The Cyberattack That Started With a Phone Call: What M&S and Co-op Reveal About Incident Response

Major cyberattacks are often imagined as highly technical events: a hidden vulnerability, a sophisticated exploit, or a hacker forcing their way through a company’s digital perimeter.
But the cyberattacks that disrupted Marks & Spencer and the Co-op in 2025 appear to have started in a much more ordinary way.
With a phone call.
According to public statements, parliamentary evidence and incident analysis, attackers impersonated legitimate employees and persuaded IT help desk staff to reset account credentials. Once those resets had been completed, the attackers were no longer trying to break in from the outside. They were logging in with access that appeared genuine.
It was a simple opening move, but the consequences were significant.
Marks & Spencer paused online orders for around six weeks, customer personal data was stolen, and recovery took months. The company initially guided that the incident could reduce operating profit by approximately £300 million before mitigation.
The Co-op was also breached, with the personal data of all 6.5 million current and former members taken. Distribution and logistics were disrupted, and parts of the business had to fall back on manual processes.
However, the two incidents played out differently in one critical area. At M&S, ransomware was deployed. At the Co-op, defenders detected the warning signs early enough to take key systems offline before ransomware could detonate.
That contrast sits at the heart of the story. Both organisations were hit. Both suffered data loss. Both experienced disruption. But the speed of detection and the willingness to contain the attack appear to have made the difference between a serious incident and a much longer operational crisis.
A wider wave against UK retail
The M&S and Co-op incidents formed part of a wider wave of cyberattacks against major UK retailers in April and May 2025, which also included Harrods.
M&S was the most visibly disrupted. The retailer first identified problems over the Easter weekend, when customers began experiencing issues with contactless payments, gift cards and click-and-collect services. A few days later, the company paused online ordering across its UK and Ireland websites and apps.
Behind the scenes, ransomware had been deployed on company systems. Online clothing orders did not resume until June, while click-and-collect, the last major customer-facing service to return, was restored in August.
The Co-op’s incident followed a different path. Its intrusion began when a recently reset staff account started behaving maliciously. The organisation’s monitoring reportedly flagged the activity within minutes. Over the following days, the Co-op restricted remote access, locked accounts and brought in forensic support.
When defenders later saw signs that ransomware could be about to deploy, the Co-op made the difficult decision to disconnect large parts of its network.
That decision caused disruption across ordering, depots and logistics. But it also prevented the ransomware stage of the attack from being reached.
For any organisation reviewing its own cyber resilience, that difference matters.
The weak point was not the firewall
The most uncomfortable lesson from the M&S and Co-op cyberattacks is that the initial weakness was not necessarily a missing patch, an exposed server, or a failed firewall.
It was the process for proving identity before an account reset.
In both incidents, attackers reportedly targeted help desk processes. They impersonated employees, persuaded support teams to reset credentials and then used those credentials to access the network.
That matters because many organisations still treat password and multi-factor authentication resets as routine administration. In reality, a reset can be a critical security moment.
Once an account has been reset, security systems may see a successful login from a recognised user. The username is valid, the password works, and the authentication process may appear legitimate. But if the reset itself was obtained through deception, the attacker has effectively bypassed the front door by persuading someone else to open it.
That is why help desk procedures deserve the same scrutiny as more traditional technical controls.
A phone call should not be enough to reset access. Security questions may not be enough either, especially if answers can be gathered from internal data, social media or previous breaches.
For sensitive resets, organisations should consider stronger checks such as call-backs to numbers already on file, manager approval, pre-agreed verification steps, or additional controls for privileged accounts.
The same standard should apply to outsourced IT providers. If a third party can reset access into your environment, then its process is part of your security perimeter.
What the Co-op response shows about containment
The Co-op was still breached. Data was still stolen. The disruption was real.
But early detection changed the trajectory.
When the reset account began behaving maliciously, monitoring reportedly picked up the activity quickly. When defenders later identified signs that ransomware could be about to deploy, the organisation chose to take key systems offline.
That decision came at a cost. Parts of the business were disrupted, logistics were affected, and manual processes had to be introduced. But the ransomware did not detonate.
This is what effective containment can look like in practice. It is rarely clean, rarely comfortable, and often creates difficult decisions for leadership. But in a ransomware scenario, time matters.
A delayed decision can give attackers the opportunity to encrypt systems, steal more data, destroy backups or increase pressure on the organisation.
That is why incident response cannot be treated as a purely technical function. The decision to disconnect systems is a business decision as much as an IT decision. Someone needs the authority to make that call, and they need to know they have that authority before the crisis begins.
The incident response gap
The comparison between M&S and the Co-op exposes a broader issue for many organisations. Incident response plans may exist, but they are not always tested under realistic pressure.
A plan may say that systems can be isolated, but it still needs to be clear who makes that decision. It may say that backups can be restored, but the organisation needs to know when they were last tested. It may say that customers will be notified, but someone must approve the message. It may say the business can continue manually, but that process needs to have been rehearsed.
These questions matter because cyber incidents unfold in uncertainty.
In the early hours of an attack, organisations rarely know exactly what has happened. They may not know which systems are compromised, what data has been accessed, whether ransomware is about to deploy, or whether the attacker is still inside.
That is why tabletop exercises are increasingly important. They bring together technical teams, leadership, legal, communications, operations and third-party providers to test how decisions would be made during a live incident.
The goal is not to predict every possible attack. It is to reduce confusion when one happens.
Is your incident response plan ready for a real attack?
Use our Incident Response Checklist to review the key decisions, roles and recovery steps your organisation should have in place before a cyber incident occurs.
Five lessons for UK organisations
The M&S and Co-op cyberattacks offer practical lessons for organisations far beyond the retail sector.
First, password and MFA reset processes need to be reviewed. No reset should be approved based on a phone request alone, particularly for privileged users.
Second, privileged accounts need stronger protection. Administrator access should be separated from everyday work, limited to those who need it and monitored carefully.
Third, organisations should move towards phishing-resistant MFA where possible. Attackers have become skilled at bypassing weaker forms of authentication through social engineering, prompt fatigue and reset abuse.
Fourth, incident response plans need to be rehearsed. A plan that has never been tested is not a plan in any meaningful sense; it is only a document.
Fifth, recovery needs to be proven. Backups should be protected, separated from the live environment and regularly tested through restoration exercises.
These are not abstract recommendations. They map directly to the weaknesses and response decisions seen in the retail attacks.
Resilience is built before the incident
The M&S and Co-op cyberattacks are a reminder that cyber resilience is not measured only by whether an attacker gets in. It is measured by what happens next.
How quickly can suspicious activity be detected? Who has authority to disconnect critical systems? Can the business continue operating manually? Are backups recoverable? Can the organisation explain what happened to customers, regulators and staff?
The next major cyber incident may not start with malware. It may start with someone asking for help.
For business leaders, the message is clear: review the process before attackers do.
At TechForce Cyber, we help organisations strengthen cyber resilience through Cyber Essentials, ISO 27001 consultancy, incident response planning, tabletop exercises and wider cybersecurity support.
Related Articles
CONTACT US TODAY: