We have often made the case that Information Security should be a board-level item that is clearly distinct from Information Technology.
If there was any doubt about this, the recent cyberattack on Marks & Spencer offers lessons we can all take a cue from. As a management consultant, I work in the field and have seen firsthand the increasing threat of cyberattacks. The recent incident at M&S serves as a critical example for all organisations, demonstrating both the immediate and the lasting effects of a security breach.
The cyberattack was a sophisticated assault that significantly disrupted M&S's operations and finances. It has been attributed to groups such as Scattered Spider and DragonForce, who are motivated by financial gain but equally want to bask in the glory of claiming the breach.
The financial impact on M&S has been considerable. The company anticipates a reduction of approximately £300 million (about $400 million USD) from its 2025 and 2026 operating profit. This highlights the substantial financial burden a cyber incident can impose. The attack led to widespread operational challenges, including a temporary halt to online shopping and disruptions to food sales and logistics caused by system outages, which in turn increased waste and expenses. The company’s market value also saw a significant drop, reflecting investor concern.

Customer loyalty appears to have largely remained intact. We all love Marks and Spencer, and coming from an Anglo-Saxon background myself, I can understand that there is no way I’ll be buying my socks anywhere else. That said, there was public frustration over the inability to place online orders and over product availability issues.
The theft of personal customer data, such as names, addresses, and order history, naturally raised concerns. Although M&S confirmed that no usable payment details or passwords were stolen, experts warned that even seemingly harmless data could be used for targeted phishing. The company’s transparent communication and advice to customers helped manage the situation, but the incident still served as a potent reminder of persistent cyber threats.
Going Forward
The M&S breach offers vital lessons on the long-term consequences of a security incident. M&S is now expediting its technology improvement plan to prevent future disruptions, compressing a two-year plan into six months. This reactive investment underscores the cost of not being proactive with security.
The attack exposed weaknesses in M&S’s operational resilience and business continuity. The reported chaos and the lack of a comprehensive cyberattack plan emphasise the critical need for robust incident response.
The breach reportedly originated through social engineering targeting a third-party contractor, highlighting the often-underestimated risk within the supply chain. An organisation’s security is only as strong as its weakest link, which increasingly includes its partners. Partners often go unchecked for many reasons that are beyond the scope of this piece.

While M&S has maintained customer loyalty, the potential for long-term reputational damage exists. Rebuilding trust after a data breach requires transparent communication, a clear commitment to security, and visible improvements.
Data breaches inevitably attract attention from regulatory bodies, which can lead to fines and legal challenges. The EU’s DORA (Digital Operational Resilience Act) is a clear set of regulatory standards, and I honestly wish it would be extended across all industries – not only tightly regulated markets.
The Increasing Importance of Multi-Factor Authentication (MFA)
This leads me to a crucial point: the growing importance of Multi-Factor Authentication (MFA) in combating cybercrime. The M&S incident, in which attackers gained unauthorised system access, reinforces the view that traditional password-based security is no longer sufficient.
MFA requires users to provide two or more verification factors to access an account. These typically include something you know (such as a password), something you have (such as a phone or hardware token), and something you are (such as a fingerprint). Companies such as Google, Microsoft and Apple have taken this further by using location signals and in-phone verification through authenticator apps.
MFA’s strength lies in its layered security. Even if a criminal steals one credential, they are still blocked from access without the second factor. Cybersecurity agencies globally, such as CISA, consistently state that MFA makes an account 99% less likely to be hacked.
For any organisation, implementing strong MFA across all employee accounts, critical systems, and customer portals isn’t just a recommendation – it’s essential for modern cybersecurity. It adds a crucial layer of protection against various attack methods, including credential stuffing, phishing, and breaches originating from third-party vulnerabilities.
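As an added illustration (not code from this article, from M&S or from any vendor named above), here is a minimal server-side check for the authenticator-app codes just described, following RFC 6238 TOTP with the defaults most apps use (SHA-1, 30-second step, six digits). The secret is the RFC test key, constructed for the demo, and the last_used_counter replay guard is my own addition to show why a captured code has only a short life.

```python
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per counter value (authenticator-app default)
DIGITS = 6      # code length shown to the user

# Constructed demo secret: the RFC 6238 test key in base32, as an enrolment
# QR code would carry it. Real secrets must be random and unique per user.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32):
    """Base32-decode a provisioning secret, tolerating missing padding."""
    clean = b32.strip().replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, unix_time):
    """The code an authenticator app displays at the given Unix time."""
    return hotp(secret, unix_time // TIME_STEP)


def verify_totp(secret, code, unix_time, window=1, last_used_counter=None):
    """Server-side check; returns the accepted counter, or None on rejection.

    window: time steps of clock drift tolerated either side of 'now'.
    last_used_counter: highest counter already consumed for this user, so a
    code captured once cannot be replayed inside the drift window.
    """
    now = unix_time // TIME_STEP
    for counter in range(now - window, now + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        # constant-time compare: the check itself leaks nothing about the digits
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None
```

The accepted counter should be stored per user after each successful login and passed back as last_used_counter on the next attempt.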

The M&S cyberattack is a powerful reminder that in our interconnected world, a proactive, multi-layered cybersecurity strategy, with MFA as a core component, is not just a technological requirement but a business imperative. The cost of a breach, as M&S is now experiencing, far outweighs the investment in robust preventative measures. Every organisation should view cybersecurity not merely as an IT concern, but as a fundamental business risk demanding top-level executive attention and investment.
If you feel that you could be more proactive in your approach to cybersecurity, reach out today and let’s get the ball rolling.
ABOUT THE AUTHOR
Damian Xuereb is a Director at Credence Consulting Limited.
You can get in touch with Damian via email, or through his LinkedIn page.