What could have saved M&S?
Before Easter 2025, the name “Marks & Spencer” conjured images of luxury food items, tasteful clothing basics, and iconic TV adverts. But now? The brand has become synonymous with “cyber attack”, having lost an estimated £300 million (and counting) after a severe breach derailed their online systems and caused loyal customers to search for more reliable alternatives.
While we don’t know much for certain, the past few weeks have left fellow business owners wondering how such an attack could have happened in the first place – and whether they’ll be targeted next.
What happened?
Chief Executive Officer Stuart Machin has so far confirmed that cyber criminals were able to access M&S’s systems using social engineering tactics via a third-party supplier. He hasn’t been specific, but this could mean that an unlucky member of staff fell for a suspicious link or was perhaps tricked into revealing a password. A number of hacking groups – like Scattered Spider and DragonForce – have apparently been linked to the incident.
What Machin has said, however, is that this attack came as a result of “human error” and not a weakness in their own cyber security system – but some experts are not so sure…
Legacy systems failed
While a single individual may have been the hackers’ way in, it’s clear that M&S’s legacy systems failed to stop the attack before it did irreversible damage. That much is evidenced by the company’s recently announced digital transformation plans – initially set over a two-year period, this overhaul has been fast-tracked with an updated six-month timeframe.
The attack highlights the importance of upgrading your legacy systems to match cyber threats as they evolve, rather than letting them gather dust. This might not have saved M&S by itself, but it could have given them a better chance of minimising the consequences.
Slow incident response
A key area in which M&S’s legacy systems failed was incident response time. “A company needs to know immediately if and when they’ve been compromised and to be able to take action in a number of minutes,” says ICAEW Faculty Board member Daniel Teacher. “With M&S, they were in the system for days before it was detected.”
This gave the hackers ample time to spread their reach, stealing as much data as they possibly could and crippling IT systems with little resistance.
Third-party risks
M&S have not publicised the name of the third-party firm that initially let the hackers through. However, this does shine an important light on the risk posed by working with an organisation without conducting the necessary safety and cyber security checks – whether that’s an accounting firm that has access to employee bank details and National Insurance numbers, or a partner agency you share an open-source email server with.
Sly social engineering
Thankfully, the dust is beginning to settle for M&S, with the company re-opening their ecommerce website to customers and resuming normal operations six weeks after the initial attack. But it’s clear that robust insurance coverage and overhauled security systems won’t be enough to stop an attack like this in future, especially if hackers are clever about using social engineering tactics.
Employees need to be more eagle-eyed than ever when it comes to spotting fishy emails, dodgy links, and would-be impersonators – because modern cyber threats may not be as obvious as, “Click hear to claim you’re $50,000 prize!1!”.
Fasthosts: Your cyber security partner
Cyber attacks are growing increasingly frequent – and the trend doesn’t show any sign of slowing down. Now is the time to start taking proactive measures against cyber criminals… but you don’t have to work alone.
Fasthosts offers a number of different web hosting packages, each of which comes with 24/7 expert support from our hands-on customer team. And if you want to go the extra mile when it comes to safeguarding your business, we offer a full Cyber Protect package powered by Acronis. Get in touch to chat about your needs today.