Your Customers Don’t Care Why It Broke

Why trust is a quality asset — and what a single bad weekend really costs

When your checkout fails on a Saturday afternoon, your customer doesn’t ring head office to ask whether it was a ransomware gang or a regression bug. They open a different tab. They go to a competitor. And often, they don’t come back.

Most boardrooms have done the cyber conversation. CISOs sit at executive tables. Insurance is bought. Incident retainers are signed. That work is valuable — and it’s only half the picture. Cyber security detects threats and contains them. Quality engineering determines what happens next: whether your systems degrade gracefully, recover quickly, and don’t compound the problem for the very customers you’re trying to protect.

Both disciplines protect the same asset. Customer trust. In 2025, we’ve watched what happens when that asset is defended on only one front.

Two retailers, two attacks, two very different outcomes

In April 2025, the same threat actors attacked Marks & Spencer and the Co-op within days of each other. They used near-identical social engineering tactics. Same entry technique. Same likely playbook.

The outcomes could not have been more different.

M&S had its online operations crippled for over six weeks. Click-and-collect halted. Online clothing orders suspended. Fresh food tracking reverted to pen-and-paper. The financial damage as currently reported: roughly £300 million off operating profits, around £40 million in lost revenue per week during the outage, and approximately £750 million wiped off market capitalisation in the days following disclosure. While M&S was paralysed, rival Next quietly absorbed displaced shoppers and upgraded its profit forecast — for the fourth time that year — citing “competitor disruption”.

The Co-op, hit by the same adversary, contained the breach within minutes. Their security operations centre flagged unusual activity almost immediately. Their network architecture was segmented — critical services like online retail and payments lived on separate infrastructure. Their culture treated breach scenarios as inevitable rather than unthinkable. Customer-facing operations barely flinched.

It’s worth being precise about what the Co-op’s advantage actually was, because the answer matters. It wasn’t a single discipline. It was the cumulative outcome of years of engineering decisions that took resilience as seriously as features — segmentation, observability, fast detection, rehearsed response.

Testing strategy is one part of that: the part that asks “what could go wrong, and have we verified our response?” before the answer becomes a press release.

Trust doesn’t distinguish between bugs and breaches

Customers don’t keep one mental column labelled “security incident” and another labelled “quality incident”. They keep one column: did this company let me down?

Consider CrowdStrike, July 2024. A faulty software update — not a cyberattack, not a hack, just a defective release — crashed 8.5 million Windows systems globally. Airlines grounded. Hospitals reverted to paper. Banks froze. The estimated financial damage exceeded $10 billion. Delta Air Lines alone sued for $500 million after 7,000 cancelled flights stranded 1.3 million passengers over five days.

CrowdStrike’s own preliminary post-incident review told the story. A bug in their content validation software — the very thing meant to verify updates before release — let a malformed file slip through. According to their analysis, the validator had appeared to function normally for prior releases. It hadn’t been adequately tested against the conditions that mattered.

Read that sentence again. The tool designed to catch bad releases was itself a bad release.

No attacker. No malice. Just a quality failure at the worst possible moment, cascading across a global economy that had assumed someone, somewhere, was testing this stuff. And customer trust evaporated just as quickly as if it had been a breach.

The forensic cost of a bad weekend

Trust feels abstract until you put a price on it. So let’s be specific.

Take a hypothetical £500 million UK retailer and apply the pattern publicly reported for M&S across 2025:

  • Immediate revenue loss during outage: six weeks of disrupted online operations at a conservative 30% revenue impact — approximately £17 million.
  • Permanent customer migration: 5% of active customers shift to competitors during the outage. At a customer lifetime value of £400, on a base of two million customers, that’s £40 million in lost lifetime revenue.
  • Market valuation impact: based on the M&S pattern, a credible mid-cap UK retailer could expect between £80 and £150 million in market value to evaporate in the days after disclosure.
  • Regulatory and legal exposure: between ICO notification, regulatory scrutiny and class-action risk, factor £5 to £15 million in direct costs and reserves.
  • Internal recovery cost: twelve to eighteen months of leadership focus, engineering capacity, and customer remediation programmes. Realistic estimate: £8 to £12 million.

