The recent cyberattack on retail giant Marks & Spencer (M&S) sent ripples of concern across the UK and beyond. While the immediate disruption to business operations—crippling online ordering and causing significant reputational damage—grabbed headlines, the subsequent revelation that customer data, including telephone numbers, home addresses, and dates of birth, had been compromised has amplified anxieties.
Industry experts are dissecting the attack, offering insights into the potential causes, the implications for both M&S and its customers, and crucially, the lessons that other organizations can learn to bolster their own cyber defenses.
Intelligent CISO spoke with three leading figures in the field: Adam Blake, CEO and Founder of ThreatSpike; Spencer Starkey, Executive VP EMEA of SonicWall; and Tim Grieveson, Chief Security Officer & EVP Information Security at ThingsRecon. Their perspectives offer a comprehensive analysis of the incident, moving beyond sensationalism to provide actionable insights for businesses navigating an increasingly perilous digital world.
More than just data theft
Adam Blake of ThreatSpike offers a contrarian yet crucial perspective on the M&S incident, urging a shift in focus from the often-overstated threat of leaked personal data to the more immediate and impactful consequences for business continuity and reputation. “There’s a lot of frustrating rhetoric and misunderstanding circulating about major cyber incidents impacting retailers like M&S. Most significantly, what the actual threat to the company and its customers really is. The truth is, by this point, consumers’ data has almost certainly leaked dozens of times in the last decade—names, phone numbers, dates of birth, and more. The data itself is not actually that valuable to anyone. Both M&S and the threat group know this, and there’s no actual indication the data has been shared yet with anyone,” he notes.
Blake emphasizes that the primary objective of the attackers lies in disrupting operations and causing reputational fallout. “The main damage was to business continuity, wiping out M&S’ ability to take orders and incurring massive reputational damage. Most companies hope to get their systems back up in five to 10 days, but the disruption in this case has persisted for weeks. The subsequent fallout will be severe. People will ask questions: Why was everything so reliant on on-prem IT? Why was there no business continuity? How did they pass their compliance audits?”
He suggests that the ransom demand is intrinsically linked to reputational damage. “The threat group will expect M&S to pay the ransom to mitigate further reputational damage. This is how the group will make its money and there’s incentive for M&S to negotiate payment in the background—even though they shouldn’t—if only to be able to say they did everything they could to protect people’s data. The optics matter. The more systematic you make these incidents, the scarier they are, and the more likely it is that the next big brand victim will pay the ransom—not because of any legitimate damage, but because nobody wants to be accused of not doing everything they possibly could to protect customer data.”
Navigating the regulatory minefield: The cost of non-compliance
While the operational and reputational impact is significant, the regulatory implications of the M&S breach cannot be understated. Spencer Starkey, Executive Vice President EMEA of SonicWall, highlights the potential financial penalties M&S could face. “M&S has taken the right first step by self-reporting to the ICO and NCSC. However, regulatory exposure remains. Under UK GDPR, failure to protect personal data or report breaches promptly can lead to fines up to £17.5 million or 4% of global turnover. If M&S handles EU customer data, it may also fall under the NIS2 Directive, which carries additional fines of up to 10 million euros.”
He adds that penalties often depend on how swiftly and transparently an organization responds—and whether robust cyber-resilience measures were in place before the breach. “While M&S is actively working to resolve the issue with the assistance of cybersecurity experts and national authorities, there is currently no definitive timeline for full recovery. The complexity of the attack, involving encrypted systems and potential data breaches, suggests that restoration of all services could take several days or even weeks. At SonicWall, we saw organizations under critical attack for an average of 68 days in 2024, highlighting the potential for prolonged recovery periods following sophisticated cyberattacks.”
The enduring risk to customers: beyond financial loss
While M&S has indicated that sensitive financial and password data were not compromised, Tim Grieveson of ThingsRecon cautions against complacency. “It is noted that M&S is indicating a lower risk due to the exclusion of sensitive financial and password data. However, in my opinion, it does not mean that customers are not at risk even when these specific details are not compromised,” he states. “As we know, these scams are on the rise and might try to convince customers into revealing passwords, financial details, or clicking on malicious links. Email addresses and other contact information could also be sold to spammers or other malicious actors, leading to an increase in unsolicited emails, calls, or texts.”
Grieveson highlights the importance of proactive security measures, even when the immediate threat appears limited. “M&S has stated that customers will be prompted to reset their password the next time they log in as an ‘extra peace of mind’ measure. While this isn’t a direct result of passwords being stolen, it’s a good security practice to ensure existing credentials aren’t compromised by other means or used in credential stuffing attacks where attackers try stolen username/password combinations from other breaches.”
He offers practical advice for consumers following the breach, stating, “While M&S’s assessment that customers don’t need to take immediate action is based on the understanding that payment details and passwords were not compromised, which reduces immediate financial risks, it’s important to remain vigilant after any data breach.” He further advises customers to:
- Remain alert to suspicious communications: Be cautious of any emails, calls, or texts claiming to be from M&S or other companies, especially if they ask for personal or financial information, or contain uncertain links.
- Use strong, unique passwords: Consider changing passwords immediately to maintain secure access. Using unique and strong passwords for all online accounts is encouraged. If you’ve reused your M&S password on other sites, consider changing them all as well.
- Enable Two-Factor Authentication (2FA): Always apply 2FA for your accounts where available. This adds an extra layer of security and makes it harder for attackers to gain access to sensitive systems.
- Monitor your accounts: Regularly check your online accounts for any unusual activity.
He concludes, “While the risk is indeed lower than a breach involving payment or password details, it’s not entirely absent. Staying informed and practicing good online security habits is always the best defense, along with being alert and maintaining good digital hygiene.”
Adam Casey, Director of Cybersecurity & CISO at Qodea, remarks that while cyber insurance is a good starting point, it’s not a cure-all solution to such breaches. “Cyber insurance is a good safety net, but it isn’t a panacea replacing the need for solid cyber defenses. Insurance absorbs some of the financial shock from lost sales, but what it can’t restore is the erosion of customer trust, reputational damage, and regulatory fines that can emerge from a significant attack.”
This underscores the critical importance of comprehensive risk assessments, Business Impact Analyses (BIAs), properly tested Business Continuity and Disaster Recovery (BCDR), and Incident Response plans. “A claim of this scale will attract intense scrutiny from insurers. Claims handlers will focus on whether required security controls were active, how end-of-life systems were managed, and the level of cyber training employees received. Any hint of non-compliance or negligence could reduce the payout or have it denied altogether.”
He adds, “Filing an insurance claim doesn’t necessarily signal a refusal to pay the ransom. However, non-payment of ransom often happens because payment sets a dangerous precedent that might encourage further attacks and lead to escalating demands. The decision to notify customers about personal data being impacted often aligns with transparency and fallout management, rather than surrendering to demands.”
A reset for the industry?
Ultimately, the M&S cyberattack should act as a catalyst for organizations to re-evaluate their cybersecurity strategies, moving beyond fragmented solutions toward integrated platforms, fostering a culture of security awareness, and investing in the talent and technologies necessary to navigate an increasingly complex and hostile digital landscape. The cost of inaction, as M&S is currently experiencing, far outweighs the investment in building true cyber resilience.