The Importance of Cyber Incident Response: How M&S and the Co-op Responded to Crisis

Following on from our previous article analysing the intense targeting of the UK’s retail sector, two of Britain’s most recognisable retail brands, Marks & Spencer and the Co-op, recently found themselves on the front lines of the UK’s growing cybercrime crisis. As cyber attacks targeting the retail sector continue to escalate in both frequency and complexity, the responses from these organisations have provided a revealing case study in cyber security crisis management.

While both attacks involved serious security breaches, the nature of the incidents and the way each retailer handled the aftermath could not have been more different. At PureCyber, we’ve analysed both responses to highlight critical lessons in containment, communication, and recovery - lessons every retailer should heed.

Two Breaches, One Message: No Organisation Is Immune

In April 2025, Marks & Spencer suffered a serious cybersecurity breach believed to be linked to a sophisticated SIM-swap attack. Threat actors reportedly manipulated mobile network authentication systems, seizing control of authorised credentials and exploiting internal trust structures to gain access to sensitive systems. The breach disrupted digital operations and led to a £650 million drop in market value, as stock shortages and transaction failures rippled through M&S’s supply chain and stores.

The Co-op, meanwhile, faced a separate attack involving ransomware. The breach disrupted point-of-sale systems across a number of retail branches, leading to widespread service outages. Initially, the Co-op indicated that customer data had not been compromised, but it was later confirmed that limited customer data was in fact accessed during the attack. Unlike M&S, the Co-op was able to avert deeper damage through swift system shutdowns and the activation of offline fallback procedures in-store.

Crisis Response: Transparency Versus Delay

One of the starkest contrasts between the two incidents was how each organisation approached public communication and internal containment.

Marks & Spencer appeared hesitant in its initial response. Confirmation of the breach was slow to emerge, and internal access controls remained active longer than advisable, increasing the window of exposure. It’s understood that the company prioritised internal auditing and technical investigations before issuing detailed public guidance. However, in an age of rolling news and viral social media, this delay led to confusion among customers and speculation in the press.

By contrast, the Co-op took a more decisive and transparent approach. Within 24 hours of detecting the incident, it had issued a public statement, shut down affected systems, and engaged with third-party forensic investigators. The organisation also began providing real-time updates to customers via social media and in-store communications, earning praise for its candour and composure under pressure.

“In cyber incident response, speed and clarity are critical. The longer you wait, the deeper the operational and reputational wounds”, says Damon Rands, CEO of PureCyber.

Customer Assurance: Building (or Breaking) Trust

Effective crisis communication isn’t just about speed; it’s about empathy and accountability.

Marks & Spencer’s approach focused on internal stability first. While understandable, the lack of early updates left many customers feeling uninformed. Official guidance was eventually published, but only days after the incident, and without direct outreach to potentially impacted customers. The result: a growing trust deficit during a moment of reputational risk.

In contrast, the Co-op leveraged every channel at its disposal. Alerts were issued via its mobile app and in-store signage, while senior leadership took to social media to apologise directly to customers. The retailer also provided interim transaction support at affected branches and regularly updated the public throughout the recovery process.

“Trust is built - or broken - during a crisis. The Co-op’s approach to customer assurance was fast, visible, and responsible”, Rands comments.

Operational Recovery: Containment Makes the Difference

The Co-op’s success in limiting the spread of ransomware lay in its early decision to isolate compromised systems. This decisive move, though temporarily disruptive, prevented attackers from gaining access to core infrastructure and allowed the company to roll out phased recovery within 72 hours. Offline alternatives - such as manual tills - were activated quickly, minimising downtime in stores.

Marks & Spencer’s breach, however, involved a more complex attack vector. The SIM-swap method used by attackers was deeply embedded in identity infrastructure, making it harder to detect and mitigate. As a result, the organisation reportedly continued operating several services while investigation and audit processes were still underway - potentially extending the risk window.

“Sometimes isolating systems early feels costly, but it’s what saves you long-term”, notes Rands.

What Retailers Must Learn: PureCyber’s Recommendations

As the threat landscape continues to evolve, the retail sector must move beyond reactive strategies. Based on our forensic analysis of these two high-profile breaches, PureCyber recommends the following best practices:

- Test Your Incident Response Plan
A playbook isn’t enough. Regular, scenario-based simulations must become part of organisational culture.

- Communicate Clearly and Promptly
Transparency is essential - even when full details aren’t yet available. Silence breeds mistrust.

- Rethink Identity Controls
Over-reliance on mobile phone-based authentication opens the door to SIM-swap attacks. Multi-factor authentication must include secure alternatives.

- Segregate Systems to Prevent Lateral Movement
Compartmentalise access and monitor system interdependencies. The fewer the links, the lower the blast radius of a breach.

- Put the Customer First During a Crisis
Customer experience doesn’t end at the checkout. Reassurance, apology, and support must be at the forefront during incidents.

“These are no longer rare events. They are business realities. Preparedness is not a project; it’s a mindset”, concludes Rands.

The Shape of Things to Come

Retailers are facing a new era in which cyber attacks are not only likely but inevitable. The experiences of M&S and the Co-op show that what matters most isn’t whether you’re breached, but how you respond. The Co-op demonstrated that with quick containment, transparent communication, and structured recovery, damage can be limited and trust preserved. Marks & Spencer, meanwhile, highlighted the dangers of delayed action and communication in an increasingly connected and scrutinised world.

For the retail sector, the message is clear: invest in your defences, prepare your people, and plan for resilience - not just reaction.

