen. They’ve known for weeks but opted not to tell anybody. https://www.bbc.com/news/articles/c62v34zv828o

@GossiTheDog I can only hope this data breach is the kick up the arse needed to abolish the common practice of using date of birth as an (immutable!) security password. Once it’s public knowledge it’s beyond useless… it’s a liability. Especially in banks.

I will not be holding my breath on this one.

Re the Co-op Group breach, Co-op say home addresses of customers were exfiltrated (it was the membership database). This one dates back to my May 2nd toot upthread re home addresses - at the time, they didn't specify home addresses.

Co-op Group have 5 open jobs left, with nothing posted for 11 days.

Co-op's AGM is this weekend, and M&S yearly results and investor contact are next week.

Gonna be awkward for different reasons, e.g. Co-op is member (customer) owned, so the people's data Co-op had stolen are effectively the shareholders and are invited.

The Channel Islands Coop, which is different to Co-op Group, has been able to restock shelves by moving away from Co-op Group for supply distribution and moving to local suppliers. https://www.bbc.co.uk/news/articles/c3d4xvg3x1do

The Grocer reports Nisa and Costcutter are running out of fruit & veg, fresh meat and poultry, dairy products, chilled ready meals, snacks and desserts.

Nisa and Costcutter are supplied by Co-op Wholesale, which is dependent on Co-op Group.

“It’s really poor. I feel bad for them but what makes it worse is their hush-hush mentality about it. There’s no proper level of communication and we get random updates.”

Co-op Wholesale claim there are no problems. https://www.thegrocer.co.uk/news/nisa-and-costcutter-hit-by-stock-shortages-amid-co-op-cyberattack/704393.article

A look at supplies in stores today, after Co-op told ITV yesterday that stores were restocked 😅

And a video

Co-op Group have told their suppliers that "systemic-based orders will resume for ambient, fresh, and frozen products commencing Wednesday 14 May". They say forecasting system will still be impacted.

https://www.thegrocer.co.uk/news/co-op-to-get-systems-back-on-track-after-cyberattack/704425.article

Harrods say they are not asking customers to do anything differently at this point.

Financial Times report Marks and Spencer expect to claim £100m on their cyber insurance, the maximum allowed, suggesting losses probably more. https://www.ft.com/content/723b6195-1ce7-4b5f-94f5-729e9152c578

Co-op Group say they have exited containment and begun recovery phase https://www.theguardian.com/business/2025/may/14/co-op-cyber-attack-stock-availability-in-stores-will-not-improve-until-weekend

Marks and Spencer are still in containment

If you want figures for your board to set expectations in big game ransomware incidents, Co-op containment just over 2 weeks, M&S just over 3 weeks so far - recovery comes after.

In terms of external assistance, Co-op have Microsoft Incident Response (DART), KPMG and crisis comms. M&S have CrowdStrike, Microsoft, Fenix and crisis comms.

The threat actor at Co-op says Co-op shut systems down, which appears to have really pissed off the threat actor. This was the right, and smart, thing to do.

While I was at Co-op we did a rehearsal of ransomware deployment on point of sale devices with the retail team, and the outcome was a business ending event due to the inability to take payments for a prolonged period of time. So early intervention with containment was the right thing to do, 100%.

https://www.bbc.co.uk/news/articles/cwy382w9eglo

Co-op Group recruitment looks like it is starting again, first new roles in two weeks posted. https://hcnq.fa.em2.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX/jobs

Marks and Spencer say food distribution to their stores is returning to normal. It follows Co-op's announcement yesterday that food and drink distribution will begin to return to normal from the weekend. https://www.reuters.com/business/retail-consumer/uks-ms-says-food-availability-improving-every-day-2025-05-15/

27 new jobs at Co-op added today, and it's only midday. So recruitment was definitely paused for two weeks and now active again.

M&S have finally told staff that data about themselves was stolen: https://www.telegraph.co.uk/business/2025/05/16/ms-staff-data-stolen-by-hackers-in-cyber-attack/

You may notice I said they had staff data stolen on May 9th in this thread.

For the record, the tools listed in this article aren't used by Co-op.

https://www.computing.co.uk/news/2025/security/five-cyber-tools-co-op-used-to-defeat-ransomware-attack

The link in the article to Vectra Cognito AI has a Coop Sweden logo on it, and the Coop Sweden CISO is named. Coop Sweden is different company. Coop Sweden went on to have a ransomware attack that crippled the org, including point of sale, so I don't think it's a good sales point. Same with Silverfort.

Google AI has ingested the article and now uses it to claim Co-op Group use the tools.