
Inside the M&S Cyberattack: Anatomy, Impact, and Lessons for Every Organisation
In April 2025, British retail giant Marks & Spencer (M&S) became the latest high-profile victim of a sophisticated cyberattack. The breach had devastating consequences: personal data from nearly 10 million customers was stolen, core operations were disrupted, and hundreds of millions in value were wiped off the business. While cyberattacks are no longer a rare event, the M&S incident is notable for its scale, its execution, and the warning it sends to businesses of all sizes.
Anatomy of the M&S Cyberattack
Entry Point: Third-Party Access Exploited
The attackers, identified as the advanced persistent threat (APT) group Scattered Spider, gained access to M&S systems via a third-party contractor with privileged system access. This supply chain vulnerability allowed them to bypass M&S’s direct defences.
This is a classic example of a supply chain compromise, where trusted external partners become the weakest link. The attackers reportedly used social engineering tactics and credential stuffing to escalate access once inside, enabling lateral movement across M&S systems over a 52-hour period—a window long enough to exfiltrate large volumes of customer data before detection.
Tactics and Tools Used
According to reports, the attackers deployed custom malware and used living-off-the-land techniques—leveraging legitimate system tools to avoid detection. Log files and system telemetry indicate that the group had detailed knowledge of M&S’s infrastructure, likely gained through weeks of reconnaissance.
Their goals were twofold:
- Data theft (PII from customers)
- Operational sabotage—crippling logistics and internal IT systems
Delayed Detection
One of the most alarming elements of the attack was the detection delay. M&S’s systems reportedly took over two days to identify suspicious activity, during which significant damage occurred. Once detected, M&S had to rapidly shut down several systems to prevent further data loss, leading to immediate operational disruption.
Impact on the Business
Operational Disruption
- E-commerce and delivery systems were frozen, with online orders halted temporarily.
- M&S’s integration with Ocado—a key grocery delivery partner—was disrupted, creating knock-on effects on fulfilment and logistics.
- Stores were forced to revert to manual operations, which significantly reduced efficiency and led to increased product waste and loss of perishable stock.
Financial Fallout
- M&S estimates a £300 million hit to operating profit in FY 2025, a combination of revenue loss, remediation costs, and customer compensation.
- Additional costs included:
  - Crisis response and forensic IT investigations
  - Cybersecurity consultancy fees
  - Temporary staff to support disrupted operations
  - Investments in new digital infrastructure and upgrades
Reputational Damage
- Customer trust took a major hit, with over 9.4 million customers affected.
- While payment card data and passwords were reportedly not compromised, the stolen data included:
  - Full names
  - Addresses
  - Dates of birth
  - Order history
- The breach prompted a social media backlash, and M&S’s customer service channels were inundated with complaints and queries.
Legal and Regulatory Risks
- M&S is now facing a class-action lawsuit in the UK over failure to adequately protect customer data.
- The Information Commissioner’s Office (ICO) has launched an investigation, and potential GDPR fines could be significant depending on the findings.
Market Reaction
- On the day of the announcement, M&S shares fell by over 10%, wiping more than £1 billion off the company’s market value.
- Analysts have revised earnings expectations downward and flagged operational risk in future outlooks.
Lessons for Other Organisations
1. Third-Party Risk Must Be a Board-Level Priority
Third-party vendors with system access need to be treated as critical parts of your infrastructure. Continuous monitoring, stringent access controls, and rigorous vetting are essential. Zero-trust architecture and least-privilege policies can help reduce risk exposure.
2. Invest in Proactive Threat Detection
Long dwell times—like the 52 hours in the M&S attack—are often the result of outdated or under-resourced monitoring. Continuous threat hunting, real-time detection systems, and AI-based anomaly detection tools should be considered essentials, not luxuries.
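As an added illustration of the kind of check lessons 1 and 2 call for (example code written for this page, not code from M&S or the original article): a small Python detection that flags a third-party service account reaching hosts outside its approved scope. The vendor accounts, host names, allowlist and log lines are all constructed assumptions.

```python
"""Flag third-party accounts reaching hosts outside their approved scope.
Constructed example: accounts, hosts and log lines below are invented
for illustration and are not from the M&S incident."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical allowlist: each vendor account may only reach these hosts.
VENDOR_SCOPE = {
    "svc-vendor-hvac": {"bms-01", "bms-02"},
    "svc-vendor-pos": {"pos-gw-01"},
}
MAX_NEW_HOSTS = 2            # distinct out-of-scope hosts tolerated in WINDOW
WINDOW = timedelta(hours=6)  # sliding window for counting them

# Constructed authentication log: "<ISO timestamp> <user> <target host> <result>"
SAMPLE_LOG = """\
2025-04-17T02:10:00 svc-vendor-hvac bms-01 success
2025-04-17T02:12:00 svc-vendor-hvac bms-02 success
2025-04-17T03:05:00 svc-vendor-hvac fileshare-07 success
2025-04-17T03:40:00 svc-vendor-hvac dc-01 failure
2025-04-17T04:15:00 svc-vendor-hvac crm-db-03 success
2025-04-17T09:00:00 svc-vendor-pos pos-gw-01 success
2025-04-18T01:00:00 alice wks-112 success
"""

def parse(line):
    ts, user, host, result = line.split()
    return datetime.fromisoformat(ts), user, host, result

def detect_scope_violations(log_text):
    """Return {account: sorted out-of-scope hosts} for every vendor account
    that touched more than MAX_NEW_HOSTS distinct hosts outside its
    allowlist within WINDOW. Failed logins count too: a vendor credential
    knocking on a domain controller is a signal even when refused."""
    recent = defaultdict(list)  # account -> [(timestamp, host)] out of scope
    findings = {}
    for line in log_text.splitlines():
        ts, user, host, _result = parse(line)
        scope = VENDOR_SCOPE.get(user)
        if scope is None or host in scope:
            continue  # not a vendor account, or within its approved scope
        # Drop events older than the window, then record this one.
        recent[user] = [e for e in recent[user] if ts - e[0] <= WINDOW]
        recent[user].append((ts, host))
        hosts = {h for _, h in recent[user]}
        if len(hosts) > MAX_NEW_HOSTS:
            findings[user] = sorted(hosts)
    return findings
```

Running `detect_scope_violations(SAMPLE_LOG)` flags the HVAC vendor account after its third out-of-scope host within six hours, while in-scope vendor logins and ordinary staff accounts produce nothing.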
3. Cyber Insurance Is Not a Catch-All
While M&S reportedly had cyber insurance, the coverage limit was quickly exceeded. Organisations need to understand policy exclusions, caps, and coverage details thoroughly. Insurance should complement—not replace—robust internal preparedness.
4. Communication and Crisis Management Are Crucial
M&S was praised for transparent customer communication, but delays in the initial notification created uncertainty. A pre-planned cyber crisis communications strategy, aligned across PR, legal, IT, and executive teams, can protect trust in the heat of an incident.
5. Prioritise Data Minimisation and Encryption
If you don’t need it, don’t store it. Where storage is necessary, encryption and tokenisation should be enforced as standard. GDPR encourages this, but compliance should be seen as the floor, not the ceiling.
6. Simulate, Train, Repeat
Cyberattack simulations (tabletop exercises) ensure that leadership teams and key departments are not improvising during a real crisis. Regular training helps refine your response and reduce human error—the most common breach factor.
Final Thoughts
The M&S cyberattack is more than a cautionary tale—it’s a live case study in how even well-established, digitally mature businesses can be brought to a standstill by a well-orchestrated cyber incident. It reinforces the reality that cybersecurity is no longer just an IT issue—it’s a business continuity issue.
Every organisation, from SMEs to multinational corporations, should take note: cyber resilience is now a critical part of strategic risk management. Those who invest in it will be better positioned to survive and recover. Those who don’t may not get the chance.

