M&S breach exposes retail sector's security risks (2025)


By: Saskia Koopman

Tech Reporter


Marks and Spencer (M&S) has been grappling with a serious cyber attack that forced the retailer to suspend online orders, disrupted in-store operations, and blocked its remote staff from working on its system.

The decision by the FTSE 100 retailer to shut down its website and app for almost a whole week reflects the scale of the attack, which experts believe may be linked to ransomware.

The breach highlights the growing cyber risks for UK retailers, whose interconnected systems – ranging from payment processing to click-and-collect services – present multiple entry points for bad actors to take advantage of.

Malicious activity is likely to follow

Cyber experts have warned that in the wake of the attack, M&S customers could become targets of further malicious activity.

Robert Cottrill, technology director at digital transformation firm ANS, explained the heightened risk.

“In the aftermath of a cyber incident, we often see a spike in related malicious activity, as cyber criminals look to exploit the confusion and disruption”, he explained.

“Cyber attackers can take the opportunity to target M&S customers, for example, with scam emails, texts, or even phone calls that seek to steal valuable data and information”.

Cottrill also advised customers to stay vigilant: “Always be cautious of unsolicited contact, especially over the phone. Scammers can spoof numbers or even use AI to mimic voices.”

A growing target

The M&S breach underscores the vulnerability of retail IT infrastructure, which has become an increasingly attractive target for cyber criminals.

Ev Kontsevoy, chief executive of Teleport, told City AM that the complex nature of retail systems brings unique risks for the sector.

“Retail IT infrastructure today consists of many interconnected services, including not just contactless payments but also click-and-collect, gift card processing, which makes the infrastructure vulnerable to lateral movement across systems”, he said.

He added that enforcing principles like ‘least privileged access’ is key to protecting retail systems.

“By default, nothing and nobody should have access to anything but the bare minimum resources needed to complete a specific task… they should only have access to that task for the duration it takes to complete it”.

Retailers must prioritise cyber security

Nathaniel Jones, vice president of security and AI strategy at Darktrace, commented on the potential scale of the attack, suggesting that “M&S taking systems offline suggests this is likely a ransomware-related incident.”

“It demonstrates how quickly cyber incidents can cripple retail operations across both digital and physical channels, and the suspension of online orders shows the cascading impact these attacks have on revenue streams”, Jones explained.

He stressed that retailers are prime targets due to their complex digital ecosystems: “M&S’s swift action to isolate affected systems shows appropriate crisis management, but this incident highlights why cyber security must be a fundamental business priority, not just an IT concern”.

Ransomware gangs often target firms like M&S with the goal of creating significant disruption and forcing a quick payout.

Julius Cerniauskas, chief executive of Oxylabs, said that “by freezing critical systems, criminals create chaos for both customers and the business”, which affects orders, payments, and store operations.

“The greater the disruption, the greater the pressure on the company to pay the ransom”, he said.

While M&S has worked quickly to bring in cyber security experts and alert the National Cyber Security Centre (NCSC), Cerniauskas emphasised the ongoing importance of long-term prevention.

“Preventing the situation from escalating further will depend on thorough system cleansing, patching vulnerabilities, and ensuring no back doors have been left behind by the attackers”.

Retailers learn a lesson

The cyber attack on M&S serves as an important case study for the retail sector, highlighting the urgency of strengthening digital resilience.

Dennis Martin, crisis management expert at Axians, commented on the growing threat of ransomware and the steps businesses should take to respond.

“Incidents like this serve as a reminder that cyber security is no longer just an IT concern, but a core operational risk. The swift action and transparency shown by M&S is exactly the kind of leadership we need to see more of across the industry”, he said.

He added that the key to managing future threats is resilience: “What is crucial now is learning from this, ensuring systems and operational processes are resilient, communications are clear and contingency plans are in place”.

As UK businesses increasingly rely on interconnected systems for their operations, experts advise businesses to implement robust cyber defence to safeguard personal data.

Nick Dyer, a security expert from Arctic Wolf, discussed how organisations can better prepare.

He told City AM: “The majority of cyber attacks like this are carried out by professional cyber gangs looking for a quick payout. They can exploit holes in organisations’ defences and know how to remain silent and hide their tracks”.

“It is also important to remember that no business is 100 per cent immune from cyber incidents”, he added, “so other retailers should take learnings from this incident”.

As the M&S incident unfolds, the retailer assured customers that no card details were compromised and that no further action is required on their part.

With the UK government preparing to roll out new cyber security regulations, namely the Cyber Security and Resilience Bill, businesses across all sectors must heed the lessons of M&S’s experience.
