What the M&S IT issue teaches us about cybersecurity and disaster recovery
The recent cyberattack on Marks & Spencer is a sobering reminder of the cybersecurity threats that face businesses of any size.
For several months now, the retailer has been dealing with the fallout from a cyber incident that has wiped hundreds of millions from the company’s value. Although in-store shopping has resumed, online sales are only just recovering. M&S believes issues will continue until July and that it will lose approximately £300 million as a result of the attack.
However, the event, as devastating as it was for M&S, serves as a valuable example for other businesses on how to respond to a cybersecurity incident and a poignant reminder of the importance of having a robust incident response plan in place.
In this article, we’ll examine M&S’s challenges and response strategies to uncover actionable insights for strengthening our own defences against evolving digital threats. We are all at risk of a similar cyber attack, but that doesn’t mean we can’t be prepared.
The crisis began during the 2025 Easter weekend when M&S detected unauthorised access to its cloud identity platforms. Attackers employed social engineering tactics to impersonate employees, bypass multi-factor authentication (MFA) protocols and infiltrate critical systems.
Security analysts identified hallmarks of Scattered Spider — a group notorious for targeting enterprises through MFA fatigue attacks and SIM-swapping techniques. Once inside, the attackers deployed DragonForce ransomware, encrypting systems responsible for online orders, inventory management and payment processing.
M&S saw an immediate loss of between £8 million and £10 million in daily online sales. Customers couldn’t redeem gift cards, collect online orders or make payments in-store and online. Disruption to restocking algorithms saw shelves empty and shares plummet 10% within days, erasing £700 million in market value.
We should point out that M&S isn’t alone in suffering at the hands of cyber criminals. In the following weeks, Harrods and the Co-op were also hit by attacks.
M&S’s response was swift and decisive. It shut down its online ordering systems and suspended contactless payment services to prevent further damage and data loss. Stores reverted to manual processes, which caused checkout delays but prevented the company from accruing more customer data.
At the same time, M&S communicated regularly and transparently with customers, employees and investors — using owned channels and media to provide updates and reassurance. When it realised attackers had stolen consumer data, the brand immediately informed customers via email and social media. The constant communication has maintained a degree of customer and stakeholder trust despite the ongoing disruption.
The company was quick to seek expert help, too. M&S engaged external cybersecurity experts and worked closely with the UK’s National Cyber Security Centre (NCSC) to investigate and contain the breach.
A global retailer like M&S may be able to respond adequately without a business continuity plan, but there’s no guarantee small and medium-sized businesses will be able to do the same.
We urge every company to draw up a business continuity plan that outlines how they will respond to and contain an attack. Here are the key reasons why business continuity planning is indispensable:
Business continuity planning transforms a potential crisis into a manageable event — one that you have planned for in advance. It gives leaders the confidence to act quickly and decisively, taking steps to contain and minimise the disruption.
Ultimately, you just have to ask yourself the question: would you want to face a cyberattack with or without a plan?
There’s no shortage of strategies you can adopt to improve your cyber-readiness. Speak to your IT security provider for an in-depth assessment and comprehensive plan that’s tailored to your needs.
Here are five strategies we might recommend:
Understanding your unique vulnerabilities is essential. A risk assessment helps you map out your critical assets, such as customer databases, payment gateways and supply chain systems, and identify where you are most exposed.
Achieving Cyber Essentials certification is a practical step toward reducing your exposure to the most common cyberattacks. This UK government-backed scheme focuses on five technical controls that form a baseline of security hygiene and demonstrate your commitment to cybersecurity.
It’s important to see Cyber Essentials not as a one-off event but as a key part of your day-to-day operations. The controls it establishes are the best defence against attacks like the one M&S is still suffering from. As such, it’s vital to abide by them constantly.
Technology alone can’t stop cyber threats. Your employees are often the first line of defence and the weakest link in your cybersecurity efforts, so building a culture of cybersecurity awareness is both critical and non-negotiable.
Constant end-user training is one of the most effective strategies for educating your employees and helping them identify potential attacks. It will ensure everyone knows and can spot the latest attack methods, whether they are phishing emails, social engineering or MFA fatigue attacks.
When a cyber incident occurs, a rapid, coordinated response can mean the difference between containment and catastrophe. Create a response plan that clearly defines roles and responsibilities, outlines a communication strategy and walks through data recovery practices.
Cyber threats are multifaceted, so your defences must be equally comprehensive. A multi-layered approach includes Multi-Factor Authentication (MFA), zero trust architecture and regular patch management.
No cybersecurity system is impervious. If a leading British retailer like M&S can get hit, so can you. But that just makes the need for a suitable disaster recovery plan all the more vital.
By adopting proactive defence strategies, fostering cyber awareness amongst employees and investing in business continuity plans, you can prevent the majority of cyber threats and be ready should an attack slip through your defences.
Contact us today for a rigorous assessment of your cybersecurity readiness and a bespoke strategy to help you improve.