M&S: A Security Lesson Businesses aren't learning

In 2025, we witnessed a massive cyberattack on the popular UK retail giant M&S. I'd argue this has been one of the highest-impact security incidents to hit a major company in a long time. M&S online orders were down for six weeks, Click & Collect only resumed after fifteen weeks, and the financial hit was obvious. M&S reported a half-year profit of just £3.4 million, compared with £391.9 million for the same period the year before.

M&S profits dropped £388.5 Million in 6 months.

But even with this huge financial shock, the situation could’ve been much worse. The reality is that most businesses simply couldn’t survive being offline for 6–15 weeks. M&S is the exception, not the rule. Their strong brand reputation, diversified operations, and physical stores acted as a buffer. If a SaaS company endured a disruption of this scale, bankruptcy wouldn’t just be possible—it would be likely. Yet this isn’t being talked about enough, and I worry businesses aren't learning from it.


The Attack

In April 2025, M&S was hit with a major cyberattack that exposed a significant amount of customer data, including names, addresses, phone numbers, and order history.

Scattered Spider was identified as the group behind the attack. The breach is believed to have occurred through a compromised third-party contractor at TATA, a large consultancy firm, rather than through a direct compromise of M&S systems. The disruption itself was triggered by a ransomware attack carried out with DragonForce, a ransomware-as-a-service platform that rents its malware and infrastructure to affiliates.

Impact

  • Online orders down for 6 weeks
  • Click & Collect unavailable for 15 weeks
  • Certain in-store products went out of stock for long periods
  • Customer data was stolen

Analysis

I want to highlight how much worse this could have been. Fortunately for M&S, they had generated a 22.5% increase in revenue in the first half of their financial year. Without that boost, they would’ve been operating at a loss. If their reserves weren’t strong enough to cover that loss, they would have been forced to borrow just to fund day-to-day operations.

Add to that the risk of long-term reputational damage and declining sales, and the picture becomes even more dangerous. All of these factors combined could have pushed a billion-dollar company to collapse under financial pressure—taking billions in revenue, thousands of jobs, and significant economic activity down with it.

There's also a misplaced confidence in cyber insurance. Many companies assume it will cover most, if not all, of their costs following an attack. The M&S incident shows that is far from true: M&S lost around £388 million in profit, and its cyber insurance is expected to cover only £100 million. That figure doesn't account for increased premiums after the attack, the cost of the recovery effort, or the long-term brand damage.

David & Goliath: Businesses might think they are too big to fail, but they may be oblivious to the fact that they are the Goliath of the story.

Lessons

  • Third-party supply chain attacks are rising fast. Compliance and security teams need to increase scrutiny of vendors, especially those with privileged or remote access to internal systems. Vendors should be risk-scored against the business's own risk appetite, with access and contractual controls tightened for those that score poorly.
  • Cybersecurity budgets must grow. Costs to defend and maintain uptime are increasing, and businesses can’t afford to be complacent.

Conclusion

Currently, only around 11% of IT budget goes toward cybersecurity. Is that enough? I'd argue it isn't, or perhaps the spending simply isn't being used efficiently. As long as attack rates remain high, the financial and reputational damage from breaches will continue to grow, and cybersecurity spending should grow with it. I fear that isn't happening, but I'll discuss that in a later blog.