Conservative total: £150 to £230 million. For a single incident.

The asymmetric maths

Those numbers are the visible damage. The invisible damage is considerably more troubling.

Consider what your organisation has actually invested in customer trust. Years — sometimes decades — of brand work. Marketing campaigns that built reputation patiently. Customer service teams earning loyalty one interaction at a time. Product iterations that made experiences just a little better each cycle. Reviews accumulated. Recommendations earned. Customers became advocates. Advocates became defenders.

That asset is enormous. It doesn’t sit on the balance sheet, but it determines whether the market cares about your next product launch.

A single incident compresses all of it. The £300 million in lost M&S operating profit is the cost you can measure. The decades of accumulated brand position — compressed into a six-week news cycle about empty shelves and frustrated customers — is the cost you can’t.

Now the maths gets uncomfortable. A properly funded software testing and quality engineering capability across that same retailer typically costs 2 to 4% of the technology budget annually. Even at the top of that range, you could fund the entire function for over a decade before approaching the cost of one bad weekend.

One incident can spend your marketing budget, your customer experience budget, your PR budget, and your testing budget — for a decade. All at once. In a weekend.

Trust is a slow accumulation and a fast collapse.

THE LEADERSHIP QUESTION

Your marketing team has spent years building customer trust. Has your testing strategy been funded as if it were responsible for protecting that asset?

The bottom line

Cyber security and quality engineering aren’t competing line items. They’re complementary disciplines protecting the same asset. Cyber teams detect, contain, and respond. Quality engineering determines whether your systems behave well under the conditions cyber events — and quality failures — create: whether they degrade gracefully or catastrophically, recover in minutes or weeks, contain damage or compound it. The organisations that emerged from the 2025 retail attacks with reputations broadly intact had invested in both, not because they predicted the specific attack, but because they had treated resilience as something to verify, not something to assume.

Your customers won’t care why your platform broke. They will only remember that it did. Remember: trust is built in all the releases that didn’t fail, and lost in news cycles that didn’t have to happen. And the brand work your colleagues spent years building will not magically reappear because the post-incident review concluded the cause was technically a security event rather than a quality one.

Trust accumulates slowly and collapses rapidly. Treat your testing strategy as one of the things standing between those two states. It costs less than you think — and it protects more than you’ve realised.

Sources

  • IBM. (2025). Cost of a Data Breach Report 2025. Global average breach cost USD 4.44 million; US average at all-time high of USD 10.22 million. https://www.ibm.com/reports/data-breach
  • Marks & Spencer cyber attack coverage (April–July 2025). Reported operational disruption, ~£300m operating profit impact, ~£750m market value loss, ~£40m/week revenue loss during outage. Reuters, Financial Times, BBC, Cybersecurity Dive.
  • MTI Network. (2025). M&S vs Co-op: How Two 2025 Cyber-Attacks Ended So Differently. Analysis drawn from UK Parliament Business and Trade Sub-Committee oral evidence, 8 July 2025.
  • Parametrix; Fitch Ratings. (2024). Analysis of CrowdStrike outage financial impact. Estimated ~£4.1bn in direct losses to top 500 US companies; broader economic damage estimated at $10bn+.
  • CrowdStrike. (2024). Preliminary Post Incident Review on Channel File 291. Bug in content validation software allowed defective release to bypass quality controls.
  • Supply Chain Digital / Cyber Magazine. (2025). Analysis of competitive transfer of customers from M&S to Next during recovery period; Next upgraded profit forecast citing “competitor disruption”.
  • Edelman. (2025). Edelman Trust Barometer 2025: Trust and the Crisis of Grievance. https://www.edelman.com/trust/2025/trust-barometer
  • Bach, J. & Bolton, M. Rapid Software Testing methodology. https://www.satisfice.com/ and https://developsense.com/