How the M&S cyber attack proves that size doesn’t equal security

In April 2025, Marks and Spencer (M&S), a prominent British retailer, experienced a significant cyber attack that disrupted operations and highlighted the vulnerabilities that even large, established organisations face in today’s volatile digital landscape. The attack joins a growing list of UK organisations that have been impacted by cyberattacks since the start of the year, such as Barclays, Lloyds Bank, British Airways, and Transport for London.
The incident forced M&S to suspend and refund online orders, disable contactless payments on tills, and ask around 200 warehouse employees to stay home while they dealt with the incident. The attack appears to have begun as early as February 2025, when attackers reportedly gained access to M&S systems and deployed ransomware that encrypted critical operational systems.
While the full extent of the damage is still being investigated and M&S has yet to release specific details of the attack, several news outlets have linked the incident to a cybercrime group called ‘Scattered Spider.’
This event is a stark reminder that even household names with access to numerous resources can be brought to a standstill by cyber threats. In today’s digital landscape, size no longer guarantees safety, and can even make organisations more vulnerable.
 

Bigger Business, Bigger Target

Large organisations like M&S are incredibly attractive targets for cybercriminals, not just because of their name recognition, but because of the complexity of their environments.
The bigger the business, the larger the attack surface. M&S doesn’t just operate physical stores, it manages e-commerce systems, customer databases, internal HR platforms, supply chains, third-party vendors, and cloud services. Every point of connection is a potential weakness. Every employee, device, and external partner becomes part of the security surface and needs to be carefully managed.
The more systems and suppliers involved, the harder it becomes to maintain visibility and control over risks. Cybercriminals understand this and seek to exploit these vulnerabilities. That’s why many of today’s most successful attacks focus not on a company's direct defences, but on indirect ones, targeting suppliers, service providers, and partners.
This is what’s known as a supply chain attack, and it’s one of the fastest-growing methods of attack in the world.
 

Vendor Risk and Supply Chain Attacks

While M&S has not disclosed any specifics related to the attack at the time of writing, it is likely that the attackers gained initial access either by exploiting the compromised credentials of a third-party vendor or through social engineering tactics.
Supply chain attacks are successful because businesses will naturally trust their vendors, especially if they have a longstanding relationship with them. However, if a vendor doesn’t meet your security standards, or has a vulnerability that can be exploited, attackers will usually take the easier route.
Proper vendor risk management, including due diligence, ongoing monitoring, and requiring compliance with recognised frameworks, is now essential. Standards and regulations such as ISO 27001, SOC 2, and GDPR all increasingly emphasise the responsibility organisations have for the security of their third parties.
It’s no longer enough to protect your own perimeter. You must also understand and manage the risks introduced by every business you work with, especially if those third parties could lead attackers to your sensitive information if they are compromised.
 

Disaster Recovery: A Test of Readiness

Following the ransomware deployment, M&S was forced to implement emergency containment measures, such as disabling online order systems and restricting employee access to core systems. These reactive steps were likely part of a disaster recovery plan.
Disaster recovery planning focuses on restoring operations after a major incident. In practice, this could mean switching to backup servers, isolating infected systems, switching to manual processes where necessary, and restoring critical business functions.
If M&S had not invested in resilience measures before the attack, such as offsite backups, incident response rehearsals, and well-documented recovery playbooks, the disruption likely would have been much more severe. Even so, the delays in resuming services show how challenging recovery can be when ransomware impacts core infrastructure.
However, a disaster recovery plan is only as good as the last time it was properly tested, and for large businesses with complex networks of stores, suppliers, and infrastructure, this testing must be continuous, thorough, and encompass hundreds of different scenarios.
 

The Financial and Reputational Fallout

Unfortunately, the consequences of a cyberattack are rarely confined to mere technical disruption.
In M&S’s case, the immediate impact included a staggering drop in value of £650 million. Customers also reported frustration with failed orders and unavailable services, threatening long-term trust in the brand.
For public companies, a cyber incident can erode client and investor confidence overnight.
For retailers, customer loyalty, painstakingly built over the course of years, can evaporate without effective communication.
For businesses handling personal data, breaches can trigger regulatory investigations and heavy fines.
When organisations fail to manage cybersecurity risks properly, the damage extends far beyond IT. It touches every part of the business, from the balance sheet to the brand itself.
 

Prevention, Compliance, and Continuous Vigilance

While it’s impossible to eliminate all risk, the M&S breach reinforces the importance of layered, continuous defence for any organisation regardless of size or prestige.
This is where compliance frameworks, like ISO 27001, Cyber Essentials, and SOC 2, come into the picture. They are designed to help businesses build structured, risk-based security programmes. But compliance must be approached seriously, not just as a paperwork exercise. True security means:
  • Proactively identifying weaknesses, including in your vendor ecosystem.
  • Monitoring systems continuously for suspicious activity.
  • Training employees regularly on phishing and social engineering risks.
  • Having a tested, rehearsed incident response and disaster recovery plan.
It also requires senior leadership to treat cybersecurity as a board-level issue, not just an IT function that needs to be ticked off.
 

Final Thoughts

Marks & Spencer’s cyberattack shows that size does not guarantee security.
If anything, large organisations carry greater risk, with more systems to defend, more vendors to trust, and more opportunities for attackers to exploit.
Cyber resilience and security are not a matter of how big or well-known your business is. They are a matter of preparation, careful monitoring, and the willingness to invest in securing not just your technology, but your entire business ecosystem.
 
Written by Finn O’Brien, Operations Manager, OneClickComply