
Cyber resilience: A wake-up call from the M&S incident

Jack Marley, P3M Works

Posted: Thu 25th Sep 2025

5 min read

For retail, cyber resilience is now a frontline business imperative.

This year's cyber attack on Marks & Spencer (M&S) is a stark reminder of how fragile digital ecosystems can be, and how quickly customers' trust can evaporate when security fails.

The M&S breach: A case study in vulnerable supply chains

Hackers didn't breach M&S directly. Instead, the entry point was a third-party supplier whose systems were compromised through sophisticated phishing and social engineering tactics.

The attackers – identified as the cyber-crime group Scattered Spider – manipulated the supplier's IT staff into resetting credentials, which effectively handed over access to M&S's digital infrastructure.

The fallout was severe:

This incident underscores a hard truth: your cyber resilience depends on critical suppliers who must protect themselves – or risk your security.

Customer fallout and legal repercussions

Beyond financial losses, M&S faced a reputational crisis. Over 350 customers joined a class-action lawsuit, citing distress, an increased risk of scams and time spent securing their accounts.

While M&S acted swiftly to contain the breach and communicate transparently, the damage to customers' trust was already done.

How Next gained a competitive advantage born of disruption

While M&S struggled to recover, rival retailer Next saw a surge in sales. In the second quarter of 2025, Next's full-price sales jumped 10.5%, significantly outperforming expectations.

The company attributed part of this growth to "trading disruption at a major competitor" – a clear reference to M&S.

Next upgraded its annual profit forecast to £1.1 billion, marking its third upward revision in five months. This highlights how cyber security lapses can not only harm the affected business but also shift market dynamics in favour of competitors.

This last bit is important for decision-makers to understand. M&S lost customers because of its cyber resilience posture. I hear far too often that cyber resilience doesn't equate to a competitive advantage – it absolutely does and, in this case, Next was the main beneficiary.

Why cyber security must be a retail priority

The M&S incident is not isolated. Retailers like Co-op and Harrods have also faced breaches in 2025. Here's why every retail business, whatever its size, must build cyber resilience into its strategy:

  1. Retailers are prime targets: 24% of all cyber attacks target retail because of the volume of sensitive customer data these companies hold.

  2. AI-powered threats are rising: Attackers now use deepfakes, botnets and machine learning to bypass traditional defences.

  3. Internet of Things (IoT) vulnerabilities: Smart shelves and kiosks introduce new ways to attack.

  4. Regulatory pressure: GDPR and PCI DSS 4.0 demand strict compliance, with hefty fines for companies that fall short.

  5. Customer trust is fragile: A single breach can deter over 60% of shoppers from returning.

Conclusion

As a retailer, you must rethink cyber resilience as a shared responsibility across your supply chains. This means:

  • enforcing multi-factor authentication (MFA)

  • conducting regular phishing simulations

  • putting network segmentation in place

  • vetting and monitoring third-party vendors

  • investing in incident response and recovery plans that include exercises and simulations

A lot of this can be technical, so contact the P3M Works team to learn how we can help you with your cyber resilience. We have a depth of experience across many different industries.

The M&S breach is a cautionary tale, but we can also see it as a catalyst for businesses to change and become resilient. In a digital-first retail world, cyber resilience is no longer about protection only. It's now a case of survival.
