
M&S Cyberattack 2025: What UK Companies Can Learn About Incident Communication
What M&S, Co-op and JLR Have in Common With Your Next Incident
In April 2025, Marks & Spencer suffered a ransomware attack over the Easter weekend. Online orders were suspended for months. Contactless payments went down across stores. The company lost £300 million in market value in the days that followed. It was described as the most financially damaging cyber attack ever suffered by a UK retailer.
Within weeks, the Co-operative Group reported a cyberattack that disrupted IT systems across more than 2,000 supermarkets. Shelves went empty. Member data was compromised. The IT team took the significant step of proactively shutting down systems to prevent further damage.
A few months later, Jaguar Land Rover experienced a major cyber incident that disrupted production at two of its main UK factories. The estimated impact: £120 million profit hit and £1.7 billion in lost revenue.
Three major UK organisations. Three very different industries. All within a few months of each other. All with significant, well-resourced IT teams. All with substantial investments in security infrastructure.
I'm not raising these cases to be alarmist. I'm raising them because of what they reveal about the nature of incident communication failure - and because the lessons apply directly to companies a fraction of their size.
What the 2025 UK Cyber Incidents Had in Common
The technical failures in each case were serious. Ransomware attacks are sophisticated, damaging, and increasingly well-resourced on the attacker's side. I'm not suggesting that any of these organisations should have prevented the attacks entirely through better internal processes.
What I am pointing at is something different: the communication dimension of each incident, and what it reveals about how difficult it is to manage the human side of a major event - even for large, well-funded organisations with dedicated communications teams.
M&S were criticised for the pace and clarity of their public communications in the early stages of the incident. Customers found out about problems through their own experience - orders not processing, payments failing - before they received formal communication from the company. The silence in those early hours, even if operationally understandable, shaped the public narrative in ways that were very difficult to recover from.
Co-op initially publicly denied the extent of the breach, then had to revise that position as reality became clearer. Whatever the internal reasoning behind those early communications, the gap between what was said and what was true damaged trust independently of the technical incident itself.
In each case, the reputational damage was compounded by the handling of communications, not just by the technical failure. And in each case, the organisation's size and resources did not protect them from the specific challenge of communicating clearly, honestly, and in a structured way under extreme pressure.
Why Scale Doesn't Protect You
There is a tempting assumption that communication failures during incidents are a small company problem. Large organisations have PR teams, communications directors, crisis management consultants on retainer. They have the resources to handle these situations professionally.
The 2025 UK incidents suggest that resources alone are not sufficient, because the fundamental challenge of incident communication is not a resource problem. It is a structural and human problem.
The challenge is making good decisions about what to say, to whom, and when - under conditions of incomplete information, high pressure, and competing demands - before the narrative forms itself without you. That challenge does not get easier with more people in the room. In some ways, it gets harder because more people mean more decision layers, more sign-off requirements, and more opportunities for the communication to be delayed while it works its way through the organisational structure.
A 50-person company can, in theory, communicate faster and more authentically during an incident than a 50,000-person company. The CEO is accessible. The decision chain is short. The relationship with the client is direct. Those are structural advantages that large organisations cannot replicate.
The question is whether the 50-person company has built the process to use those advantages - or whether the absence of a dedicated communications function means that nobody is managing the communication at all while everyone is focused on the technical fix.
The Lesson That Transfers Directly
What the 2025 UK incidents taught anyone paying attention - at any company size - is this.
The technical incident and the communication incident are two separate events that happen simultaneously. They have different timelines, different audiences, and different success criteria. Managing one does not manage the other. And failing at the communication incident can cause damage that outlasts and outweighs the technical incident by a significant margin.
M&S resolved the technical problem. The reputational and financial consequences continued for months.
For a 50-person company, the equivalent scenario is a two-hour outage that is technically resolved competently - and a client relationship that quietly deteriorates over the following weeks because of how the communication was handled during those two hours. The technical team did their job. The communication vacuum did its own damage independently.
What This Means in Practice for Your Next Incident
I'm not asking you to build an enterprise crisis communications function. I'm asking you to answer a simpler set of questions before your next incident happens.
Who sends the first client communication, and what does it say? Not after the incident is resolved - within fifteen minutes of it being declared. Who briefs the CEO, and how often? Who is monitoring the volume of inbound customer service calls and feeding that information back into the incident response? Who makes the call about what goes public and when?
Those questions don't require a PR team. They require a process, decided in advance, by people who understand both the technical reality and the communication requirement.
The organisations that handled their 2025 incidents best - and there were some, even if they didn't make the headlines - were the ones that had that process. Not because they were larger or better resourced. Because they had decided, before the pressure arrived, how the communication side of a major incident would be managed.
That decision is available to any company, at any size. The only requirement is making it before you need it.
Frequently Asked Questions
What happened in the M&S cyberattack 2025?
Marks & Spencer suffered a ransomware attack over the Easter weekend in April 2025. Online ordering was suspended for months, contactless payments failed across stores, and the company's market value fell by approximately £300 million in the days following the incident. It was widely reported as the most financially damaging cyber attack ever suffered by a UK retailer.
What did the Co-op cyberattack involve?
The Co-operative Group reported a cyberattack in spring 2025 that affected IT systems across more than 2,000 supermarkets. Member data was compromised, shelves went empty in some locations, and the organisation proactively shut down systems to limit the spread of the attack.
What can small UK companies learn from the 2025 cyberattacks?
The primary lesson is that technical resilience and communication readiness are distinct. All three organisations had significant IT resources, but each faced criticism for its handling of communications during and immediately after the incident. For smaller companies, the lesson is to build a communication process before an incident - not to improvise one during it.
How should a company communicate during a cyberattack or IT outage?
The most effective approach uses a structured timeline: an acknowledgement within 15 minutes of incident declaration, a brief update at 30 minutes, and a full resolution message when the issue is resolved. None of these communications require a technical resolution - they require honesty, brevity, and a designated person with authority to send them without waiting for sign-off from the technical team.
