30 April 2025

This is not just a cyber-attack… this is an M&S cyber attack

By Jess Pembroke, Director of Information Law Services 

On Friday, 25 April, Marks & Spencer (M&S) suspended online orders via its UK & Ireland websites and apps, as well as some M&S International operated websites, as part of its “proactive management” of a cyber incident. The retailer stated, “Our Experienced team – supported by leading cyber experts – is working extremely hard to restart online and app shopping”.[1]

In the week following the cyber incident, M&S paused click-and-collect orders after customers were left unable to use contactless payments or click-and-collect services over the bank holiday weekend. Additionally, work-from-home staff were locked out of systems amid the fallout.

What was the impact?

Reputation: The disruption to M&S’s online services has been described as a ‘bruise’ to its reputation by analysts. Kate Hardcastle, consumer specialist…said the incident was “a bruise to M&S’s trusted brand image”. She said: “Customers expect a retailer like M&S to keep their data safe and services running, so an incident like this can shake confidence.”[2] This incident highlights the importance of maintaining robust cybersecurity measures to protect not only customer data but also brand integrity.

Share Price: The retailer’s share price slumped by almost £800 million as online orders were halted.[3]

Lost Revenue: The suspension of online operations, which are a significant revenue stream for M&S,[4] may impact its income and profits.

Lasting impact on employee confidence and morale: The cyber-attack has led to significant disruptions, including “agency staff being told to stay home”[5]. The uncertainty and operational challenges posed by the cyber incident can have a lasting impact on employee trust and engagement.

What went wrong?

While the exact cause of the cyber-attack remains unclear, lessons from previous data breaches can give us an idea of what may have been the cause.

Lack of investment: Insufficient funding for cybersecurity measures can leave a company vulnerable to attacks. This includes not only hardware and software but also continuous updates and improvements to stay ahead of evolving threats.

Lack of prioritisation from senior management: Operating in an online space requires robust cybersecurity practices. It’s crucial for senior management to prioritise cybersecurity as a key component of their business strategy. The proactive management of the incident by M&S suggests that there is awareness at the top levels, but consistent prioritisation and integration of cybersecurity into all aspects of operations are essential.

Older systems and segmentation: Cybersecurity experts have said the move to suspend online operations was likely made to prevent the attack from spreading throughout M&S’s IT infrastructure.[6] Older systems can be more susceptible to breaches, and without proper segmentation, an attack can quickly escalate.

Training and awareness: Ensuring staff are well-trained and aware of cybersecurity protocols is crucial. Effective training programs can help employees recognise and respond to potential threats. Training and awareness initiatives for all staff members are vital to build a resilient cybersecurity culture. There is some excellent free training here: Top tips for staff – Overview from the National Cyber Security Centre (NCSC).

Conclusion

The incident at Marks & Spencer (M&S) has highlighted the critical importance of robust cybersecurity measures for any business. The disruption to online services and the impact on reputation, share price and employee morale all highlight the far-reaching consequences of such attacks. While M&S can be seen to be proactively managing the situation,[7] the long-term damage and ultimate costs remain to be seen.

Learn to Implement These Best Practices with Naomi Korn Associates

Are you looking for training which will equip you with the skills to handle data breaches with confidence? Invest in your information security skills today with our Information Security and Data Breach Management course, next running 10 June 2025, 9:30am-1pm. For more information and to book your ticket now, visit the event page: https://www.eventbrite.co.uk/e/1038821231267

Each of our intermediate courses can be taken as an individual course or as part of our Intermediate Certificate (available in Copyright and in Data Protection). Book any of our courses via our Online Training page or contact our Training Manager at info@naomikorn.com.


[1] Cyber attack forces M&S to stop taking orders online sending shares plummeting

[2] Marks & Spencer online disruption a ‘bruise’ to reputation, analyst says – BBC News

[3] M&S slumps by almost £800m as online orders halted for fourth day

[4] M&S suspends all online orders following cyber attack – Retail Gazette

[5] M&S: WFH staff locked out of systems amid cyber attack fallout – Retail Gazette

[6] M&S: WFH staff locked out of systems amid cyber attack fallout – Retail Gazette and CYBER INCIDENT – FURTHER UPDATE | Marks & Spencer

[7] CYBER INCIDENT – FURTHER UPDATE | Marks & Spencer
