Crisis communications: Navigating cyber threats – lessons from M&S and Co-op’s comms responses
The crisis communication story:
In recent weeks, UK retailers Marks & Spencer (M&S) and Co-op have faced significant cyber-attacks, disrupting operations and exposing vulnerabilities in their digital infrastructure.
These incidents serve as a stark reminder that cybersecurity is no longer just an IT issue—it’s a fundamental business concern that requires crisis communication and strategic preparedness.
How M&S responded:
Both retailers took action to mitigate the damage, but the differences in their approaches provide lessons for businesses in the event of a cyber threat.
It was not the Easter weekend the retailer had planned when it revealed it had been the target of a cyber attack. While it acknowledged the attack early, informing customers that personal data had been compromised and reassuring them that payment details remained secure, it has struggled to overcome the attack and get back to business as usual. At the time of writing, the much-loved 140-year-established brand is still not past the incident, which it now predicts will impact it up to July.
Following a suspension of online orders for more than three weeks, the retailer has suffered millions of pounds in lost sales and shoppers have faced empty shelves in many stores.
Its comms response has tried to be as transparent as possible in the face of the protracted delay in restoring services. Bank of America analysts have predicted financial losses could be in excess of £40 million per week. Latest company results (21 April 2025) estimate they will take a £300 million hit. Of course, as a publicly traded company, the impact has also been felt on the share price, but it’s broadly acknowledged that investors have been reassured by the words and detail shared by the firm.
Long-term reputational damage remains to be seen but longstanding earned trust and goodwill in this brand as a UK institution should mean there is some credit in the minds of consumers, even if credit in the bank is diminished in the short term.
How Co-op responded:
The supermarket chain has also faced a breach of its systems, affecting back-office and call centre operations. Employees were instructed to keep cameras on during virtual meetings and avoid sharing sensitive information via internal communication platforms. Co-op’s response was swift and reactive.
Although initially downplaying the breach, the supermarket-to-funerals mutual later admitted to the extent of the data compromise. Quick thinking by company bosses did, however, according to wider media reporting, narrowly avoid a more serious ransomware breach than M&S. The retailer ‘yanked their own plug’ to prevent more extensive damage.
Co-op appears to have opted for more short-term disruption and decisive action than M&S in a bid to bounce back faster, although the two attacks do differ and we have yet to hear the full details of each.
Key communications takeaways for businesses
For business bosses, these incidents underscore the importance of proactive cyber security measures alongside a decisive and effective crisis communications response. This is something that can be planned for in advance given the nature of running a business in a digital world.
In the event of a breach, there is a set of clear measures that firms should follow to manage the message. While an IT team or consultant could contain and manage an attack, long-term damage could be a bigger threat if your communications reaction is deemed to be poor by stakeholders.
Here’s how to manage cyber threats with internal and external audiences to minimise reputational damage:
Transparency: Customers and stakeholders appreciate honesty. Acknowledge a breach or incident promptly, outline the impact, and provide clear guidance on what affected individuals should do.
Control the narrative: If you create a vacuum – someone else will fill it. If businesses fail to communicate effectively, external sources—such as media or hackers themselves—will shape the story. A well-crafted statement, backed by cybersecurity experts, helps maintain trust.
Prioritise customer reassurance: M&S reassured customers that financial data was not compromised, which helped mitigate panic. Firms should proactively address concerns and offer support, such as password resets or fraud monitoring.
Internal communication matters: Employees are often the first line of defence. Co-op’s directive to staff about virtual meeting protocols highlights the need for clear internal guidelines during a crisis.
Invest in cyber resilience: Cyber security should be treated as a strategic priority, not just an IT function. Regular audits, employee training, and robust incident response plans can prevent breaches or reduce their impact.
Final thoughts
The cyber attacks on M&S and Co-op are a wake-up call for businesses across all sectors. Cyber threats are evolving, and companies must adapt by integrating security and crisis communication into their broader business strategy. By prioritising transparency, controlling the narrative, and reinforcing cyber resilience, businesses can protect their reputation and maintain customer trust in the face of digital threats.