
One Year on From the M&S Cyber Attack: What Did We Learn?
Why It Matters
The M&S breach highlighted how a single human error can cripple retail operations, driving a sector‑wide shift toward stronger vendor oversight and board‑level cyber governance.
Key Takeaways
- M&S breach began with a fake help‑desk phone call
- Attack exposed third‑party vendor access as the weakest link
- Retail boards now treat cyber risk as a C‑suite priority
- UK NCSC reported 204 nationally significant attacks in 12 months
Pulse Analysis
The 2025 Easter weekend outage at Marks & Spencer was more than a technical glitch; it was a textbook case of social engineering in which attackers talked a third‑party service desk into resetting credentials, then used that access to deploy a ransomware payload. Within days the retailer’s online shop, click‑and‑collect, and in‑store payment systems were down, costing millions in lost sales, and the incident was followed by a run of attacks on other UK retailers and, later in the year, the high‑profile breach at carmaker Jaguar Land Rover. The episode underscored the vulnerability of retail supply chains, where thin margins and high staff turnover often leave security under‑invested, and it forced the industry to confront the reality that a single phone call can open the door to “hundreds of millions of pounds” in damage.
Security experts say the M&S case has reshaped defensive playbooks. Red‑team firms now embed help‑desk impersonation and vishing simulations into 80% of post‑breach assessments, emphasizing a verification culture over tool stacking. Huntress and Check Point note that attackers now blend email, SMS, and Microsoft Teams to build trust before striking, so a defence that watches a single channel is obsolete. The lesson for retailers is clear: robust identity‑verification processes at the help desk, continuous monitoring of what an account does after a reset or login, and a holistic view of third‑party risk are essential to stop the breach, not just the break‑in.
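The "post‑authentication monitoring" the experts call for is concrete enough to show. The script below is an added example, not code from the article, from M&S or from any vendor named above: it scans identity‑provider audit lines for the chain a help‑desk pretext produces (a help‑desk‑initiated password reset, optionally an MFA re‑enrolment, then a login from a device the user has never used) and raises one alert per chain. The log format, field names, usernames and device fingerprints are hypothetical and the sample lines are constructed for the demo; a real deployment would map its own IdP's event names onto the three checked here.

```python
"""Flag help-desk password resets that are followed by a login from a new device.

Added example for this article; not the code of any organisation it mentions.
Log format, field names and sample lines are hypothetical/constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in a hypothetical key=value format:
# <ISO-8601 UTC timestamp> user=<id> event=<type> actor=<self|helpdesk> device=<fp> ip=<addr>
# Chronological order is assumed by the detector (parse_log() sorts to be safe).
SAMPLE_LOG = """\
2025-04-16T08:00:00Z user=mchen event=login actor=self device=dev-c3 ip=203.0.113.21
2025-04-17T09:02:11Z user=jsmith event=login actor=self device=dev-a1 ip=203.0.113.5
2025-04-17T09:40:52Z user=jsmith event=password_reset actor=helpdesk device=- ip=-
2025-04-17T09:43:07Z user=jsmith event=mfa_reenroll actor=helpdesk device=- ip=-
2025-04-17T09:51:30Z user=jsmith event=login actor=self device=dev-zz9 ip=198.51.100.77
2025-04-17T10:15:00Z user=alee event=password_reset actor=self device=dev-b2 ip=203.0.113.9
2025-04-17T10:16:10Z user=alee event=login actor=self device=dev-b2 ip=203.0.113.9
2025-04-17T11:00:00Z user=mchen event=password_reset actor=helpdesk device=- ip=-
2025-04-17T11:05:00Z user=mchen event=login actor=self device=dev-c3 ip=203.0.113.21
"""


def parse_line(line):
    """Turn one 'ts k=v k=v ...' line into a dict with a datetime under 'ts'."""
    ts_str, *kvs = line.split()
    ev = {k: v for k, v in (kv.split("=", 1) for kv in kvs)}
    ev["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parse_log(text):
    """Parse all non-empty lines and return them sorted by timestamp."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def find_reset_chains(events, window=timedelta(hours=1)):
    """Return one alert per user where a help-desk-initiated password reset is
    followed within `window` by a login from a device that user had never used
    before. An MFA re-enrolment between reset and login raises severity to high.
    Self-service resets and logins from already-known devices do not alert."""
    known_devices = defaultdict(set)  # user -> devices seen on earlier logins
    pending = {}                      # user -> state of an open help-desk reset
    alerts = []
    for ev in events:
        user, kind = ev["user"], ev["event"]
        if kind == "password_reset" and ev["actor"] == "helpdesk":
            pending[user] = {"reset": ev, "mfa_reset": False}
        elif kind == "mfa_reenroll" and user in pending:
            pending[user]["mfa_reset"] = True
        elif kind == "login":
            state = pending.pop(user, None)  # a login closes the open reset either way
            if state and ev["ts"] - state["reset"]["ts"] <= window \
                    and ev["device"] not in known_devices[user]:
                alerts.append({
                    "user": user,
                    "reset_at": state["reset"]["ts"].isoformat(),
                    "login_at": ev["ts"].isoformat(),
                    "device": ev["device"],
                    "ip": ev["ip"],
                    "mfa_reset": state["mfa_reset"],
                    "severity": "high" if state["mfa_reset"] else "medium",
                })
            known_devices[user].add(ev["device"])
    return alerts


def format_alert(a):
    """Render an alert as a single line suitable for a SIEM or ticket."""
    return (f"[{a['severity'].upper()}] {a['user']}: help-desk reset at {a['reset_at']}, "
            f"mfa_reset={a['mfa_reset']}, login from unseen device {a['device']} "
            f"({a['ip']}) at {a['login_at']}")


if __name__ == "__main__":
    for alert in find_reset_chains(parse_log(SAMPLE_LOG)):
        print(format_alert(alert))
```

On the constructed input only `jsmith` fires: a help‑desk reset, an MFA re‑enrolment three minutes later, then a login from a device with no history, which is the shape of the chain the article describes. `alee` reset their own password and `mchen`'s help‑desk reset was followed by a login from a device already on record, so neither is flagged; the point is that the reset itself is routine and only the post‑authentication context separates the attacker from the legitimate caller.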
Boardrooms and regulators have taken notice. The National Cyber Security Centre logged 204 nationally significant attacks between September 2024 and September 2025, more than double the previous year’s figure, prompting the UK government to allocate roughly $260 million for a centralized cyber unit and to fast‑track the Cyber Security and Resilience Bill. As cyber risk becomes a C‑suite agenda item, retailers that transparently assess and remediate vendor gaps will likely emerge stronger, while those that ignore the human element risk repeated disruption and the costly follow‑on scams and compensation claims that trailed the original breach.