UK Retail Cyberattacks Cost Up to £440M: Cyber Monitoring Centre Unveils First Damage Assessment
The British Cyber Monitoring Centre (CMC) has released its first official assessment of the damage caused by recent cyberattacks that disrupted major retail chains across the country. According to estimates, total financial losses range between £270 million and £440 million—approximately $362–591 million.
Prominent retailers such as Marks & Spencer, Co-op, and Harrods were among those targeted. Harrods, however, experienced minimal impact: its flagship store remained operational, and online sales continued uninterrupted. Due to limited information on the incident, Harrods’ data was excluded from CMC’s final analysis.
Marks & Spencer suffered the most severe losses, primarily due to the shutdown of its online store and complications with contactless payments. Fable Data reported a 22% drop in company revenue during the outage. Offline sales also declined by about 15%, but the most significant blow came from the halt in e-commerce operations. Access to the online platform was only restored in July, partially mitigating daily losses estimated at £1.3 million (roughly $1.74 million).
The situation at Co-op unfolded differently. Customer spending at the chain fell by 11% in the first month following the attack. However, the repercussions extended beyond economic figures: for residents of remote areas such as the Scottish Isles and Highlands, Co-op often serves as the sole provider of essential goods.
In response to these incidents, the CMC applied its proprietary classification system for cyberattacks for the first time. Established earlier this year, the centre developed the Cyber Monitoring Matrix, an evaluative scale designed to objectively measure the scope and impact of digital incidents.
According to this scale, the recent attacks on the UK retail sector were classified as Level Two out of five. This designation indicates that the events were serious, yet their consequences remained contained and affected a relatively narrow group of companies.
CMC analysts described the situation as a “narrow but deep” incident—significantly damaging to specific organizations and their partners, but without widespread repercussions across the industry. By comparison, last year’s outage at CrowdStrike affected a larger number of companies but inflicted less pronounced harm on each individual firm.
Experts clarified that the UK has not yet experienced a Level Four or Five cyberattack, which would imply catastrophic consequences. Had the retail sector sustained broader damage, these events might have been categorized under a higher risk level.
For context, the CMC cited the collapse of CrowdStrike’s IT systems. If the Centre had been operational at the time, the failure would have been classified as Level Three. That incident, caused by a software update error, led to the largest IT infrastructure outage on record. If it had been the result of a deliberate attack, it would have qualified as a Level Four incident. Level Five—the most severe—is reserved for assaults akin to NotPetya, launched by Russian cybercriminals in 2017.
These recent events marked CMC’s first real-world test. Until now, the Centre had only produced theoretical models; this was its inaugural practical deployment of the methodology.
Founded as the world’s first independent body for evaluating large-scale cyberattacks, the CMC is led by Ciaran Martin, the former head of the UK’s National Cyber Security Centre (NCSC). Its team includes top experts in cybersecurity and finance.
The idea for the Centre arose from ongoing debates over what constitutes a systemic cyber threat—a vagueness that has proven especially problematic in the insurance sector, where ambiguous policy language frequently leads to disputes over claims.
The CMC’s scale and methodology aim to eliminate such ambiguities. Clear criteria enable insurers and their partners to determine in advance the conditions under which they are eligible for reinsurance payouts.
Importantly, the Centre’s mission extends beyond the insurance industry. The CMC plans to produce detailed reports on any cyberattack causing damage exceeding £100 million (approximately $133 million). These findings will inform national cybersecurity policy and efforts to bolster the country’s digital resilience.
Looking ahead, the CMC’s mandate may broaden. According to CEO Will Mayes, should the government introduce a public support mechanism for catastrophic cyberattacks, the Centre would likely be tasked with assessing the necessity and scale of such aid.
Experts interviewed by The Register generally welcomed the Centre’s launch, though many noted that its true effectiveness will only become clear over time and through real-world application.