Marks & Spencer has at last resumed online orders more than six weeks after it was crippled by a cyber-attack.
The attack started in April, disrupting online operations, contactless payments, and supply chain logistics. Attributed to the Scattered Spider hacking group, it targeted M&S’s third-party payroll provider, exposing customer data and causing widespread operational failures.
The breach forced M&S to halt online orders, leaving shelves empty in some stores and delaying deliveries. Customers were warned to remain vigilant as personal data had been compromised.
Impact
- £300 million in lost operating profit for the fiscal year ending March 2026
- More than £1.3bn was wiped off its market valuation in the days after it first admitted it had been battling a cyber incident, with shares dropping by as much as 15pc
- Disruptions to automated stock systems, forcing M&S to revert to manual inventory management
- Legal claims from affected customers, with compensation lawsuits underway
Lessons Learned
- Cybersecurity Must Extend Beyond IT Systems – Retailers often focus on preventing breaches, but incident response is equally crucial. Businesses must have end-to-end cybersecurity strategies, including third-party risk management.
- Supply Chain Security is Business-Critical – The attack exploited vulnerabilities in M&S’s logistics partner, demonstrating that supplier security is just as important as internal protections. Companies must ensure third-party vendors adhere to strict cybersecurity standards.
- Cyber Insurance is a Safety Net, Not a Solution – While M&S expects insurance to cover some losses, the attack still caused long-term reputational damage and operational disruptions. Businesses must invest in proactive cybersecurity measures rather than relying solely on insurance.
- Employee Awareness is Key – Companies should train employees to recognise cyber threats, ensuring they don’t inadvertently compromise security.
The M&S cyber-attack serves as a wake-up call for all businesses worldwide. Cyber threats are evolving, and companies must prioritise cybersecurity and strengthen supply chain protections. If it can happen to one of the biggest brands in the world, then it could happen to anyone.