Someone impersonated an employee over the phone. Eight weeks later, a competitor upgraded its profit forecast.
On April 17, 2025, over the Easter weekend, someone called a third-party IT service desk that supported Marks & Spencer. The caller impersonated an M&S employee, answered a series of security questions correctly, and convinced the desk to reset credentials.
Within hours the attackers had access to M&S’s internal systems, and it took two days before M&S realized something was wrong. The first crisis meeting convened at 10 p.m. on April 19, by which point the attackers had already moved laterally through the infrastructure and deployed ransomware. What followed was the most expensive retail cyber incident of the year.
Online ordering went dark, in-store systems reverted to pen and paper, food halls ran low as automated stock management failed, and click-and-collect shut down entirely. M&S began restoring some online clothing orders in June, but the retailer did not fully restore its online operations until mid-August, nearly four months after the attack began.
The financial damage matched the operational disruption. In its half-year results, M&S reported that statutory pre-tax profits had collapsed from £391.9 million to £3.4 million, and at one point the attack had erased roughly £750 million from the company’s market value.
Those numbers tell one story. A competitor’s earnings report tells another.
What happened to the customers who couldn't wait
British retailer Next, one of M&S’s direct competitors, had entered the year guiding investors to expect roughly £1.07 billion in pre-tax profit. By October, the company had upgraded that forecast four times to £1.14 billion, accumulating nearly £70 million in additional profit expectations across the period of M&S’s disruption. In its earnings communication, the company cited “competitor disruption” as a contributing factor. A retail analyst told the BBC that “some of the success this year has certainly come from Marks and Spencer’s very challenged times.”
For nearly four months, M&S’s customers could not reliably buy from M&S online, and they did not stop buying. They redirected their spending to whoever could fill the gap. The breach was not just a cybersecurity incident or an operational disruption. It was a market share event, and it appeared in a competitor’s earnings because that is where displaced customer spending ultimately lands.
Most breach cost calculations focus on incident response, regulatory fines, legal settlements, and direct fraud losses. The M&S case adds a category that rarely appears in those models and may in some circumstances dwarf them: the revenue your competitors capture while your systems are down, and the portion of those customers who discover they are perfectly comfortable shopping elsewhere. The Thales 2025 Digital Trust Index found that 82% of consumers would stop engaging with a brand following a data concern, and those customers do not file complaints or appear in breach notifications. They simply redirect their spending, quietly and permanently, to whoever earned their trust in the interim.
Same attacker, different outcome
Eight days after the M&S breach began, the Co-op Group suffered a remarkably similar attack. The same adversary, using near-identical social engineering techniques, impersonated a Co-op colleague to a service desk and successfully had credentials reset. Both organizations faced the same threat actor, the same method, and the same initial access vector: someone pretending to be an employee. It was a technique that ShinyHunters would later industrialize at scale in early 2026, calling employees at hundreds of target organizations and directing them to credential harvesting sites built to replicate internal SSO portals.
The outcomes diverged almost immediately.
Co-op’s internal defenses spotted malicious activity within minutes. Their security operations center was alerted by unusual account behavior, response measures launched within the hour, and because their infrastructure was heavily segmented as part of a broader zero trust strategy, the breach was contained to one specific zone. Critical services including online retail and payments operated on separate infrastructure, insulated from the compromise, and core customer-facing operations continued uninterrupted.
M&S did not detect the breach for two days. Legacy systems and tightly coupled infrastructure meant that containing the threat required bringing down broad sections of the environment, and although M&S reported that over 50% of systems were unaffected, the interdependencies between those systems made targeted containment impractical.
The divergence was not a story of one company being sophisticated and the other negligent. Both were large UK retailers with meaningful security investments. Three things separated the outcomes. Detection speed: minutes versus days determined the scope of the compromise. Infrastructure architecture: segmentation versus tight coupling determined whether containment was surgical or sweeping. Rehearsal: the Co-op’s regular war-gaming of cyber incidents at both board and technical levels meant the response playbook had been tested before it mattered. The combined financial impact of both incidents may ultimately reach £440 million, but the distribution of that damage between the two organizations could hardly be more uneven.
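As an added illustration of the detection gap the two responses turned on, here is a small Python detector written for this comparison (not code from M&S, Co-op or any vendor) that correlates a service-desk credential reset with what the account does in the hours that follow. The event format, device lists, usernames and timings are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events; the field names, users and timings are invented
# for this example and are not telemetry from any real incident.
SAMPLE_EVENTS = [
    {"ts": "2025-04-17T14:02:00", "type": "helpdesk_credential_reset",
     "user": "j.smith", "actor": "servicedesk-agent-7"},
    {"ts": "2025-04-17T14:09:00", "type": "login", "user": "j.smith",
     "device": "unknown-device-9f", "geo": "RO"},
    {"ts": "2025-04-17T14:15:00", "type": "privileged_group_add",
     "user": "j.smith", "group": "Domain Admins"},
    {"ts": "2025-04-17T15:00:00", "type": "helpdesk_credential_reset",
     "user": "a.jones", "actor": "servicedesk-agent-3"},
    {"ts": "2025-04-17T15:30:00", "type": "login", "user": "a.jones",
     "device": "laptop-ajones", "geo": "GB"},
]

# Baselines an identity team would maintain; constructed here.
KNOWN_DEVICES = {"j.smith": {"laptop-jsmith"}, "a.jones": {"laptop-ajones"}}
HOME_GEO = {"j.smith": "GB", "a.jones": "GB"}
WINDOW = timedelta(hours=24)


def detect_post_reset_anomalies(events, known_devices, home_geo, window=WINDOW):
    """Flag accounts whose service-desk reset is followed, within `window`,
    by a login from an unknown device or geo, or by a privileged-group change.
    A reset that is followed only by normal activity produces no alert."""
    last_reset = {}  # user -> timestamp of most recent helpdesk reset
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "helpdesk_credential_reset":
            last_reset[user] = t
            continue
        if user not in last_reset or t - last_reset[user] > window:
            continue  # no recent reset to correlate against
        reasons = []
        if ev["type"] == "login":
            if ev.get("device") not in known_devices.get(user, set()):
                reasons.append("login from unknown device")
            if ev.get("geo") != home_geo.get(user):
                reasons.append("login from unexpected geo")
        elif ev["type"] == "privileged_group_add":
            reasons.append("added to " + ev["group"])
        if reasons:
            minutes = int((t - last_reset[user]).total_seconds() // 60)
            alerts.append({"user": user, "ts": ev["ts"],
                           "minutes_since_reset": minutes, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_post_reset_anomalies(SAMPLE_EVENTS, KNOWN_DEVICES, HOME_GEO):
        print(a)
```

On the constructed events the detector raises two alerts for j.smith within 15 minutes of the reset and none for a.jones, which is the minutes-not-days signal the Co-op response was built around.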
The second wave
Once the M&S breach became public, the impersonation problem compounded. The stolen customer data, including names, contact information, and order histories, became raw material for a secondary campaign. Customers primed to expect urgent communications from M&S about the incident became targets for fake breach notification emails, fraudulent “identity protection” offers, and phishing lures designed to look like legitimate company outreach.
The pattern is consistent across major retail breaches: the initial compromise exploits brand trust to reach employees, and the aftermath exploits the same trust in a different direction, generating a wave of impersonation attacks targeting the customers whose data was exposed. The initial phone call to a service desk and the fake breach notification email landing in a customer’s inbox are two expressions of the same vulnerability. Both succeed because the attacker is borrowing the credibility of a brand that the target has reason to trust.
This secondary damage does not appear in incident response cost estimates. It does not show up in insurance claims. But it extends the period during which customers associate the brand with risk rather than reliability, and it reinforces the behavioral shift that sent them to a competitor in the first place.
The Bottom Line
The M&S breach started with someone impersonating an employee and ended with a competitor upgrading its profit outlook. The Co-op breach started with the same impersonation and ended with a contained incident and uninterrupted customer service. The variable that separated those outcomes was not the sophistication of the attacker or the size of the security budget. It was detection speed, infrastructure design, and the organizational discipline to rehearse before the crisis arrived.
Key Takeaways
An attacker impersonated an M&S employee over the phone to a third-party IT service desk and convinced the agent to reset credentials. The breach went undetected for two days, during which attackers deployed ransomware that disrupted online operations from April through mid-August.
British retailer Next upgraded its profit forecast four times during the period of M&S’s disruption, from £1.07 billion to £1.14 billion, explicitly citing “competitor disruption.” Customers who could not buy from M&S redirected spending to competitors and in some cases did not return.
The Co-op detected malicious activity within minutes, compared to two days at M&S. Heavily segmented infrastructure contained the breach to one zone, and regular war-gaming at board and technical levels meant the response playbook had been tested before the crisis arrived.
Stolen customer data, including names, contact details, and order histories, becomes raw material for phishing campaigns impersonating the breached brand. Customers expecting legitimate breach notifications become targets for fake emails and fraudulent identity protection offers.
Most models account for incident response, regulatory fines, and legal settlements. The M&S case revealed that competitive revenue transfer, the spending customers redirect to rivals during prolonged outages, may represent a larger category of damage that appears in competitor earnings rather than breach disclosures.