Why M&S is struggling to recover post-attack

M&S is still struggling to return to 100% operation, with their website frequently being taken down, services being limited, and the financial impact continuing to grow. So why is recovery taking so long?

It seems like everyone’s talking about the recent cyber attack on M&S, and for good reason. In April 2025 one of the UK’s most established retailers was hit by a ransomware attack that devastated the organisation, bringing large parts of its digital operations to a standstill. While everyone expected the attack to make headlines, what has been more revealing is what’s happened, or hasn’t happened, in the weeks since the breach.
The answer to this question lies in a combination of technical complexity, systemic oversight, and an industry-wide lag in adopting proactive cyber security and compliance practices. M&S, like many organisations before it, is learning the hard way that the real challenge in cyber security isn’t just preventing a breach, it’s how to recover from one.

The Anatomy of the Attack

Whilst we’ve already covered the specific details of the attack in a previous article, we’ll go over it again briefly as it helps paint a full picture. The cyber attack on M&S was orchestrated by the group known as Scattered Spider, who used the ‘DragonForce’ ransomware to encrypt crucial systems and files. The attackers used social engineering techniques to gain access via a third-party supplier. The boss of M&S explained that the attack was due to “human error” and said that “We [M&S] have to be lucky every day, the threat actors only have to be lucky once.” This breach led to the exfiltration of sensitive customer data, including customers’ names, contact information, and order histories.
The attack also forced M&S to suspend online clothing sales, disrupted food supplies, and led to a significant data breach. The company’s website continues to go down for extended periods, with overall disruption expected to continue until July.

The Fallout and Recovery Efforts

The immediate impact of the attack was severe. M&S projected a £300 million hit to its operating profit for the 2025/26 fiscal year as a result of the breach, and its share price has fallen by 13% since the incident, wiping over £1 billion from its market capitalisation.
For an organisation the size of M&S, recovering from a major cyberattack is not as simple as restoring a backup or unlocking a few encrypted files. It is a multi-layered, time-intensive effort that affects every corner of the business. While news headlines often focus on the breach itself, it's the recovery phase where many businesses suffer the most sustained disruption.
The first challenge is the sheer scale and complexity of modern IT infrastructure. M&S reported having to rebuild and review over 600 applications and thousands of servers. These are not simple, standalone systems; they’re interlinked, cloud-based or legacy systems that have been threaded across multiple departments like supply chain, HR, and finance. Before any system can be brought back online, it must be checked for integrity, cleaned of any suspected malware, and validated against known good configurations. For smaller businesses this process alone can take weeks, but for an organisation such as M&S, it will likely stretch to months, especially if documentation prior to the incident is incomplete, or security controls weren’t carefully monitored beforehand.
Secondly, when ransomware is involved, as it was in this case with ‘DragonForce’, trust in every system is effectively reset to zero. IT teams must assume that anything connected to the network could be compromised. That includes applications, services, authentication tools, user devices, and even backup systems. If backups were connected during the breach or not stored securely, they may also be compromised, delaying or even eradicating their usefulness. This creates an environment where recovery becomes a painstaking process of checking and re-checking, rather than a simple restoration from a fixed point in time.
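To make the “trust reset to zero” step concrete, here is an added illustration (example code, not M&S’s or OneClickComply’s tooling): a small Python check that compares a restore candidate against a known-good hash manifest and discards backup snapshots taken after the assumed initial-compromise time. The manifest, file contents, snapshot names and timestamps are all constructed for the example.

```python
"""Recovery-phase integrity check (added example; all data below is constructed)."""
import hashlib
from datetime import datetime

# Constructed known-good manifest: path -> SHA-256 of the trusted content.
# In practice this comes from a pre-incident golden image or build pipeline.
KNOWN_GOOD = {
    "/etc/app/config.yaml": hashlib.sha256(b"db_host: prod-db\ntls: required\n").hexdigest(),
    "/opt/app/bin/service": hashlib.sha256(b"ELF-placeholder-trusted-build").hexdigest(),
}


def verify_host(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Classify a restore candidate's files relative to the manifest.

    files maps path -> current content (read from disk in a real run).
    A host passes only when 'modified', 'missing' and 'unexpected' are all empty;
    anything else sends it back to the rebuild queue rather than into production.
    """
    report: dict[str, list[str]] = {"modified": [], "missing": [], "unexpected": []}
    for path, good_hash in KNOWN_GOOD.items():
        if path not in files:
            report["missing"].append(path)
        elif hashlib.sha256(files[path]).hexdigest() != good_hash:
            report["modified"].append(path)
    report["unexpected"] = sorted(p for p in files if p not in KNOWN_GOOD)
    return report


def trusted_snapshots(snapshots: dict[str, str], compromise_at: str) -> list[str]:
    """Return snapshot names taken strictly before the assumed initial-compromise
    time (ISO 8601). Later snapshots may already contain the attacker's changes,
    so they are excluded from the restore set."""
    cutoff = datetime.fromisoformat(compromise_at)
    return sorted(n for n, t in snapshots.items() if datetime.fromisoformat(t) < cutoff)


if __name__ == "__main__":
    # Constructed restore candidate: config weakened, binary intact, extra file present.
    candidate = {
        "/etc/app/config.yaml": b"db_host: prod-db\ntls: optional\n",
        "/opt/app/bin/service": b"ELF-placeholder-trusted-build",
        "/opt/app/bin/helper.exe": b"unknown",
    }
    print(verify_host(candidate))
    print(trusted_snapshots(
        {"nightly-a": "2025-03-01T02:00:00", "nightly-b": "2025-03-10T02:00:00"},
        "2025-03-05T00:00:00"))
```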
Then there’s the matter of data integrity and legal obligations. With customer data exfiltrated, M&S must now coordinate forensic investigations, notify affected individuals, and potentially comply with regulatory investigations and penalties under UK GDPR. These legal obligations further delay system restoration, as teams must ensure that evidence is preserved and that sensitive systems remain isolated while being investigated. At the same time, public trust must be managed delicately, as any rush to resume normal operations without proper diligence could amplify the damage to its reputation.
Lastly, there’s the human factor. A cyber attack of this scale puts massive strain on IT teams, business continuity staff, legal departments, and customer support. Employees are likely working overtime, often under pressure from customers, executives, media, and regulators, potentially leading to more errors, burnout, or further operational delays.

How OneClickComply Helps Improve Security

OneClickComply can improve an organisation’s security by automating the remediation of non-compliant settings, ensuring that businesses remain protected and compliant with various standards and regulations at all times. Our platform continuously monitors your environment, checks for compliance with key controls, and allows you to fix any identified issues in a single click.
OneClickComply also helps businesses manage the risks associated with third-party vendors, automating the due diligence process and enabling constant oversight and awareness of the threats that third parties pose to your business.
OneClickComply enables businesses to maintain continuous compliance at all times, and reduces the manual work required down to a click. Even aspects of compliance such as policy writing and penetration testing can be conducted automatically through the platform.

Final Thoughts

The attack on M&S serves as a harsh reminder that no organisation is immune to cyber threats. Even well-resourced companies with strong financials can fall victim to sophisticated attacks, especially when third-party vendors are involved.
Proactive cybersecurity measures, continuous compliance, and robust vendor risk management are essential in today's digital landscape. Platforms like OneClickComply provide the tools necessary to automate these processes, reduce risk, and ensure that businesses are prepared to face the evolving threat landscape.
Investing in such solutions is not just about compliance; it's about resilience and the ability to protect your business’ reputation, operations, and bottom line.
Written by

Finn O’Brien

Operations Manager, OneClickComply