Cyber Monitoring Centre estimates cost of UK retail attacks at £440 million
Ranks M&S and Co-op attacks as 2/5 on severity scale
The UK’s Cyber Monitoring Centre describes April cyberattacks on M&S and the Co-op, which could have cost up to £440 million, as “narrow and deep.”
The UK’s Cyber Monitoring Centre (CMC) estimates that the total cost of the cyberattacks on the country's retail sector earlier this year was between £270 million and £440 million.
Launched in January last year, the CMC aims to help businesses by categorising cyber events on a scale of zero to five, based on their scale and financial impact.
The organisation ranked the spate of retail attacks in April as a category 2 systemic event. This is the first time it has categorised a contemporary incident – until now it has only provided theoretical assessments based on historic attacks.
The attacks, which have been linked to both the Scattered Spider and DragonForce groups, disrupted activity at Marks & Spencer and the Co-op starting over the Easter weekend.
Luxury department store Harrods, as well as Dior, Adidas, Cartier and The North Face, suffered their own breaches in May, but the CMC didn’t include those attacks in its analysis due to the low level of information available about them.
The impact of the M&S/Co-op attack was “narrow and deep,” says the CMC, with “substantial financial impact and...economic reverberations across third-party suppliers, franchisees, and supporting services.”
Most of the financial impact came from business disruption, rather than direct costs associated with the attack.
M&S said in its financial results, published on 21st May, that it expects the full financial cost to be around £300 million. The CMC’s estimate is independent of, though broadly in line with, that estimate. It does not include ransom payments as there is no indication either retailer paid one.
Last year’s CrowdStrike event, which would have been rated as category 3, was the opposite of the M&S/Co-op attack: a “shallow and broad” incident. It affected many companies but had limited impact on any single organisation.
The CrowdStrike outage was caused by a faulty sensor update; if it had been a malicious attack, it could have been rated as category 4.
Hypothetically, an incident like NotPetya or WannaCry could have been ranked as category 5.
“We are yet to see a deep and broad category 4 or category 5 event impact the UK,” the CMC said.
“Had there been further widespread disruption in the sector, the categorisation could have been higher, but because the impact was confined to two companies and their partners, it is judged to be at the lower end of severity on the CMC’s scale.”