In April 2025, Marks and Spencer (photo by Mark Rowe: cash in transit van outside M&S in Nottingham) suffered one of the most disruptive cyber attacks in UK history. The IT business continuity (BC) and disaster recovery services firm Databarracks' Resilience Director, Chris Butler, and Deputy Resilience Director, the BC trainer Charlie Maclean-Bristol, outline six key lessons.
What happened?
The attack on M&S began with social engineering rather than a technical exploit. The attackers are reported to have gained access via a third-party IT service desk, before moving laterally across the environment.
M&S took core systems offline to contain the threat. Online sales were suspended for 46 days, while Click & Collect remained disrupted well beyond that. Stores stayed open, but parts of the operation had to fall back on manual workarounds, with stock availability and logistics hit hard. The attack is estimated to have cost M&S around £300m, with £100m offset through insurance.
The attack coincided with a similar incident at Co-op, later classified by the National Cyber Security Centre as part of a single combined cyber event. The outcomes, however, were very different, with Co-op's segmented architecture limiting the blast radius and allowing it to keep core services online.
Lesson 1: insurance is part of your resilience strategy
Cyber insurance proved its value for M&S, not just financially, but operationally. Charlie Maclean-Bristol: "M&S recovered around £100 million through insurance against a widely reported £300 million impact. That alone shows its value. But insurance also gives you immediate access to specialist support: technical, legal and PR. The last thing you want in a crisis is scrambling to find help. You need to be clear what your policy covers, what it doesn't, and what support you can call on when an incident occurs."
Lesson 2: Identity is the front door – and service desks are a weak point
In the M&S attack, the attackers didn't break through technical defences. They used social engineering to get legitimate access.
Chris Butler: "Identity needs to be treated as the main security boundary. Stronger procedures, verification checks and controls around privileged access are essential, especially for high-risk actions. Service desks are vulnerable to social engineering attacks because they're under constant pressure to resolve issues quickly. That creates a trade-off between speed and security, and attackers exploit it."
Charlie Maclean-Bristol: "We need the same level of training for social engineering as we have for phishing. Everyone knows not to click a suspicious link. The same awareness needs to apply to someone asking for access. It doesn't matter how high your castle walls are if attackers can simply call the gatekeeper and be let in. Staff need both the awareness and the confidence to follow process, even under pressure."
Lesson 3: Treat third-party risk as a core resilience issue
Around 30 per cent of breaches now originate through third parties (Verizon: 2025 Data Breach Investigations Report), and the M&S attack followed that pattern.
Chris Butler: "Supplier resilience is part of your resilience, not someone else's problem. For large organisations with hundreds or thousands of suppliers, this becomes a practical challenge. You can't tightly control everything, so the key is prioritisation. Focus on those with access to critical systems and data and make sure your strongest controls apply there. This goes beyond questionnaires. You need visibility of third-party access, clear accountability in contracts and confidence that suppliers are applying the same identity and security controls as your own teams."
Lesson 4: Test and exercise your response frequently
Testing and exercising materially improves outcomes.
As Rob Elsey, Chief Digital and Information Officer at the Co-op, told Parliament: "We had war gamed this precise scenario as a leadership team before, so the board itself was very well prepared for who would take what role. That definitely paid dividends through the crisis."
Chris Butler: "Exercises need to be realistic and frequent. Too often they're not demanding enough or don't reflect the pressure of a real incident. Research shows that after around six months response capability starts to decline. That should be the minimum interval between exercises."
Charlie Maclean-Bristol: "I am sure that M&S must have exercised their response, but I suspect the challenge they faced was far more extreme than anything they had practised. That's common. Organisations often avoid 'Armageddon' scenarios because they feel too extreme. But it's something that organisations would benefit from testing. If everything goes down, what do you do? Without practising that, you won't be ready for these kinds of existential threats."
Lesson 5: Segment systems to limit impact
Once attackers are inside, the question is how far they can move. Containment is what separates an incident from a crisis.
Charlie Maclean-Bristol: "One of the key lessons here is that you need to limit how far attackers can move. There's a clear contrast between what happened at M&S and what happened at Co-op, who faced the same threat. Co-op appears to have contained the attackers more effectively, which meant they were able to keep systems running and recover more quickly. M&S, by contrast, experienced much more widespread disruption."
Chris Butler: "It makes sense to assume attackers will gain access and design for containment through segmentation. If they reach your Active Directory, they've got your crown jewels. Without segmentation, they can move laterally very quickly."
Lesson 6: Backups are the foundation of recovery
Recovery from a cyber attack ultimately depends on whether you can restore safely and quickly.
Chris Butler: "Back-ups are your route back, and attackers know that too. That's why they target them. They need to be immutable and effectively air-gapped, so they can't be tampered with. You also need to be able to restore into an environment you know is clean. If you can't trust your back-ups, recovery becomes much slower and far more uncertain."
Charlie Maclean-Bristol: "If attackers can get to both your main systems and your backups, you're in real trouble. You're rebuilding from scratch, and that's massively disruptive. That's why backups need to be immutable, air-gapped and regularly tested. You also need to know how long recovery will take, and what you'd need to spend to reduce the downtime. That trade-off between cost and recovery speed is a business decision, not just a technical one."
Closing
Chris Butler: "M&S's strong financial position and reputation as a trusted, 'core British brand' helped it survive the incident. Not many organisations could absorb a disruption costing £3.5m a day. The lesson for others, particularly in retail, is how little it takes. Attackers only need to succeed once, and the damage can run into hundreds of millions. Retail will remain a target. With fine margins and daily revenue at stake, even short periods of downtime are immediately costly, so the focus has to be on limiting impact and being ready to recover."
Charlie Maclean-Bristol: "There's a lot you can point to in hindsight – segmentation, exercising, awareness of the social engineering threat – but it's also important to recognise the response. Ultimately, M&S managed the recovery successfully. They kept stores trading, communicated fairly well with customers and didn't promise things they couldn't do. That meant they avoided the kind of reputational damage we've seen with other cyber attacks.
This was possible in part because M&S went into the incident from a position of strength, with a healthy balance sheet and a trusted brand. Customers were willing to cut them some slack on it. Not every organisation would have survived this. A smaller business, or even M&S itself a decade ago, might not have made it through. Strong brands get the benefit of the doubt, and that can make all the difference in a crisis."
The takeaways
M&S used the incident as a catalyst for change, accelerating its technology transformation and resilience agenda.
The lessons for other UK businesses: stronger control of identity, tighter management of third-party access, greater awareness of social engineering risks (particularly in service desks), segmented systems to limit impact, robust back-up and recovery capability, and a business prepared to operate through disruption, supported by regularly tested and exercised response plans.