This report does not constitute a rating action.
Cyber incidents are an increasingly prominent risk for retailers due to the continued growth of e-commerce and the digitalization of supply chains, operations, and customer-facing systems. U.K.-based supermarket and retailing chains Marks and Spencer PLC (M&S; BBB-/Stable/A-3) and the Co-operative Group Limited (Co-op; BB/Stable/--) are the highest-profile victims of recent cyber attacks among our rated issuers in the retail sector.
The events, and the companies’ ongoing remediation efforts, raise questions about the susceptibility of retailers to cyber incidents and the efficacy of different responses and preventive strategies. Given the evidence that cyberattacks have become more prevalent in the retail sector, S&P Global Ratings presents here our responses to a selection of common questions from investors about these events and explains key cyber security risks faced by retailers.
Frequently Asked Questions
Why are retail and consumer businesses susceptible to cyber attacks?
Large retailers, such as supermarkets and national retail chains, have intricate and dispersed global supply and distribution chains. These are managed through multiple, distributed IT systems that coordinate logistics and warehousing networks, brick-and-mortar stores, and e-commerce sites. The resulting attack surface is large, and much of it sits with the multitude of vendors and third-party providers that have access to retailers' operations, systems, and technology; a compromise of any one of them can become a route into the retailer.
Cyber criminals view retail organizations as attractive targets due to the large quantities of sensitive data they often possess. In addition to significant volumes of customer and personal data, the growth of loyalty and store card programs means retailers often gather information on clients' behavior (for use in targeted promotions), including shopping habits, consumption patterns, and favored brands.
Customer trust is key to retailers' success, particularly given increasing omnichannel competition and their weaker margins. Consumers' range of retailing choices and often limited loyalty means that even small setbacks can lead to significant revenue loss due to switching.
Data breaches can result in regulatory action and fines, brand or reputational damage, lawsuits, and disruption to supply chains as well as online and in-store operations. Retail victims are increasingly being named on the data leak sites (DLS) tracked by Mandiant Inc., a U.S. cyber security group owned by Google LLC. Such postings are designed to pressure targets into paying ransoms. Retail organizations accounted for 11% of DLS victims in 2025 thus far, up from about 8.5% in 2024, and 6% in 2023 and 2022.
The recent cyber attacks on U.K. retailers highlight the ongoing challenges businesses face in safeguarding systems against increasingly sophisticated cyber threats and underscore the importance of rapid response strategies in mitigating potential damage.
What is the impact of the cyber attacks on M&S and Co-op?
The breach at M&S has disrupted services, including online operations and trading at some stores. M&S decided to pause sales on its "M&S.com" websites and apps, although customers can still browse its product range online. While personal customer data has been taken, M&S has stated that the data does not include usable payment or card details (which it doesn't hold on its systems) or account passwords, and there is no evidence that the data has been shared (see "M&S Ratings Not Currently Affected By Significant Cyber Incident Given Headroom Under Credit Metrics," May 13, 2025).
Since the incident, food sales have been impacted by reduced availability, although this is improving. The company also incurred additional waste and logistics costs, due to the need to operate manual processes. In the fashion, home and beauty segment, online sales have been significantly affected by the necessary decision to pause online shopping. However, management has indicated that stores have proven resilient. The company expects online disruption to continue through June and into July as it restarts, then ramps up operations.
Within days of the first announcement of the M&S cyber attack, the Co-op reported that it was experiencing sustained malicious attempts by hackers to access its systems. The group later confirmed that hackers had accessed one of its systems and extracted data, including Co-op Group members’ personal data, such as names and contact details. The theft did not include members’ passwords, bank or credit card details, transactions, or information relating to the Co-op Group products or services provided to members or customers.
Co-op also said it had preemptively shut off some key systems, resulting in limited supply chain disruption (including stock availability issues) and disruption to some back-office and call center services.
How did the cyber incidents affect the credit profiles of M&S and Co-op?
At the time of writing, M&S’s online retailing operation remains closed. Online sales account for about one-third of M&S’s higher-margin fashion, home and beauty sales, meaning the impact of the attack is significant.
M&S said, on May 21, it anticipates a £300 million (about $400 million) hit to operating profit in the current fiscal year, to March 2026. That equates to about one-third of its total operating profit before adjusting items in fiscal 2025 (ending March 29, 2025) and was significantly above market expectations. M&S said it hopes to significantly offset the impact of the loss through management actions, cost reductions, and insurance recovery.
Before this incident, we forecast group adjusted debt to EBITDA of 1.5x-2.0x, and funds from operations (FFO) to debt of 40%-45% for the fiscal year 2026. Based on the group's stronger than expected performance in fiscal 2025 and company announcements, we expect M&S has sufficient headroom to support its current credit quality as we note that the downgrade threshold for the retailer is about 3.0x for debt to EBITDA and below 30% for FFO to debt.
The Co-op group has not announced an estimate of the impact of its cyber breach on profit or a timeline to full recovery. We believe that while Co-op recovered all forms of payments at its stores and brought back online its stock ordering systems, the full recovery of supply chain logistics for its network of over 2,300 Co-op stores (in addition to its Nisa partner stores) will take some time.
Co-op's stores, which are largely of the convenience format, require higher logistics density per store in supplying and restocking compared with supermarkets and hypermarkets. However, the reported prevention of a ransomware deployment and Co-op's limited exposure to online sales (which account for about 6% of total sales) will likely contain the hit to its revenues, which stems mainly from reduced product availability in stores, and may lessen the financial impact. Co-op's margins are already at the lower end of its rated retail peer group; prior to the cyber event, our forecast S&P Global Ratings-adjusted EBITDA margin for Co-op was less than 5%.
We will continue to monitor the scale of the impact on sales and the costs related to recovery, additional logistics, legal fees, and consequently, the implications on M&S’s and Co-op's margins, cash generation, and liquidity.
The ultimate effects of the cyber events remain to be seen given ongoing execution risks around the companies’ ability to restore their systems and operations in a timely manner. The companies could also experience increases in:
- Labor costs, due to additional manual processes such as price checks and inventory tracking.
- Food waste and handling costs, given the high share of fresh food and perishable groceries.
- Legal and advisory fees including the engagement of external cyber experts.
- Parallel running of multiple systems with manual intervention during the recovery process.
We also expect retailers will increase investment in cyber security and related infrastructure and tighten internal governance around data security.
We will continue to monitor the potential effects of cyber security breaches on the retailers' credit quality--including due to unfolding events, operational recovery and resilience, and the evolution of consumers' perceptions of the retailers. We consider that the cyber attacks came at a challenging period for the U.K. retailing sector, which is contending with soft consumer sentiment, a labor market showing signs of weakness, ongoing labor and input cost headwinds, and wider macroeconomic uncertainties. While the warm U.K. spring will likely prove favorable to high street footfall and sales, disruptions to product availability in stores are likely to lead customers to switch to competitors.
Which other rated retailers in Europe have been recently affected by cyber events?
Other retailers that are known to have been affected by cyber events include:
Koninklijke Ahold Delhaize N.V. (BBB+/Stable/--), a Netherlands-based multinational food retailer with operations in the U.S. and Europe. It said, on April 22, 2025, that an internal security investigation had uncovered the theft of some Dutch staff data during a cyber attack on its U.S. business systems in November 2024. The company had to take some systems offline to deter further attacks and experienced some supply disruption (at the time) to U.S. operations, including some pharmacies and e-commerce businesses.
Morrisons, another large U.K. grocer and supermarket chain, rated under Market Holdco 3 Ltd. (UK) (B/Stable/--), was affected in November 2024 by the cyberattack on Blue Yonder, a firm providing end-to-end supply chain management software. The attack resulted in a period of disruption that affected stocking accuracy, availability, waste, and forecasting.
Pepco Group N.V. (BB-/Negative/--), one of the largest discount store operators in Europe and the owner of Poundland, was the target of a phishing attack in its Hungarian business in February 2024. The incident led to a loss of about €15.5 million in cash, though, according to the company, it did not compromise customer, supplier, or staff data.
Metro AG (BBB-/Negative/--), a Germany-based company and Europe's largest food wholesale and delivery operator, suffered a cyber attack in October 2022 that significantly affected its sales and margins. The attack also led to the theft and publication of personal data from current and former staff and job applicants, including contact details, date of birth, shift and deployment plans, and (in rare cases) pictures. Metro's profitability continues to be affected by increased IT spend in addition to other cost headwinds.
Is there a typical playbook for attacks on retailers?
Attackers have typically used social engineering to gain access to retailers' systems. Those tactics include:
- Phishing, usually via emails that seek to convince the recipient to undertake a compromising activity such as clicking on a malicious link or giving out a password.
- Multifactor authentication (MFA) fatigue (also called push bombing), whereby an attacker who already holds a user's password repeatedly triggers MFA push notifications, betting that the recipient will eventually approve one to stop the interruptions and thereby grant the attacker access to accounts and data.
- Impersonating IT personnel to trick legitimate system users into providing credentials or remote access to computers.
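The MFA fatigue tactic above leaves a recognizable trace in authentication logs: a burst of push prompts that the user denies or ignores, followed (if the attack works) by a single approval from the same session. The following detector is an added example, not code from the report or from any vendor; the log format, the field names, the five-minute window and the three-prompt threshold are all assumptions, and the log lines are constructed for illustration.

```python
"""Detect MFA push-fatigue ("push bombing") patterns in authentication logs.

Added example with an assumed log format:
    <ISO-8601 timestamp> <user> <event> <result> <source_ip>
where result is one of approved / denied / timeout.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data). alice is bombarded with prompts
# at 02:10 and finally approves one; bob shows normal, spaced-out activity.
SAMPLE_LOG = """\
2025-05-01T02:10:01Z alice mfa_push denied 203.0.113.7
2025-05-01T02:10:09Z alice mfa_push denied 203.0.113.7
2025-05-01T02:10:18Z alice mfa_push timeout 203.0.113.7
2025-05-01T02:10:27Z alice mfa_push denied 203.0.113.7
2025-05-01T02:10:36Z alice mfa_push denied 203.0.113.7
2025-05-01T02:10:45Z alice mfa_push approved 203.0.113.7
2025-05-01T09:00:00Z bob mfa_push approved 198.51.100.4
2025-05-01T13:30:00Z bob mfa_push denied 198.51.100.4
2025-05-01T13:31:00Z bob mfa_push approved 198.51.100.4
"""


@dataclass
class Alert:
    user: str
    severity: str       # "warning": burst of unanswered prompts; "critical": burst then approval
    unanswered: int     # prompts in the window that were not approved
    at: datetime        # time of the event that raised the alert
    source_ips: tuple   # IPs that generated the prompts in the burst


def parse_line(line):
    """Parse one log line in the assumed format into a dict."""
    ts, user, event, result, ip = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "result": result, "ip": ip}


def detect_push_fatigue(log_text, window_seconds=300, threshold=3):
    """Return alerts for users who received >= threshold unanswered push
    prompts inside a sliding window; an approval that follows such a burst
    is escalated to "critical" because it is the attacker's success signal."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event"] == "mfa_push":
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        burst = []       # unanswered prompts still inside the window
        warned = False   # emit at most one warning per burst
        for ev in events:
            cutoff = ev["ts"] - timedelta(seconds=window_seconds)
            burst = [e for e in burst if e["ts"] >= cutoff]
            if ev["result"] == "approved":
                if len(burst) >= threshold:
                    ips = tuple(sorted({e["ip"] for e in burst} | {ev["ip"]}))
                    alerts.append(Alert(user, "critical", len(burst), ev["ts"], ips))
                burst, warned = [], False   # an approval ends the burst
            else:
                # denied and timed-out prompts both count: the user is
                # ignoring or rejecting requests they did not initiate
                burst.append(ev)
                if len(burst) >= threshold and not warned:
                    ips = tuple(sorted({e["ip"] for e in burst}))
                    alerts.append(Alert(user, "warning", len(burst), ev["ts"], ips))
                    warned = True
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG):
        print(f"{a.severity:8} {a.user} unanswered={a.unanswered} "
              f"at={a.at:%H:%M:%S} ips={','.join(a.source_ips)}")
```

Run against the sample, the detector raises a warning for alice at the third unanswered prompt and a critical alert when she approves the sixth, while bob's two widely spaced prompts raise nothing. In production the same logic would be fed from the identity provider's sign-in logs, and a critical alert should trigger session revocation and a password reset for the user, since the approval means the attacker already held the password.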
Understanding attackers' aims helps targets and cyber security providers to assess threats and the likely outcomes of a breach. For example, ransomware groups are likely to conduct operations in a way that maximizes the likelihood of payment, meaning they will:
- Often encrypt data and withhold the means to unlock it until payment is received.
- Use extortion to coerce victims into making payments by threatening to leak data.
While full details of how the M&S and Co-op attacks occurred are not yet available, M&S said its attackers gained access via a third party. Verizon, a U.S. telecommunications company, noted in the 2025 edition of its annual "Data Breach Investigations Report" that the percentage of breaches involving a third party had doubled year-on-year to 30% for the 12 months to Oct. 31, 2024.
Are there any notable cyber attack trends?
Ransom is an increasingly prevalent driver of cyber attacks. Verizon noted, in its 2025 report, that attacks involving ransomware increased by 37% year-on-year and were present in 44% of all breaches that Verizon reviewed, up from 32%.
That growth trend appears to be continuing. Ransomware attacks increased significantly over the first quarter of 2025, according to IT security services provider Check Point Software Technologies, which said that ransomware groups collectively claimed 2,289 victims, up 126% on the number disclosed in the same period in 2024. Check Point also noted that the U.S. accounted for about 50% of reported victims, while most publicly listed companies that were targets came from Western, developed nations--likely reflecting a perception that they have greater financial resources and are more likely to pay ransoms.
IBM noted in its "Cost of a Data Breach Report 2024" that the average cost of a retail sector breach was $3.48 million, up from $2.96 million in 2023. That was slightly lower than the global average cost of a breach, at $4.88 million.
How are issuers across the wider retailing sector responding to cyber security threats?
For retailers with complex supply chains and a reliance on accurate stock forecasting to keep inventory at optimal levels, preemptively shutting down key IT systems in response to an attack is a difficult call to make. Switching to manual processes generally means self-imposed impairment of inventory capabilities, while keeping potentially compromised IT systems running risks letting malware spread to sensitive platforms such as point-of-sale (POS) systems and customer databases, where it can exfiltrate data that then underpins extortion demands.
We think that decisions relating to the timing of taking systems offline, and which systems to take offline, can determine the speed of recovery post-attack. And we note that the faster an affected company recovers, the less likely it is to suffer reputational damage and lose customers.
Strong cyber security protocols typically include a comprehensive backup program covering data and system configurations, with encryption suited to the business's requirements, and with at least one backup copy held offline or otherwise isolated from the network so that an attacker who gains control of the production environment cannot encrypt or delete it along with the primary systems.
Business Continuity Plans (BCP), which are regularly tested against possible scenarios, can also aid in both response to and recovery from cyber attacks. The U.S. National Institute of Standards and Technology (NIST) defines a BCP as a predetermined set of instructions or procedures that describe how an organization's mission/business processes will be sustained during and after a significant disruption. IBM noted, in its 2024 report, that 70% of organizations subjected to a cyber breach experienced significant or very significant business disruption, while only 1% described the disruption as low.
Writer: Paul Whitfield
Related Research
- Bulletin: M&S Ratings Not Currently Affected By Significant Cyber Incident Given Headroom Under Credit Metrics, May 13, 2025
- Cyber Brief: U.S. Infrastructure Faces Evolving Threats And Federal Policy Uncertainty, May 20, 2025
- Cyber Risk Insights: Sovereigns And Their Critical Infrastructure Are Prime Targets, April 29, 2025
- Cyber Risk Insight: Poor Cyber Vulnerability Management Can Be A Governance Issue, Oct. 28, 2024
- Cyber Risk Insights: Corporates Up Their Cyber Preparedness As Cyber Attacks Become More Widespread, Oct. 25, 2023
Primary Contacts: Raam Ratnam, CFA, CPA, London 44-20-7176-7462; raam.ratnam@spglobal.com
Coco Yim, London 44-7890-945014; coco.yim@spglobal.com
Paul Alvarez, Richmond 1-2023832104; paul.alvarez@spglobal.com
Additional Contact: Abigail Klimovich, CFA, London 44-20-7176-3554; abigail.klimovich@spglobal.com
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.