Retailers in the spotlight: not just any cyber incident…

13 May 2025

Iona Cross reflects on the recent cyber incidents affecting M&S, the Co-op and Harrods, exploring how their differing communication strategies reveal much about stakeholder priorities and the reputational risks posed by prolonged disruption.

Since Easter weekend, several major British retailers have grappled with cyber incidents that have caused sustained, significant disruption across their services and stores.

M&S was the first to take the hit, disclosing the breach on 22 April; the Co-op then confirmed its own incident on 30 April and Harrods acknowledged an attempted intrusion on 1 May. A cyber-crime gang calling itself “DragonForce” has claimed responsibility for this latest wave of incidents.

Each retailer has taken a different approach to communicating with its stakeholders, selecting different channels for announcing the incident and providing updates:

  • M&S, a FTSE-100 company, had the challenge of addressing the market as well as its usual stakeholders. It lodged an RNS notice on 22 April, alongside informing customers and other stakeholders through very similar statements published on its website, on its social media channels and via email. Since then, it has published further updates to customers through these same channels and, as of 13 May 2025, has revealed that some personal customer data was stolen in the attack.
  • The Co-op appears to have informed its employees first, through an internal email seen by ITV News, a short website statement (which has since been deleted) and media statements provided to news outlets. It has since published several updates, including website and social media posts and emails to its members, as well as a member-facing FAQ.
  • Harrods opted for a single holding statement, published on a webpage and provided to press outlets, confirming “attempts to gain unauthorised access” and promising updates “as necessary.” It also emailed this update to customers.

The variety reflects each company’s stakeholder priorities: M&S must satisfy investors as a FTSE-100 constituent, Co-op answers to 4.5 million members and privately-owned Harrods faces mainly reputation risk, especially as it appears to have largely avoided any major service impact.

The Co-op and M&S haven’t been quite so lucky. Both retailers have experienced stock shortages, with news outlets reporting bare shelves everywhere from Islay to Hereford. As of 12 May, the Co-op is still reporting ‘significant disruption’ and M&S online orders remain paused for the foreseeable future.


This breadth of disruption is unusual and, for totemic brands, customers are becoming increasingly frustrated at the continued lack of clarity about when the incident will be resolved. For M&S, this will only be made more difficult by the recent news that customer data has also been stolen. All of this raises the question: how can organisations minimise reputational harm when a cyber incident continues to cause severe impact?

Below are three core principles for doing exactly that:

  1. Implement a routine communications schedule

M&S won early praise for quick, consistent updates tailored to each stakeholder group, but by week two, this cadence slowed and customers became frustrated (BBC).

While companies may be hesitant to remind stakeholders that a serious issue remains unresolved, committing to regular updates while disruption is ongoing a) assures customers that the team is working flat out on a resolution and b) helps the company maintain control over its narrative. Radio silence will always be filled with unhelpful speculation and rumour.

  2. Communicate facts carefully

While speed matters, precision matters more – in the early stages of an incident, organisations should publish only verified facts and clearly label anything that is still tentative. Ultimately it is better to say less initially and be seen as accurate than to reassure too early, only to row back later and cause confusion.

Both M&S and the Co-op had to walk back earlier statements or announcements as the technical picture evolved, likely causing frustration and harm among stakeholders. This is a bad look and, whether avoidable or not, suggests a lack of control over the situation. Teams managing the incident need to balance the desire to reassure stakeholders with communicating only watertight facts, or including caveats such as “based on what we know today”.

Many observers noted how the Co-op’s language shifted from describing a “small impact” on 25 April to “significant disruption” on 30 April, after the ransomware gang DragonForce contacted the BBC. Such an escalation harms credibility and can create mistrust in the organisation’s response procedures and diagnostic ability.

  3. Keep employees onside

During times of crisis, staff are some of the most important communicators. Last weekend, an anonymous M&S “insider” told Sky News it could be months before the retailer was operating as normal, describing tough working conditions and claiming the retailer “had no plan” for cyber attacks, which is a very serious allegation for a company of M&S’s size and stature.

The comment quickly became a headline and, aside from highlighting the importance of organisations having sufficient business continuity and cyber plans in place, reinforces the importance of internal stakeholder management in the aftermath of an incident. Clear and consistent communications, paired with internal support, can help ensure employees become advocates rather than inadvertent whistleblowers.

While these principles do not erase the complexities M&S and the Co-op are currently facing, they do underscore that in the current climate, organisations are judged more on how they handle crises than on the crises themselves. It will be interesting to see how each company reacts when the crisis is over – customers who have faced disruption will remember the hassle but also any compensation, offers or perks offered to buy back goodwill.

For strategic advice around cyber risk planning, management and live incident handling, contact: cyber@drdpartnership.com