Over the four-day Easter weekend of 18 to 21 April 2025, customers of British high street fixture Marks & Spencer (M&S) took to social media in droves to lament an apparent outage that was causing disruption to in-store contactless payments.
At first glance, the disruption appeared to be the result of a run-of-the-mill IT glitch of the kind that happens from time to time, but by Tuesday 22 April, it was beginning to become apparent that something far more sinister was going on. M&S shut down a number of public-facing services, such as online shopping and in-store click and collect, and CEO Stuart Machin made the rounds of the morning news studios to confirm that the retailer had been hit by a cyber attack.
The incident was the first in a series of damaging attacks against UK retailers – all orchestrated in similar fashion via the systems of an unwitting third-party tech supplier – to come to light.
As the likes of Co-op and even Harrods were drawn in, Scattered Spider – the English-speaking hacking collective behind the attack – and associated groups such as Lapsus$ and ShinyHunters became household names.
Over the summer of 2025, the teenage hackers turned their attention to other targets, hitting organisations operating in multiple verticals around the world. The cyber crime spree arguably hit its zenith – or nadir depending on your point of view – with the August 2025 attack on carmaker Jaguar Land Rover (JLR), the repercussions of which continue to reverberate around the UK economy almost eight months on.
But the chaos kicked off at M&S, with shelves left empty as store managers struggled with downed ordering systems, and homes across the country going without upmarket picky teas, pig-shaped gummy sweets and caterpillar-themed cakes.
Third-party vulnerabilities: it started with a phone call
“A year on from the M&S attack, the numbers tell a stark story. Retail cyber attacks grew around 34% last year, and the trajectory since then suggests that figure has only climbed further,” says Check Point UK and Ireland head of enterprise, Charlotte Wilson.
“What the incident made clear is how the nature of the attack itself should be understood. The initial entry point at M&S, and at others like Jaguar Land Rover … was a phone call. Someone convinced a helpdesk operative to hand over system access by impersonating an employee. That was the door in, and it opened onto hundreds of millions of pounds of damage. The most expensive cyber attack in British retail history began with a conversation.”
Muhammad Yahya Patel, Huntress virtual chief information security officer (vCISO) and EMEA cyber security adviser, says it’s precisely this relatively unsophisticated origin story that marks the M&S breach as a case study that every security team – whether working in retail or not – should have printed out and stuck on the wall.
“The attackers didn’t find a zero-day. They didn’t bypass a next-gen firewall. They picked up the phone, pretended to be an M&S employee and asked a third-party service desk to reset a password. That was it,” says Patel.
“Everything that followed, the Active Directory database exfiltration, the credential cracking, the ransomware deployment across VMware hosts – all of it flowed from a lack of service desk processes.
“What Archie Norman called ‘sophisticated impersonation’ in Parliament is what the security community has been calling a Scattered Spider hallmark since the MGM breach in 2023. The playbook was public. The technique was documented. And it still worked.
“Perhaps the most sobering detail [is] the four individuals arrested by the NCA in July were aged 17 to 20. These weren’t nation-state actors with deep pockets and government backing. They were young, English speaking and extremely effective at finding the gap between an organisation’s technical controls, people and processes.”
The lasting effect on boardroom conversations
But significantly, says Check Point’s Wilson, the M&S attack seems to have served as a much-needed wake-up call for the retail industry, and many of her customers have started scrutinising their supply chains as a result.
“The attack exposed a hard truth: your security posture is only as strong as the weakest link in your vendor ecosystem, and for many retailers, that link had never been seriously stress-tested. The supply chain conversations happening in boardrooms today simply weren’t happening 18 months ago,” she says.
“Cyber risk is now seen as a board-level issue in a way it simply wasn’t before. That cultural shift may prove to be the attack’s most significant legacy.”
Dominic Mortimer, who leads the red team at Bulletproof from WorkNest, agrees that security leaders seem to be more alert to the dangers of social engineering.
“The M&S breach accounted for a huge and direct uptick in organisations wanting to include similar breach scenarios in their tests,” Mortimer tells Computer Weekly. “I feel like 80% of the latest red teams we’ve done following that breach announcement have all included help desk [or] vishing simulation scenarios to ensure the organisation’s resilience and defences extend to those third-party areas.
“It very much shone a light on an area that had previously been neglected by organisations, and many reconsidered or approached with greater scrutiny their reliance on outsourced third-party entities. So, it’s very much become a cautionary tale that organisations have taken to heart, which is a big positive despite the bad times had by M&S.”
Post-breach lessons
This said, cyber security in retail remains an uphill battle, and Wilson highlights some structural factors that still make retailers harder to protect than, for example, financial services companies, or business-to-business publishing houses.
These factors include – but are not limited to – more public-facing contact points that lead to significantly higher volumes of phishing attempts, frequent frontline staff turnover and historically lower average security maturity. This all adds up to a threat environment that’s hard to harden. Moreover, Wilson adds, retailers operate on such tight margins that cyber security faces persistent underinvestment.
It’s perhaps not much of a surprise then that Check Point’s most recent cyber attack statistics for March 2025 reveal that the consumer goods and services sector was one of the most heavily targeted in the UK.
Huntress’ Patel says he’s now seeing a wave of multi-channel approaches by hackers using email, phone calls, SMS and even Microsoft Teams to build trust with employees before delivering the killer blow. This, he says, makes them hard to stop with any single method of control.
“It requires a culture of verification and education, not just a stack of tools,” he says. “The organisations that come out of this period strongest won’t necessarily be the ones who spent the most. They’ll be the ones who were honest about where their real gaps were and closed them.
“At Huntress, we regularly see attackers inside businesses as we step in to stop them in their tracks. We’re witnessing a professionalised scaling of the identity theft ecosystem. Adversarial efficiency is at an all-time high. By transforming unauthorised access into reliable, long-term footholds, attackers are treating networks like a marketplace.
“Organisations must pivot their strategy: if you’re only watching the ‘break-in’, you are missing the breach. The priority must shift to rigorous, post-authentication visibility and anomaly detection,” he says.
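The chain Patel describes earlier in the piece, a phone call to a third-party service desk followed by a password reset, and his call here for post-authentication visibility, both lend themselves to a small correlation check on the defender's side. The following is an added example written for this article, not code from Huntress, Check Point, M&S or any other organisation named above. It assumes two constructed log feeds with invented field names (helpdesk reset tickets recording how the caller was verified, and identity-provider sign-in events), plus a per-account baseline of device and country pairs seen before the window. It flags resets granted without a strong identity check, sign-ins shortly after a reset from a device or country the account has never used, and rates a ticket "high" when both signals coincide.

```python
from datetime import datetime, timedelta

# Constructed sample helpdesk tickets (not real data). `verified_by` records how
# the service desk confirmed the caller's identity before resetting the password.
RESET_TICKETS = [
    {"ticket": "HD-1001", "user": "alice", "time": "2025-06-02T09:02:00Z",
     "channel": "phone", "verified_by": "callback_to_registered_number"},
    {"ticket": "HD-1002", "user": "bob", "time": "2025-06-02T09:40:00Z",
     "channel": "phone", "verified_by": "caller_knowledge"},
]

# Constructed sample identity-provider sign-in events.
SIGNINS = [
    {"user": "alice", "time": "2025-06-02T09:15:00Z", "device": "LAPTOP-A1",
     "country": "GB", "success": True},
    {"user": "bob", "time": "2025-06-02T09:55:00Z", "device": "UNKNOWN-7F",
     "country": "US", "success": True},
    {"user": "bob", "time": "2025-06-02T10:05:00Z", "device": "UNKNOWN-7F",
     "country": "US", "success": True},
    {"user": "bob", "time": "2025-06-04T08:00:00Z", "device": "UNKNOWN-7F",
     "country": "US", "success": True},   # outside the 24h window, ignored
    {"user": "carol", "time": "2025-06-02T11:00:00Z", "device": "LAPTOP-C3",
     "country": "GB", "success": True},
]

# Per-account baseline of (device, country) pairs seen before the window.
BASELINE = {
    "alice": {("LAPTOP-A1", "GB")},
    "bob": {("LAPTOP-B2", "GB")},
    "carol": {("LAPTOP-C3", "GB")},
}

# Verification methods an (assumed) reset policy accepts as proof of identity.
# Anything a caller could simply know or look up is deliberately not listed.
STRONG_VERIFICATION = {"callback_to_registered_number", "in_person", "manager_approval"}


def parse_time(stamp):
    """Parse the ISO 8601 UTC timestamps used in the constructed feeds."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def weak_verification_tickets(tickets):
    """Ticket ids where the reset went ahead without a strong identity check."""
    return [t["ticket"] for t in tickets if t["verified_by"] not in STRONG_VERIFICATION]


def post_reset_anomalies(tickets, signins, baseline, window=timedelta(hours=24)):
    """Map ticket id -> times of successful sign-ins inside `window` after the
    reset whose (device, country) pair the account has never used before."""
    findings = {}
    for t in tickets:
        start = parse_time(t["time"])
        seen = baseline.get(t["user"], set())
        for s in signins:
            if s["user"] != t["user"] or not s["success"]:
                continue
            when = parse_time(s["time"])
            if not (start <= when <= start + window):
                continue
            if (s["device"], s["country"]) not in seen:
                findings.setdefault(t["ticket"], []).append(s["time"])
    return findings


def triage(tickets, signins, baseline):
    """Combine both signals into a severity per ticket: both -> high,
    one -> medium, neither -> low."""
    weak = set(weak_verification_tickets(tickets))
    anomalies = post_reset_anomalies(tickets, signins, baseline)
    result = {}
    for t in tickets:
        tid = t["ticket"]
        if tid in weak and tid in anomalies:
            result[tid] = "high"
        elif tid in weak or tid in anomalies:
            result[tid] = "medium"
        else:
            result[tid] = "low"
    return result


if __name__ == "__main__":
    for tid, severity in triage(RESET_TICKETS, SIGNINS, BASELINE).items():
        print(tid, severity)
```

Run against the constructed data, HD-1001 (reset verified by callback, then a sign-in from a known laptop) rates low, while HD-1002 (reset on the caller's say-so, then two sign-ins from an unseen device abroad) rates high. In practice the baseline would come from the identity provider's own history and the reset feed from the service desk tool, and the "high" tickets would be the ones an analyst phones the real employee about.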
Wilson reflects that the M&S incident seems to have prompted the government to start to act with more urgency. She notes the National Cyber Security Centre (NCSC), in its most recent annual report, says it dealt with 204 “nationally significant” cyber attacks from September 2024 to September 2025, more than doubling the previous record of 89. She also points out the progress made on the Cyber Security and Resilience Bill (CSRB), and Westminster’s Cyber Action Plan and proposed £210m centralised cyber unit.
“We’re finally starting to see government not just understand but actively communicate the societal and economic cost of cyber threats. That’s progress,” she says. “What hasn’t changed, though, is individual behaviour. Consumers going about their daily lives aren’t taking meaningfully more care with their personal data.
“And there’s a chapter of this story that hasn’t been told nearly loudly enough: the wave of class-action scams that followed the breaches. They’re still out there on social media: deepfake videos asking whether you were affected, whether you might be entitled to compensation, harvesting the details of the very people who were already victims once.
“The original breach made the headlines, but the scams that consumed it didn’t. And from a societal perspective, our collective ability to recognise and resist that kind of secondary exploitation simply hasn’t improved. The attackers know it, and they’re counting on it,” she warns.