In 2025, a spate of high-impact cyberattacks struck prominent UK companies—Co-operative Group (Co-op), Marks & Spencer (M&S) and Jaguar Land Rover (JLR) among them—disrupting operations, exposing customer data, and triggering heavy financial losses.
These breaches reveal emerging attack strategies, gaps in corporate defences, and how cyber risk can now ripple across supply chains and national economies.
The incidents did not just affect balance sheets. Co-op customers encountered empty shelves, M&S shoppers were locked out of online services for months, and JLR’s factory lines ground to a halt, threatening thousands of supplier jobs.
Investigators later linked these cases to hacker groups using social engineering and ransomware, exposing systemic weaknesses in IT support systems and outsourcing practices.
With losses measured in the hundreds of millions of pounds, these cyberattacks have become a stark reminder that digital vulnerabilities can quickly spill into the real economy, compounding pressures in uncertain global times.
What went wrong: the incidents and their impacts
- Co-op (April 2025)
In April, Co-op disclosed that a “malicious” cyberattack forced it to shut down parts of its IT network to contain the breach.
That move crippled ordering and stock systems, causing widespread disruption across its more than 2,000 UK food stores and 800 funeral homes.
The company estimates a £206 million revenue loss in the first half of the year, and an £80 million hit to operating profit. It swung from a modest profit to a £50 million pre-tax loss over the same period.
Furthermore, Co-op later confirmed that personal data of all 6.5 million members was stolen (names, addresses, contact details). Financial data, they said, was not accessed.
- Marks & Spencer (April–August 2025)
Around Easter 2025, M&S was forced to disable its online ordering, mobile app and click-and-collect services after a significant ransomware attack.
The disruption lasted multiple weeks—some online services were restored in June, but click-and-collect only returned in mid-August.
M&S warned that the attack could reduce its operating profit by about £300 million for the year. It acknowledged that user data (names, addresses, emails) had been accessed, but said payment details were not compromised.
UK police arrested four individuals (teens and early-twenties) in connection with the attacks on M&S, Co-op and Harrods. They are suspected under laws covering computer misuse, blackmail and money laundering.
- Jaguar Land Rover (late August / September 2025)
JLR announced that a cyber incident had disrupted its global operations, swiftly shutting down production at its UK factories and disabling systems for parts management, vehicle registration, sales and logistics.
The production halt is expected to last at least until 1 October, and JLR is reported to be losing £50 million per week in suspended revenue.
Because many suppliers depend on just-in-time deliveries, dozens of supplier firms are coping with cancelled orders, paused work, layoffs and cash flow stress. Some estimates suggest thousands of jobs in the automotive supply chain may be at risk.
Causes: tactics, groups and system weaknesses
Investigations and industry analysis suggest a shared modus operandi behind these attacks. A hacking collective, often referred to as Scattered Spider, is implicated in the Co-op and M&S breaches.
The group is known to specialize in social engineering, often impersonating IT staff or using helpdesk exploits to gain internal access.
In the M&S case, the attackers reportedly used SIM swapping and helpdesk impersonation, targeting third-party service providers to breach critical systems.
Following the JLR attack, a Telegram channel calling itself Scattered Lapsus$ Hunters claimed responsibility.
The name suggests a collaboration or overlap between Scattered Spider, Lapsus$ and ShinyHunters groups. Screenshots posted on that channel purported to show internal JLR systems.
One analyst told Computing that outsourcing cybersecurity to services like Tata Consultancy Services (TCS)—which was contracted by Co-op, M&S and JLR—might have created an aggregation point of risk. The article argued,
When private cybersecurity outsourcing costs us all, the cyberattack on JLR shows how single decisions can end up with much bigger public consequences.
How the companies responded
Co-op reacted rapidly by shutting down segments of its IT network, restoring systems gradually and working with suppliers to restart deliveries. Its CEO publicly apologised, saying she was “incredibly sorry” for the incident and its impact on members.
Co-op said it lacks full coverage from cyber insurance for backend losses, meaning it will absorb much of the cost itself.
M&S took its systems offline early to contain damage and then reintroduced services in stages—first home delivery, later click-and-collect. It engaged law enforcement, cooperated with regulators, and invoked its cyber insurance policy to recover parts of the loss.
JLR shut down factories and IT systems immediately, brought in cybersecurity experts, and worked with the UK government and the National Cyber Security Centre (NCSC) to enable a “controlled, phased restart.”
JLR also began restoring supplier payments, parts logistics systems, and capacity for registering cars to preserve cash flow.
Ministers are in talks on support schemes to help impacted suppliers, including deferred taxes or loans—though they emphasise JLR itself must absorb primary losses.
Expert views and systemic significance
Cybersecurity experts warn that the recent attacks are not isolated but symptomatic of a shift in attacker ambition. Rafe Pilling, Director of Threat Intelligence at Sophos, said:
Cybercriminals are taking greater risks by hitting high-profile targets to get bigger payoffs and boost their online reputational clout.
Martyn Thomas, Emeritus Professor of IT, offered a sobering caution:
If they were to decide to cause serious injury or many deaths, the same attack strategies could be used on critical systems in healthcare or major infrastructure.
In the JLR context, Guardian analysts concluded that the hack revealed how “everything is connected” in modern smart factories—and that complexity itself can become a vulnerability.
The fact that JLR outsourced critical IT systems, and that TCS services were integrated into multiple companies now under attack, raises questions about whether central points of dependency are being overlooked.
The broader significance of these events is clear: cyberattacks are no longer confined to stealing data or disrupting digital services—they can stall physical production, threaten employment, strain supply chains, and ripple across regional economies.
In a time of global uncertainty—with inflation, supply chain pressure, and geopolitical tensions—such breaches amplify the fragility of interlinked systems.
For UK firms, these attacks underscore urgent lessons: invest in threat detection and response, reduce over-reliance on single service providers, build redundancy, and ensure that cyber insurance isn’t just window dressing.
As more sectors digitise and connect, the “attack surface” only grows. If high-profile firms are now at risk, smaller firms in supply chains may become even more vulnerable.
In short, the Co-op, M&S, and JLR incidents mark a turning point: cybercrime has matured beyond nuisance hacking into systemic disruption. The next big breach may not announce itself gently—but those who prepare may yet mitigate its worst consequences.
The post UK giants hit by cyberattacks: how Co-op, M&S, JLR disruption expose vulnerabilities appeared first on Invezz
