Cyber Resilience in Retail: A Wake-Up Call from the M&S Incident

2 days ago

3 min read

For retail, cyber resilience is now a frontline business imperative. The recent cyber attack on Marks & Spencer (M&S) is a stark reminder of how fragile digital ecosystems can be, and how quickly customer trust can evaporate when security fails.


The M&S Breach: A Case Study in Supply Chain Vulnerability

M&S was not directly breached by hackers. Instead, the entry point was a third-party supplier whose systems were compromised through sophisticated phishing and social engineering tactics. The attackers, identified as the cybercrime group Scattered Spider, manipulated supplier IT staff into resetting credentials, effectively handing over access to M&S’s digital infrastructure [1].


The fallout was severe:

  • £300 million in expected operating profit losses [1]

  • Over £750 million wiped from market value [5]

  • Online services suspended, including contactless payments and Click & Collect [2]

  • Customer data compromised, leading to an unprecedented class-action lawsuit [2]

This incident underscores a hard truth: Your cyber resilience is dependent upon critical suppliers who must protect themselves or risk your security.


Customer Fallout and Legal Repercussions

Beyond financial losses, M&S faced a reputational crisis. Over 350 customers joined a class-action lawsuit, citing distress, increased risk of scams, and time spent securing their accounts [2]. While M&S acted swiftly to contain the breach and communicate transparently, the damage to customer trust was already done.


Next’s Gain: A Competitive Advantage Born of Disruption

While M&S struggled to recover, rival retailer Next saw a surge in sales. In the second quarter of 2025, Next’s full-price sales jumped 10.5%, significantly outperforming expectations. The company attributed part of this growth to “trading disruption at a major competitor”, a clear reference to M&S [3].

Next upgraded its annual profit forecast to £1.1 billion, marking its third upward revision in five months [3]. This highlights how cyber security lapses can not only harm the affected business but also shift market dynamics in favour of competitors. This last bit is important for decision makers to understand: M&S lost customers because of its cyber resilience posture. I hear far too often that cyber resilience doesn't equate to a competitive advantage; yes it does, and Next are the beneficiaries of this 'advantage.'


Why Cyber Security Must Be a Retail Priority

The M&S incident is not isolated. Retailers like Co-op and Harrods have also faced breaches recently [4]. Here’s why cyber resilience must be embedded into every retail strategy:

  1. Retailers are prime targets: 24% of all cyber attacks target retail due to the volume of sensitive customer data [4].

  2. AI-powered threats are rising: Attackers now use deepfakes, botnets, and machine learning to bypass traditional defences [4].

  3. IoT vulnerabilities: Smart shelves and kiosks introduce new attack surfaces [4].

  4. Regulatory pressure: GDPR and PCI DSS 4.0 demand strict compliance, and non-compliance risks hefty fines [4].

  5. Customer trust is fragile: A single breach can deter over 60% of shoppers from returning [4].


Conclusion: Building Resilience Beyond the Firewall

Retailers must rethink cyber resilience as a shared responsibility across their supply chains. This means:

  • Enforcing multi-factor authentication

  • Conducting regular phishing simulations

  • Implementing network segmentation

  • Vetting and monitoring third-party vendors

  • Investing in incident response and recovery plans that include exercises and simulations

The M&S breach is a cautionary tale, but we are also seeing it act as a catalyst for customers looking to change and become resilient. In a digital-first retail world, cyber resilience isn’t just about protection; it’s about survival.


References

[1] What can I buy online at M&S since the hack?

[2] Next hikes outlook after sales boosted by weather and M&S woes

[3] Next raises profit outlook again after summer sales surge

[4] Full Year Results for the 52 Weeks Ended 29 March 2025

[5] M&S market value falls £700m amid cyber attack
