The Cyberattack on Marks & Spencer: a Case Study

• 22 April 2025 - M&S IT systems disrupted during Easter weekend.
• 23 April 2025 - Public confirmation of a cyber incident by M&S.
• 25 April 2025 - Full website and online shopping services offline.
• 13 May 2025 - Market reports reveal a £1 billion drop in M&S market value.
• 15 May 2025 - Press confirms ransomware group Scattered Spider responsible.
• 21 May 2025 - Allianz and Beazley named as insurers, claims approach £300 million.

The Attack

As reported over the Easter break, the high-street brand confirmed that personal data belonging to its customers was stolen during the cyber-attack. The data stolen can clearly identify individuals, as it includes names, surnames, email addresses, home addresses, telephone numbers, dates of birth and even ‘masked’ card details. To date it appears that the data has not been shared or sold, however there is no guarantee that this will remain the case.

The attack was reportedly carried out using a service on the dark web called ‘DragonForce’. The service involves taking a copy of victims' data and scrambling it, then asking for a ransom to unscramble it and delete their copy of the data.  This incident underscores the critical importance of robust cybersecurity measures for businesses, as the stolen data includes information which can identify Marks and Spencer’s customers, such as names, email addresses, home addresses, and more.

Attack Vector and Scope

The cyberattack reportedly originated from a compromised third-party IT service provider. The ransomware group Scattered Spider allegedly used SIM-swapping and phishing to gain access. The breach exposed sensitive customer data and internal HR records.

Data Protection and Regulatory Duties

M&S is required to notify the Information Commissioner’s Office (ICO) under the UK GDPR within 72 hours of becoming aware of the breach. The affected data categories likely qualify as personal and possibly special category data under Article 9.

Failure to implement appropriate technical and organisational measures could expose M&S to enforcement action and fines under Article 32 UK GDPR.

Contractual Liability and Vendor Risk

This incident underscores the critical importance of robust vendor agreements, including:

• Audit and control rights
• Data breach notification clauses
• Indemnities and limitations of liability

Where the attack stems from a third-party failure, M&S may have recourse under contractual warranties or tortious claims, though effectiveness will depend on the vendor’s solvency and insurance.

Cyber Insurance and Financial Losses

Reports suggest Allianz, with syndicate Beazley, is handling a claim estimated at £300 million. Disputes may arise over:

• Attribution of the breach (e.g. state actors vs. criminals)
• Scope of coverage, especially for reputational loss and business interruption
• Policy exclusions, such as those related to software supply chain vulnerabilities

Business and Financial Impact

The incident severely disrupted online operations for over three weeks, during a peak shopping period. Financial analysts estimated:

• Over £60 million in lost sales
• A £1 billion decline in market capitalisation
• Reputational damage in consumer trust and brand loyalty

Such impacts underline the need for cyber-resilience as a board-level issue.

1. Cybersecurity is a Board Responsibility

Leaders must ensure cybersecurity is not just an IT issue, but a corporate governance priority with regular review and strategic oversight.

2. Vendor Agreements Must Allocate Cyber Risk

Companies must reassess contractual protections in all supplier agreements—particularly those involving data processing or IT functions.

3. Test Your Insurance Coverage Now

Board and legal teams should review the scope, exclusions, and triggers in cyber insurance policies to ensure real-world applicability.

4. Implement Robust Breach Response Protocols

Simulate ransomware scenarios across legal, compliance, comms, and technical functions. Ensure all staff are trained, and escalation routes are defined.

As an increase in cyber-attacks targeting UK businesses has been observed over the past few weeks, business owners would do well to learn from this incident.  The incident faced by Marks and Spencer serves as a stark reminder to business owners about the importance of prioritising cybersecurity.

Cyberattacks can have far-reaching consequences, affecting not just the immediate financial stability of a business but also the long-term reputation of a brand. Three weeks after the attack, M&S operations are still disrupted, with their online order services still not fully functional. The losses reported are significant, running into millions in lost sales per week. Businesses failing to invest in their cyber security capabilities can easily end up operating at limited capacity if hacked, and making significant losses in the aftermath of the hack.  

For businesses, investing in robust cybersecurity measures should not be seen as an optional expense but as a critical component of their operational strategy. Businesses should regularly update their security protocols, conduct comprehensive risk assessments, and provide cybersecurity training for their employees. This proactive approach can help identify and mitigate vulnerabilities before they are exploited by cyber criminals.

Moreover, from a data protection perspective, businesses must have an effective incident response plan in place. This includes clear procedures for detecting data breaches, mitigating the effects of the attack, recovering stolen data and making the necessary data reports to authorities and notifications to customers. As observed in this case, timely reporting to relevant authorities and information to customers about protective measures can significantly reduce potential reputational damage. Marks and Spencer confirmed it reported the breach to the authorities and informed its customers of the situation, even recommending simple practices for customers to protect their accounts, such as changing their passwords and exercising caution if they receive suspicious emails.

‍

Our team of cybersecurity lawyers is equipped to provide comprehensive assistance in managing cyber incidents for businesses. Leveraging their expertise in cybersecurity and data protection, they ensure risks are mitigated and data is recovered promptly. We can help protect your business from cyber threats and can run legal analysis to identify current deficiencies which may prove costly in case of breaches.

• Incident response planning and crisis legal counsel.
• Drafting and negotiating third-party cyber liability clauses.
• Regulatory notification and ICO engagement.
• Insurance policy reviews and claims support.
• Board-level training and risk assessment.
• Cyberattack Prevention through coordinated legal and technical preparation.

‍

‍