Kevin Beaumont
@GossiTheDog@cyberplace.social

While Co-op have restored every customer facing system and internal systems like recruitment and remote working, M&S still don't even have recruitment back.

I'm reliably told they paid the ransom, so they'll be target #1 basically forever with other ransomware groups now due to resiliency woes and willingness to pay.

Kevin Beaumont
@GossiTheDog@cyberplace.social

Marks and Spencer's remuneration committee have opted not to dock the CEO's pay as expected and prior reported over the cyber incident, but instead increased it by £2m.
https://www.bbc.co.uk/news/articles/c23mz5eg091o


Kevin Beaumont
@GossiTheDog@cyberplace.social

Marks & Spencer is holding walk-in in-store recruitment open days to fill vacant roles while its online hiring system remains offline following its ransomware attack in April. https://www.thegrocer.co.uk/news/mands-stores-staging-walk-in-recruitment-open-days-amid-cyberattack-disruption/705189.article

Kevin Beaumont
@GossiTheDog@cyberplace.social

This Daily Mail piece about security leaders thinking work-from-home means they will be crippled is horseshit, I'm not linking it.

They've taken a survey about how security people think their businesses couldn't survive ransomware, and linked it to working from home. WFH isn't the problem: business IT and resilience being built on quicksand is the problem.

Kevin Beaumont
@GossiTheDog@cyberplace.social

Co-op say they have largely completed recovery, and have removed the cyber attack banner and statement from their website

https://www.retailgazette.co.uk/blog/2025/06/co-op-cyber-attack/

I think they did a great job. They do call it a "highly sophisticated attack", which, frankly.. isn't true and may come out in open court later if the suspects are ever caught.

6 weeks from containment to "near full" recovery, for statto nerds like me who track this stuff.

Kevin Beaumont
@GossiTheDog@cyberplace.social

M&S had their ransomware incident communicated via internal email - from the account of a staff member who works for TCS.

The way TCS work is you give them accounts on your AD.

https://www.bbc.co.uk/news/articles/cr58pqjlnjlo

Kevin Beaumont
@GossiTheDog@cyberplace.social

Marks and Spencer have started partial online shopping again.

For statto nerds, around 7 weeks from containment to partial recovery

https://www.bbc.co.uk/news/articles/c4gevk2x03go

Kevin Beaumont
@GossiTheDog@cyberplace.social

M&S still have no recruitment system, two months in.

Kevin Beaumont
@GossiTheDog@cyberplace.social

TCS have told shareholders their systems were not compromised in the hack of M&S.

As an explainer here (not in the article): TCS IT systems weren't compromised. Their helpdesk service (they're AD admins at M&S) was used to gain access to M&S. They manage M&S IT systems.
https://www.reuters.com/business/media-telecom/indias-tcs-says-none-its-systems-were-compromised-ms-hack-2025-06-19/

Kevin Beaumont
@GossiTheDog@cyberplace.social

Latest Marks and Spencer update is pretty crazy.

M&S haven't been able to supply sales data - so the British Retail Consortium (BRC) - used by the UK government as an economic indicator - basically made up figures for M&S and didn't tell people they had done this.

https://www.telegraph.co.uk/business/2025/06/24/retail-lobby-group-accused-of-ms-cyber-cover-up/

Kevin Beaumont
@GossiTheDog@cyberplace.social

Ultra spicy post claiming to be from UK retailer employee (M&S or Co-op) about their experience with TCS on their security incident. https://www.reddit.com/r/cybersecurity/comments/1ll1l6c/scattered_spider_tcs_blame_avoidance/?utm_source=share&utm_medium=mweb3x&utm_name=mweb3xcss&utm_term=1&utm_content=share_button

Kevin Beaumont
@GossiTheDog@cyberplace.social

Marks and Spencer’s CEO says half of their online ordering is still offline after their ransomware incident, they hope to get open in next 4 weeks.

They are also rebuilding internal systems and hope a majority of that will be done by August.

Lesson: mass contain early. M&S didn’t. Co-op did.

https://www.reuters.com/business/retail-consumer/ms-ceo-most-cyberattack-impact-will-be-behind-us-by-august-2025-07-01/

Kevin Beaumont
@GossiTheDog@cyberplace.social

17 and two 19 year old teens picked up over Co-op and M&S hacks, and a 20 year old woman.

Pretend to be surprised.

https://www.bbc.com/news/articles/cwykgrv374eo

Kevin Beaumont
@GossiTheDog@cyberplace.social

If you ever doubted the link between Scattered Spider(tm) and LAPSUS$ - one of the people arrested today was a key part of the LAPSUS$ attacks a few years ago.

Kevin Beaumont
@GossiTheDog@cyberplace.social

After almost 3 months, Marks and Spencer recruitment system came back online just now. First 4 jobs posted.

Kevin Beaumont
@GossiTheDog@cyberplace.social

. @briankrebs@infosec.exchange has broken the story that the key member (and teenager) of LAPSUS$ runs Scattered Spider

https://krebsonsecurity.com/2025/07/uk-charges-four-in-scattered-spider-ransom-group/

Kevin Beaumont
@GossiTheDog@cyberplace.social

Co-op finally admitted the entire membership database was stolen

I had this in the thread months ago, they originally tried to deny it entirely then tried to say ‘some’ data was accessed when they knew it was the whole thing.

https://www.bbc.co.uk/news/articles/cql0ple066po

Kevin Beaumont
@GossiTheDog@cyberplace.social

Personally I think Co-op did a really good job getting out of that situation and minimising impact.

I definitely think if you have a LAPSUS$ style advanced persistent teenagers situation, tilt towards open and honest comms as those kids will use secrecy against ya. It’s 2025, it’s okay to say you got hacked, people largely understand. Also, in IR, lawyers are usually stuck in 1980 advice - it’s just advice, they ain’t yo boss.

Kevin Beaumont
@GossiTheDog@cyberplace.social

The people arrested as part of the Co-op and M&S hack investigation have been released on bail.

https://nation.cymru/news/four-people-bailed-after-arrests-over-cyber-attacks-on-ms-co-op-and-harrods/

Previously when this happened with LAPSUS$, they just continued hacking stuff.

Kevin Beaumont
@GossiTheDog@cyberplace.social

I understand the people released have not been charged.

Kevin Beaumont
@GossiTheDog@cyberplace.social

M&S still working on system recovery. https://www.bbc.com/news/articles/cewyyjdzql4o