

M&S Cyber Attack: Customer Data Stolen
The M&S cyber attack is in the news once more this week, and for M&S customers, has entered a more troubling phase.
Publish date: 14.05.25
After weeks of disruption, Marks & Spencer has now confirmed that personal customer data was accessed by attackers, identified as the Scattered Spider hacking group. While payment details, card information, and account passwords remain secure according to the retailer, the breach underscores the severity and evolving nature of cyber threats to UK businesses – from SMEs to household names.
From Disruption to Data Exposure
In the early days of the attack, headlines focused on the immediate impact to operations: retail operations paused, online orders halted, and stock shortages sweeping across stores. But as any cyber professional knows, the full extent of a breach rarely becomes clear overnight, and this one is still playing out today. Now, almost a month on, M&S has acknowledged that personal data was compromised. Customers will be prompted to reset their passwords on their next login — a precautionary measure as investigations continue. Though there’s no evidence yet that the data has been sold or shared, reputational damage and customer anxiety are inevitable.
Communication Breakdown
One of the more telling developments from the attack has been the communication fallout inside M&S. With internal systems down, employees resorted to using personal WhatsApp accounts to manage day-to-day operations — a workaround that may be pragmatic, but fraught with its own risks.
It’s a stark reminder: business continuity planning must account for the complete loss of internal communications. Too often, simulation exercises assume partial outages or isolated impacts to individual teams or areas of the business. Few scenarios test for a situation where all conventional systems — email, intranet, scheduling platforms — are offline. This gap in preparedness can leave even well-drilled teams scrambling.
Organisations that invest in ‘out-of-band communication systems’ as part of incident response may face slightly higher costs up front, but in the context of a major breach, the return on that investment becomes clear. Keeping teams connected securely and reliably during a crisis is absolutely critical.
What This May Mean for Customers
While the initial communications from M&S aimed to reassure, the confirmation of a data breach puts the onus squarely on customers to stay vigilant. Under the UK GDPR, M&S is required to notify those affected given the severity of the breach. But this window of uncertainty is a prime opportunity for opportunistic scammers posing as M&S representatives.
Customers should be extremely cautious of cold calls, texts, or emails claiming to offer assistance or compensation. Phishing campaigns often piggyback on high-profile breaches, using fear and confusion to harvest further credentials.
M&S has issued guidance to help customers stay safe online — a move that’s both responsible and necessary. But a lingering question remains: how much long-term damage will this do to customer trust?
The Cost of Recovery
Behind the scenes, the financial toll is mounting. Analysts estimate that for every 10% of food products M&S cannot sell due to supply chain disruption, the retailer may be losing up to £15 million in revenue. With a ransom demand reportedly reaching up to £10 million, speculation continues around whether M&S will — or already has — made plans to pay this ransom.
In public, CEO Stuart Machin has maintained a calm and cooperative tone, thanking customers and staff for their support and assuring that teams are “working around the clock” to restore services. But restoring operations is only half the battle. Rebuilding confidence — among customers, partners, and shareholders — will take longer.
Lessons for the Retail Sector
The M&S breach is a prime example of how no organisation is immune — not even those with well-respected Business Continuity and Incident Response teams. It’s a lesson that planning must go beyond containment to consider the full spectrum of consequences: from operational paralysis to public relations, from legal obligations to long-term brand damage.
Cyber resilience isn’t just about technology. It’s about culture, communication, and continuity under public pressure.
For retailers and other large organisations watching from the sidelines, now is the time to reassess response strategies. Because when the next attack comes — and it will — the first few hours will define everything that follows.
Get in touch today to see how we can help you to eliminate loss, theft, or exfiltration of business-critical data, or find out more: https://www.xeretec.co.uk/cyber-security/data-loss-prevention/