Date: 2024-06-25

Britain's Cyber Monitoring Centre (CMC) estimates the total cost of the cyberattacks that crippled major UK retail organizations recently could be in the region of £270-440 million ($362-591 million).

The organization – which launched earlier this year and introduced standardized grading of cyberattacks – gave the criminals' digital intrusions of retail outlets across the country high marks, characterizing them as a category 2 systemic event.

The CMC's Cyber Monitoring Matrix grades systemic cyber events between category 0 for the lowest impact and category 5 for the highest. Overall impact is determined by how many people are affected by any given attack, and by the financial impact.

In its public assessment statement, the CMC said: "The impact from this event is 'narrow and deep,' having significant implications for two companies, and knock-on effects for suppliers, partners, and service providers. This contrasts with a 'shallow and broad' event like last year's CrowdStrike event, where a large number of businesses across the economy were affected, but the impact to any one company was far smaller.

"We are yet to see a deep and broad category 4 or category 5 event impact the UK. Had there been further widespread disruption in the sector, the categorization could have been higher, but because the impact was confined to two companies and their partners, it is judged to be at the lower end of severity on the CMC's scale."

It previously said that CrowdStrike's outage last year would have been designated a category 3 systemic event, had the CMC been launched at the time, due to the scale of its impact across the UK.

CrowdStrike's faulty file update – which inadvertently led to what has been described as the largest IT outage in history – may have earned category 4 status if it was a malicious cyberattack, instead of a faulty sensor update. This is because of the increased costs involved in cleaning up attacks, said the org. Hypothetically, an example of a cat-5 attack would be Russia's NotPetya campaign.

[...] The assessment of the recent UK retail attacks is the first contemporary incident categorization to come from the world-first CMC.