The April 2025 M&S Cyberattack: Lessons, Industry Response, and Paths to Resilience

Marks & Spencer’s flagship store in London. In April 2025, M&S faced a disruptive cyberattack that sent shockwaves through the UK retail sector.

In April 2025, British retail giant Marks & Spencer (M&S) suffered a major cyberattack that crippled its operations for weeks. What began as an Easter weekend “cyber incident” soon escalated into a full-blown crisis – customers couldn’t make contactless payments, online orders were suspended, and even store shelves went empty due to supply chain disruption.

The attack was reported to have wiped an estimated £700 million ($930 million) off M&S’s market value and drove a 9% drop in its share price. It was a stark wake-up call, not only for M&S but for the entire UK retail industry, exposing how a single breach can trigger widespread operational and financial chaos. In its aftermath, fellow retailers, industry groups, and government agencies rallied in an unprecedented collaborative response to contain the damage and learn from the incident.

This report provides an in-depth analysis of the M&S cyberattack – examining how the breach occurred, the attackers’ motivations and tactics, the impact on operations, and how the retail community responded together. We also explore emerging cybersecurity trends highlighted by this attack (from third-party risk to generative AI threats and Zero Trust strategies) and outline how businesses can bolster their defenses. Finally, we discuss how Peritus Cloud Security can help organisations stay proactive and resilient against the next wave of cyber threats.

How the Breach Unfolded


Initial Entry Point: Investigations revealed that the M&S breach did not start with an obvious technical vulnerability or malware infection, but with old-fashioned social engineering. In fact, the attackers compromised M&S via a third-party vendor’s employees, tricking a supplier’s staff through a targeted phishing/impersonation scheme.

M&S CEO Stuart Machin later characterised this lapse as a “human error” on the supplier’s side. Notably, the supplier was reportedly Tata Consultancy Services (TCS) – an IT services provider for both M&S and the Co-op. This suggests the attackers found a single weak link in the supply chain to hit two major retailers at once. The UK’s Cyber Monitoring Centre (CMC) assessed that exposure through a third-party was likely how the M&S and Co-op incidents began. In other words, the breach exploited trust in a partner network – a sobering lesson in third-party risk management.

Attack Tactics: The social engineering operation was remarkably sophisticated and targeted. According to cybersecurity analysts, the intruders focused on impersonating IT support staff and helpdesk personnel to fool users into surrendering credentials or remote access. The initial phishing phone calls and messages were so convincing that even tech-savvy employees were deceived. The attackers likely studied internal lingo and perhaps even leveraged voice-cloning AI to mimic accents and speaking styles. (Indeed, security experts note that generative AI now enables criminals to clone human voices with eerie accuracy – including localised accents – making fake calls feel legitimate.) By targeting the helpdesk and support processes, the adversaries effectively obtained valid login credentials or password reset access, giving them a foothold inside M&S’s network without raising immediate alarms.

Once inside, the attackers moved quickly to escalate privileges and deploy ransomware. M&S confirmed that the incident was a form of “big game” ransomware attack – a deliberate strike at a large enterprise for maximum profit. Systems across the company – from e-commerce platforms to internal applications and inventory management – were encrypted or taken offline, forcing M&S to essentially halt digital operations to contain the spread. Notably, M&S proactively shut down portions of its IT environment (except point-of-sale terminals in stores) as a defensive measure, trading short-term disruption for long-term containment. This aggressive isolation likely prevented further damage but at the cost of paralysing many services.

Who Was Behind the Attack

Almost immediately, security researchers suspected that the M&S attack was the handiwork of Scattered Spider, a notorious cybercrime group known for audacious attacks on large organisations. Scattered Spider (also tracked as UNC3944) is an English-speaking group with a talent for social engineering – infamously, they breached MGM Resorts in 2023 by impersonating IT staff to gain network access. In the M&S case, the Cyber Monitoring Centre eventually concluded that the same threat actor hit both M&S and Co-op, using similar tactics and timing, effectively classifying it as a “single combined cyber event”.

Investigators believe Scattered Spider was indeed behind the intrusions, likely partnering with a ransomware affiliate called DragonForce. Scattered Spider appears to have leveraged the DragonForce ransomware-as-a-service platform to execute the attack on M&S. (DragonForce, notably, has roots as a hacktivist collective but has shifted into financially motivated extortion – evolving “from politically motivated attacks to high-profile financial extortion campaigns,” and recently targeting UK retailers.) Criminals target retailers to ransom stolen data and extort money – every day a company is offline can cost big money.

Motivations: The attackers’ motives were primarily financial gain. By hitting critical systems of a major retailer, they maximised leverage to demand a hefty ransom. Analysts estimate the group’s tactics caused between £270–440 million in total financial impact to M&S and Co-op – a testament to how lucrative such extortion can be. Beyond immediate ransom demands, the criminals also exfiltrated sensitive data to double the pressure. At the Co-op, for example, they stole a significant trove of customer and member data (names, contact info, birthdates, etc.), presumably to threaten its public release or sale if the ransom wasn’t paid. This double-extortion method (encrypt systems and steal data) is now a hallmark of ransomware gangs looking to ensure they get paid.

It’s worth noting that ideological or political motives were not front-and-center here – unlike some past hacktivist campaigns – even though one perpetrator group (DragonForce) has such roots. In this case, the attack on M&S was a calculated assault on a prominent business, aiming to cash in on the company’s desperation to restore operations, as one expert emphasised. The selection of M&S, Co-op, and even Harrods as targets suggests the attackers were keenly aware of the high stakes: these are household brands with low tolerance for downtime, especially during a busy spring shopping season.

Tactics and Tools: The tactics used by Scattered Spider and its affiliates illustrate a trend of blending technical savvy with psychological manipulation. Key tactics included:

  • Advanced Social Engineering: The group’s members, being fluent English speakers, convincingly impersonated company IT staff on phone calls and chats. They likely used stolen personal details and perhaps even deepfake audio to add credibility. This allowed them to navigate past security questions and gain initial access. NCSC later warned that attackers are increasingly using Teams chats and helpdesk calls as entry points, exploiting human trust instead of hacking code.

  • Privilege Abuse & Lateral Movement: Once inside, the attackers sought out administrator credentials and poorly secured accounts to pivot across networks. By escalating privileges, they could deploy ransomware widely. The M&S breach has been described as a “seamless blend of social engineering, privilege abuse, and off-the-shelf tooling” – highlighting how attackers exploited trust as much as technology. Standard IT tools may have been repurposed by the hackers to move within the environment without immediate detection.

  • Ransomware Deployment: The final payload was encryption malware (ransomware), likely deployed after-hours to avoid immediate notice. Systems critical to online shopping, supply chain, and internal operations were encrypted or shut down, bringing business to a standstill. M&S itself identified the attack as ransomware when briefing investors. It’s unclear if M&S or Co-op paid any ransom – the CMC noted it had no data on ransom payment – but both companies prioritised restoration from backups and rebuilding systems, indicating a reluctance to engage with the criminals.

  • Data Theft and Extortion: In parallel, the attackers stole data where possible. M&S later admitted customer information was accessed during the breach, and Co-op confirmed personal data of millions of members was taken. This data could be used for extortion (“pay or we leak it”) and also poses longer-term risks if sold on criminal markets (identity theft, fraud, etc.).

Operational Disruption and Impact

The operational impact on M&S was immediate and far-reaching. Within days of the attack, M&S had to completely shut down its online shopping operations – a drastic measure for a retailer that conducts roughly one-third of its clothing and home goods sales online. Online orders were suspended for six weeks, only resuming in limited capacity by early June 2025. During this period, M&S’s e-commerce revenue effectively dropped to zero. According to industry data, M&S saw a 22% reduction in daily consumer spending, with in-store sales down 15% as stores struggled to keep shelves stocked. Popular food items and seasonal products ran out in some locations, as the attack disrupted inventory management and deliveries. Analysts estimated M&S was losing £3.8 million in sales per day from halted online orders.

In physical stores, point-of-sale systems remained operational (M&S wisely kept checkout tills running even as back-end systems were isolated). However, contactless payment functionality was knocked out, forcing customers to use chip-and-pin or cash – an inconvenience that slowed transactions and frustrated shoppers.

M&S’s internal communications and remote work capabilities were also hampered: at one point 200+ staff from M&S’s e-commerce warehouse and IT teams were told to stay home idle, unable to access systems. The company even paused hiring – taking down hundreds of job postings – amid the chaos. Collectively, these disruptions painted a picture of a retailer in crisis mode, struggling to serve customers and carry on “business as usual.”

The financial impact was equally severe. In a May 2025 earnings update, M&S warned that the cyberattack would wipe an estimated £300 million (~$400 million) from its operating profit for the year. This figure encompassed lost sales, remediation costs, and investments in recovery, and it did not yet factor in potential insurance offsets. It marked one of the largest public financial hits ever disclosed by a UK company due to a cyber incident. Indeed, industry observers noted it was “by some distance the largest sum ever publicly admitted to by a UK company as a result of a cyberattack”.

M&S also anticipated prolonged disruption through June and into July 2025, meaning the critical summer trading period would be impacted. The timing was brutal: record warm weather in May (which normally boosts sales of summer clothing and food) translated into missed opportunities as M&S couldn’t fully capitalise on demand.

Beyond direct losses, the “cyber hurricane” (as some experts dubbed it) had knock-on effects on M&S’s partners and the wider economy. The CMC categorised the incident as a Category 2 systemic event due to its significant economic impact on not just the victims but also third-party suppliers and services. For instance, some of M&S’s suppliers struggled to reroute goods, especially perishable foods requiring cold storage, leading to further supply chain disruption. And in a related blow, a key logistics provider (Peter Green Chilled) that served multiple supermarkets (including Aldi, Sainsbury’s, and Tesco) was hit by a ransomware attack in mid-May, forcing it to halt operations. This separate attack, possibly part of the same campaign, underscored how a single point of failure in the supply chain can impact many companies at once. Retail sector analysts fear that just-in-time inventory systems and heavy IT reliance mean that when systems go down, manual workarounds are limited – as seen with empty Food Halls at M&S and stockouts elsewhere.

Other retailers also felt the aftershocks. The Co-op Group, hit around the same time, had to temporarily shut some of its own IT systems on April 30 to contain malware. Co-op later disclosed that hackers accessed data of millions of past and current members, requiring a mass notification and posing reputational issues. Meanwhile, Harrods had to take parts of its network offline on May 1 as a precaution, although it claimed to have avoided major disruption by acting fast. Each of these incidents incurred costs in the tens of millions of pounds for incident response, customer support, and lost sales. Combined, the M&S and Co-op attacks alone were estimated to eventually cost up to £440 million ($592 million) when all was tallied.

Perhaps even more damaging than the immediate costs is the long-term reputational impact. Customers rely on M&S’s brand for trust – trust that their personal data and payment details are safe, and that stores will have the products they expect. A protracted outage and news of a data breach can erode that trust. Industry surveys after similar breaches show customers may change their shopping habits if they lose confidence in a retailer’s security. M&S moved quickly to mitigate this: by mid-May, they urged all 30+ million customers to reset their online account passwords as a precaution. They also engaged with the UK Information Commissioner’s Office (ICO) and promised enhanced security going forward. Nonetheless, the incident will cast a long shadow. Legal fallout is already emerging – M&S faces potential class-action lawsuits for the data breach. And strategic initiatives were delayed or refocused; as one legal expert noted, a major breach creates opportunity costs as management attention shifts to firefighting over innovation.

In summary, the M&S cyberattack vividly demonstrated how a cyber incident can cripple operations, devastate finances, and damage confidence in a matter of days. It highlighted that cybersecurity is not just an IT issue but a core business continuity risk. As we’ll see, this realisation sparked a coordinated response across the UK retail industry.

Retailers Unite

Facing what some dubbed a “cybersecurity hurricane,” the UK retail sector responded to the M&S attack with a notable level of collaboration and urgency. Competitors and peers recognised that “if this can happen to M&S, it can happen to anybody,” as former NCSC chief Ciaran Martin put it. Thus, rather than viewing it as M&S’s isolated problem, the incident was treated as a wake-up call for all retailers to band together, share information, and strengthen defenses.

Information Sharing and Alerts: Within days of M&S’s disclosure, industry bodies and government agencies were mobilised. The National Cyber Security Centre (NCSC) issued an urgent security bulletin to retailers nationwide, warning them to “follow best cybersecurity practices” to reduce the risk of falling victim to similar attacks. NCSC coordinated with the affected companies (M&S, Co-op, Harrods) and launched a broader threat intel effort to determine if the attacks were linked or part of a campaign. Early on, NCSC stated they had “insights” into the incidents but weren’t yet ready to confirm attribution – underscoring that intelligence was being actively gathered and analysed. Behind the scenes, likely via the NCSC’s industry info-sharing programs, technical indicators of compromise (IOCs) and attacker techniques were shared with other retailers so they could hunt for any signs of intrusion in their own networks.

The British Retail Consortium (BRC) – the UK’s retail trade association – also stepped up. BRC’s CEO, Helen Dickinson, publicly emphasised that cyberattacks were becoming “increasingly sophisticated” and revealed that retailers collectively spend hundreds of millions of pounds every year on cybersecurity. She noted that “all retailers are continually reviewing their systems to ensure they are as secure as possible.” In practice, this meant many retailers convened emergency meetings of their IT and security teams in the wake of the M&S incident. Companies rushed to double-check their own defenses, especially around any shared vendors or processes similar to M&S. For example, any retailer using the same third-party IT providers likely ran immediate security audits or changed remote access credentials as a precaution. The fact that Co-op’s breach was discovered “possibly as a result of increased vigilance following the M&S incident” speaks to how awareness was heightened across the industry.

Cooperative Mitigation Efforts: There were also instances of direct cooperation. M&S and the Co-op, despite being unrelated companies, found themselves in the fight together. The Cyber Monitoring Centre (CMC) treated their cases as one combined event, allowing both firms (and authorities) to pool information on the attacker’s tactics. It’s likely that technical teams from M&S and Co-op (with guidance from NCSC and perhaps third-party incident responders) compared notes on the malware used, the phishing lures encountered, and the indicators detected. This collaborative analysis would help each of them (and others) to more quickly deploy countermeasures. The NCSC also provided on-site assistance by sending its experts to work with the companies’ response teams. Such hands-on support, including forensic analysis and remediation guidance, was invaluable in shortening the recovery time.

Furthermore, the public stance of “unite against cyber threats” became evident. Rather than shaming the victims, industry leaders and even competitors voiced solidarity. For instance, several major retailers (like Tesco, John Lewis, and others) reportedly reached out to offer help or share advice behind closed doors. Retail CISOs communicated through informal networks and possibly the Retail ISAC (Information Sharing and Analysis Center) if one was in place, to disseminate any intelligence on the attack vector. The spirit was one of “we’re in this together,” recognising that undermining customer trust in one big retailer could easily spill over to mistrust in others if action wasn’t taken. This collective mindset is somewhat new – it reflects a maturing view that cybersecurity is not a competitive area but a common defense imperative.

Accelerating Security Measures: In the direct aftermath, M&S itself took bold steps that sent a message to the whole sector. The company announced it would accelerate a planned two-year digital security upgrade into just six months. This compressed overhaul includes upgrading infrastructure, improving network segmentation, and overhauling identity management – essentially fast-tracking a “Zero Trust” architecture (more on that later). The CEO positioned it as “making the most of the opportunity to accelerate improvement”, turning the crisis into a catalyst for modernisation. Such a rapid transformation is ambitious, but if successful, it would significantly harden M&S against future attacks by closing gaps that the attackers exploited. Other retailers took note; seeing M&S publicly commit to enhanced security spending put pressure on peers to review their own investment levels. As one industry commentary noted, “retailers like M&S must now invest heavily in defenses” and treat cybersecurity as a core competency. The alternative – delaying critical upgrades – exposes firms to existential risks, as evidenced by the breach.

Government stakeholders also used the incident to advocate for broader improvements. Parliament’s Joint Committee on National Security Strategy highlighted these retail attacks as evidence that more must be done to counter ransomware, urging the government to treat the threat with appropriate seriousness. This could translate into stronger regulations or support for critical retail infrastructure security. The NCSC’s guidance to all organisations was clear: prepare for the worst. “Preparation and resilience does not mean just having good defenses… it means detecting threat actors already inside your network, containing them, and being able to respond and recover”. Concretely, the NCSC advised measures like: enabling multi-factor authentication everywhere, watching for unauthorised account use, tightening helpdesk identity verification for password resets, and monitoring for logins from unusual sources (e.g. VPNs from odd locations). These tips, drawn from the retail incidents, were disseminated widely as best practices.

One especially telling example of collective learning came from the Co-op’s internal response. After dealing with its attack, Co-op instructed all staff to keep webcams on during online meetings and to strictly verify all meeting attendees. Why? Because the attackers had managed to eavesdrop on a confidential Co-op Teams call and even shared screenshots of it – implying they had snuck into meetings unobserved. By mandating cameras-on and attendee verification, Co-op aimed to catch any “lurkers” and prevent hackers from quietly spying on calls. This lesson was shared publicly via BBC reports and undoubtedly made its way onto the checklist of other companies’ security protocols for remote meetings.

In summary, the M&S cyberattack spurred an industry-wide wake-up call. As the NCSC stated, these incidents “should act as a wake-up call to all organisations” about the need for robust cyber resilience. Retailers in the UK (and beyond) collectively took action: sharing threat intelligence, hardening their defenses, and embracing a more transparent, cooperative approach to cybersecurity. This collaborative response likely limited further fallout from the initial attacks and has set the stage for a stronger, more united front against cybercriminals.

Cybercriminal Trends and Tactics

For CISOs and business decision-makers, the M&S breach provides several critical lessons about modern cybercriminal motivations and methods. Analysing this incident yields insight into how threat actors are evolving their tactics – and what defenses are most relevant – in 2025 and beyond. Below are key takeaways:

  1. Big-Game Ransomware: High Stakes for High Rewards. The attackers went after a prominent target (M&S) knowing that a successful breach would cause maximum business disruption, thereby pressuring the victim to pay a large ransom. This “big-game hunting” approach to ransomware has become standard – criminal gangs choose targets likely to suffer “narrow and deep” impacts that are extremely costly. The retail attacks were estimated to have a total impact up to $592 million, illustrating how lucrative such campaigns can be. The motivation is overwhelmingly financial; even groups with ideological roots (like DragonForce) have pivoted to extortion because the payoff is so high. For CISOs, this underscores that if your organisation is critical to the supply chain or economy, you are a prime target – and you must plan for the worst-case scenario where criminals aim to cripple operations to extort money. Business continuity planning (with backups, failover systems, etc.) is therefore as important as traditional perimeter security.

  2. Social Engineering Mastery: Humans are the Weakest Link. The M&S attack vividly demonstrated that sophisticated hackers often bypass technical defenses by targeting human behavior. Posing as trusted IT staff, the attackers exploited human trust to gain initial access. They carefully crafted phishing lures and phone personas, even possibly using AI-driven voice cloning to sound convincing. This trend of AI-powered social engineering is accelerating – attackers can now clone voices and generate personalised phishing messages at scale, making scams harder to spot. Impersonation of helpdesks and support channels is a particularly effective tactic (sometimes called “vishing” or voice-phishing). CISOs should ensure robust verification procedures for any password resets or sensitive requests (e.g., using callback verification or secondary channels). Regular security awareness training is crucial – employees must be drilled to verify identities and spot red flags, even if a request comes from someone claiming to be “IT support”. The old adage holds: trust, but verify.

  3. Supply Chain and Third-Party Risk: Hitting One to Breach Many. The entry point through a third-party supplier in the M&S case highlights how attackers target interconnected business ecosystems. By compromising one vendor (TCS), the hackers managed to affect two large retailers at once. This is a classic supply chain attack strategy – breach a smaller partner with weaker security to leapfrog into a bigger prize. We’ve seen this in other contexts (e.g., software supply chain attacks), and it’s now clearly a threat in operational vendor relationships too. CISOs must treat third-party access as an extension of their attack surface. It’s essential to vet vendors’ security practices, limit the access privileges of supplier accounts, and continuously monitor that access for anomalies. In fact, the CMC explicitly noted that retailers need a proper understanding of their third-party risk exposure, which it assessed as the likely way these incidents began. We should assume that attackers will probe our suppliers and contractors for any weak links. Thus, strategies like requiring multi-factor authentication for all vendor logins, conducting periodic security assessments of key suppliers, and having contractual security requirements are increasingly standard. Shared fate means shared responsibility – your partners’ cybersecurity must be scrutinised as closely as your own.

  4. Multi-Stage Extortion: Data Theft Ups the Ante. Modern ransomware incidents are not just about encrypting files; they often involve stealing sensitive data and threatening to leak it. The M&S/Co-op attackers exfiltrated customer and employee data, turning the breach into a data breach incident as well. This tactic (dubbed “double extortion”) is intended to pressure victims into paying even if they can restore from backups, because a public data leak would cause further damage. For CISOs, this means that data loss prevention and encryption of data at rest are important mitigations. It’s also a reminder that incident response must include not just IT restoration but also crisis communications and legal preparedness for a potential data breach disclosure. In the M&S case, notifying millions of customers and supporting them (e.g., with forced password resets and credit monitoring if needed) became a huge part of the response. Being prepared for that scenario – with pre-drafted customer communications and a PR strategy – is now a necessity.

  5. Focused Targeting: Sector-Wide Campaigns and Hacker Playbooks. The events of spring 2025 revealed that attackers may focus on one industry at a time, reusing successful techniques. Scattered Spider hit multiple UK retailers in succession, then reportedly shifted attention to U.S. retailers and later to the insurance sector. They develop a “playbook” for a specific vertical – understanding common systems, likely vulnerabilities, and even industry lingo to better deceive employees. For retail, this might include knowledge of point-of-sale networks, e-commerce platforms, and distribution systems. The implication for CISOs is that threat actors are learning and adapting per industry. Information sharing within your industry becomes crucial to stay ahead of the attackers’ curve. If a peer organisation is hit, it’s likely not an isolated incident – assume those same attackers may try similar techniques on you. Engage with industry ISACs or trust groups to swap intel in real time. In essence, we must be as collaborative as the attackers are opportunistic.

  6. Resilience Matters as Much as Prevention. Finally, a philosophical but important point: even with world-class defenses, breaches can still happen (M&S is a 139-year-old company that surely had security in place, yet it was breached). No organisation is immune, so resilience – the ability to contain damage and recover quickly – is paramount. In M&S’s case, having the courage to disconnect systems early likely prevented worse damage. Their recovery was still arduous, but a complete rebuild could have taken much longer. This underscores that CISOs should invest not only in preventive controls, but also in robust incident response plans, backups, and business continuity drills. The goal is to minimise the “dwell time” of attackers (finding them fast when they break in) and to limit the blast radius (through network segmentation, least-privilege access, etc., which we’ll discuss under Zero Trust). As one expert noted, “resilience isn’t just about prevention, it’s about containment, recovery, and communication”. This holistic approach is what allowed M&S to eventually bounce back and will serve other organisations well when – not if – they face a similar crisis.

In summary, the M&S incident crystallises several trends: targeted ransomware is on the rise; social engineering and third-party attacks are key threat vectors; and strong resilience strategies are as crucial as ever. Armed with these insights, CISOs in retail and other sectors can re-evaluate their security postures against real-world adversary behaviors.


Emerging Cybersecurity Trends Highlighted by the Attack

The M&S breach did not occur in a vacuum – it exemplified and accelerated broader cybersecurity trends that every organisation should note. Here we delve into three interrelated trends underscored by this incident: third-party risk, generative AI–powered threats, and the push toward Zero Trust security models.

Third-Party Risk: Securing the Supply Chain

Perhaps the clearest lesson from the M&S attack is the danger posed by vulnerabilities in your supply chain and vendor network. In an era of outsourcing and interconnected digital ecosystems, an organisation is only as secure as its weakest link. M&S’s attackers entered via a third-party IT provider’s compromised employees, leveraging trust and access that had been granted to an external partner. This form of supply chain attack is increasingly common – whether it’s targeting managed service providers, software libraries (as seen in past incidents like SolarWinds), or other service contractors.

Why Third-Party Breaches Are Rising: Attackers target vendors because smaller firms often have less mature security, and a single vendor may unlock access to multiple client organisations. It’s an efficient “hack one, get many” strategy. In the retail sector, think of the myriad third parties: point-of-sale system maintainers, HVAC contractors (famously the entry point for the 2013 Target breach, via a contractor’s stolen credentials), cloud hosting providers, payment processors, etc. Each of these connections is a potential pathway into the core business. The M&S incident confirms that cybercriminals are actively probing such pathways. As the CMC assessment noted, improved cyber hygiene and a proper understanding of third-party risk exposure are crucial – indeed, that is likely how the M&S and Co-op incidents began.

Mitigating Third-Party Risk: Organisations should implement a robust Third-Party Risk Management (TPRM) program. This includes:

  • Due Diligence: Vet partners’ security practices before onboarding (e.g. check if they have security certifications, conduct risk assessments or ask for penetration test results). If M&S’s vendor had been known to have weaker controls, maybe additional safeguards could have been required.

  • Least-Privilege Access: Give vendors the minimum access necessary. For instance, do all vendor support staff need VPN access to your entire network, or can it be scoped to certain systems and times? Use fine-grained access controls and network segmentation to compartmentalise third-party access. Had strict network segmenting been in place, a breach via the vendor might have been isolated more easily.

  • Continuous Monitoring: Don’t assume a partner is secure forever after initial vetting. Continuously monitor vendor access for unusual activity (failed logins, logins at odd hours or from foreign IPs, etc.). Utilise tools that can detect if a third-party account is behaving abnormally – which might indicate it’s been compromised.

  • Contractual Controls: Include cybersecurity requirements in vendor contracts (like breach notification timelines, right to audit, adherence to certain standards). In the aftermath, such clauses help ensure you get timely info and cooperation from the vendor. TCS, for example, publicly stated that its systems were not compromised in the M&S attack, and it was internally investigating – likely due in part to contractual and reputational obligations.

  • Incident Response Integration: Incorporate key vendors into your incident response plans. You should know how to quickly reach their security team in an emergency and have processes to work together (e.g. sharing forensic data). In M&S’s case, coordination with TCS and others was vital once the breach was suspected to involve them.

Ultimately, trust must be verified. The goal is not to cut off all third parties – that’s impractical in modern business – but to manage and contain the risk they introduce. As one security maxim puts it: “No network is an island.” Your organisation’s security is intertwined with that of your partners, so you must extend your vigilance outward to cover the supply chain.
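The continuous-monitoring point above is easiest to see in code. The following is an added example, not code from the original page or from M&S, TCS or Peritus. It runs four checks over a handful of constructed VPN/SSO sign-in lines for vendor-named accounts: a successful sign-in from a country the vendor does not operate from, a sign-in outside the contracted support window, a burst of failed logins, and the same account succeeding from two countries within an hour (the “two countries within an hour” pattern the threat-detection part of this report also mentions, so one block serves both passages). The log format, the `vendor-` account prefix, the allowed countries, the support hours and the thresholds are all assumptions to be tuned to the actual vendor contract.

```python
"""Flag anomalous sign-ins by third-party (vendor) accounts from VPN/SSO logs.

Added example, not code from the original page or from M&S, TCS or Peritus.
Log format, account naming convention and thresholds are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Deque, Dict, List

# Hypothetical policy inputs, tuned per vendor contract
VENDOR_ACCOUNT_PREFIX = "vendor-"      # naming convention for third-party accounts
ALLOWED_COUNTRIES = {"GB", "IN"}       # where this vendor's support staff work
SUPPORT_HOURS_UTC = range(7, 20)       # contracted 07:00-19:59 UTC window
FAILED_LOGIN_THRESHOLD = 5             # failures within the window before alerting
FAILED_LOGIN_WINDOW_S = 600
IMPOSSIBLE_TRAVEL_WINDOW_S = 3600      # two countries within an hour


@dataclass
class SignIn:
    ts: datetime
    user: str
    src_ip: str
    country: str
    result: str  # "success" or "failure"


@dataclass
class Alert:
    user: str
    kind: str
    ts: str
    detail: str


def parse_line(line: str) -> SignIn:
    """Parse one constructed log line: '<ISO8601> user=<id> ip=<addr> country=<CC> result=<r>'."""
    ts_str, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return SignIn(ts, fields["user"], fields["ip"], fields["country"], fields["result"])


def detect(lines: List[str]) -> List[Alert]:
    """Run the four vendor-account checks over log lines, returning alerts in time order."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts: List[Alert] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    last_success: Dict[str, SignIn] = {}

    for e in events:
        if not e.user.startswith(VENDOR_ACCOUNT_PREFIX):
            continue  # internal accounts are covered by other rules
        when = e.ts.isoformat()

        if e.result == "failure":
            # Brute-force / password-spray style burst against a vendor account
            window = failures[e.user]
            window.append(e.ts)
            while window and (e.ts - window[0]).total_seconds() > FAILED_LOGIN_WINDOW_S:
                window.popleft()
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(Alert(e.user, "failed_login_burst", when,
                                    f"{len(window)} failures in {FAILED_LOGIN_WINDOW_S}s from {e.src_ip}"))
                window.clear()  # one alert per burst
            continue

        # Successful sign-ins are what actually grant access, so check them hardest
        if e.country not in ALLOWED_COUNTRIES:
            alerts.append(Alert(e.user, "unexpected_country", when, f"{e.country} via {e.src_ip}"))
        if e.ts.hour not in SUPPORT_HOURS_UTC:
            alerts.append(Alert(e.user, "off_hours", when, f"{e.ts.hour:02d}:00 UTC outside support window"))
        prev = last_success.get(e.user)
        if (prev and prev.country != e.country
                and (e.ts - prev.ts).total_seconds() <= IMPOSSIBLE_TRAVEL_WINDOW_S):
            minutes = int((e.ts - prev.ts).total_seconds() // 60)
            alerts.append(Alert(e.user, "impossible_travel", when,
                                f"{prev.country} -> {e.country} in {minutes} min"))
        last_success[e.user] = e
    return alerts


# Constructed sample log (not real M&S data): one normal vendor sign-in, an internal user,
# a burst of failures from an unexpected country, a success from it, then a GB sign-in minutes later.
SAMPLE_LOG = """\
2025-04-19T09:05:00Z user=vendor-support-07 ip=198.51.100.4 country=GB result=success
2025-04-19T09:40:00Z user=alice.internal ip=10.0.0.5 country=GB result=success
2025-04-19T21:14:10Z user=vendor-support-07 ip=203.0.113.77 country=US result=failure
2025-04-19T21:14:25Z user=vendor-support-07 ip=203.0.113.77 country=US result=failure
2025-04-19T21:14:40Z user=vendor-support-07 ip=203.0.113.77 country=US result=failure
2025-04-19T21:15:02Z user=vendor-support-07 ip=203.0.113.77 country=US result=failure
2025-04-19T21:15:30Z user=vendor-support-07 ip=203.0.113.77 country=US result=failure
2025-04-19T21:16:05Z user=vendor-support-07 ip=203.0.113.77 country=US result=success
2025-04-19T21:40:00Z user=vendor-support-07 ip=198.51.100.4 country=GB result=success
"""


def run_sample() -> List[Alert]:
    """Run the checks over the constructed sample; five alerts are expected."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts} {a.user} {a.kind}: {a.detail}")
```

Note that the failure burst is reported once and the window cleared, so a sustained spray produces one alert per five failures rather than one per attempt, and that the geography and hours checks run only on successful sign-ins, since those are the events that actually grant access. In a real deployment the same logic would sit in a SIEM rule and the allow-lists would come from the vendor contract rather than constants.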

Generative AI Threats: Social Engineering on Steroids

A striking aspect of the M&S incident is how well the social engineering was executed. Public reporting has not confirmed what tooling the attackers used, but it is reasonable to assume they drew on the latest tools at their disposal – including generative AI – to enhance their schemes. Generative AI (such as advanced language models and deepfake generators) is dramatically lowering the barrier for cybercriminals to create highly convincing fake content. In the context of this attack and others in 2025, we see AI’s imprint in several ways:

  • Deepfake Voices & Realistic Phishing: As mentioned, generative AI can clone human voices with great accuracy, including mimicking accents and speaking nuances. An attacker can, for example, train an AI model on a few samples of a company’s IT helpdesk personnel (perhaps scraped from LinkedIn videos or recorded calls) and then have the AI speak on a phone call almost indistinguishably from the real person. This makes phone-based phishing (“vishing”) incredibly potent. Likewise, AI text generators can produce phishing emails that are grammatically perfect, contextually relevant, and even personalised to the target (using details from social media or past communications). In short, phishing attempts are becoming harder to spot – the usual telltale signs (odd grammar, generic language) are disappearing when criminals use AI to polish their lures. For defenders, this means employee training has to evolve; we must train staff to verify requests through secondary channels and not rely on superficial cues.

  • Automated Targeting and Scalability: AI allows threat actors to scale up their attacks. A single attacker can unleash thousands of tailored phishing messages or chatbot attacks using AI, far more than they could manually. We’re seeing campaigns where AI chatbots engage employees in conversation in chat apps, slowly gaining trust before dropping a malicious link – a very human-like social engineering approach, but powered by automation. Generative AI can also assist in identifying the best targets (for example, by scraping org charts and communications to find who handles payments or has high privileges, then generating spear-phishing for those individuals). The result is an onslaught of more frequent and more convincing social engineering attempts.

  • Malware and Exploit Development: While not directly evidenced in the M&S case, it’s worth noting that AI can also help attackers write malware code, find vulnerabilities faster, or even generate polymorphic malicious code that changes constantly to evade detection. Security researchers have already demonstrated AI models that can create phishing websites or mutate malware strains automatically. This is an emerging threat that looms on the horizon.

The generative AI threat is essentially that it “supercharges” existing attacks – especially social engineering – making them more effective and widespread. As one industry expert summarised, “In 2025, social engineering will cement itself as the top security threat – supercharged by generative AI.” The M&S attack, with its social engineering core, validates this claim.

Defensive Measures: Combating AI-enhanced threats requires a combination of technology and policy responses. On the tech side, organisations are turning to AI-driven defense – for example, using AI to detect anomalous behavior that might indicate a compromised account (since spotting AI-crafted phishing by content alone is difficult, behavior analytics can help by noticing if an employee suddenly performs unusual actions after a suspicious call). Email and communication security tools are incorporating AI to better flag synthetic content or inconsistencies. On the human side, it’s about creating a culture of skepticism: encourage employees to pause and verify requests, especially those involving credentials or sensitive transactions, even if the request “sounds” legit. Introduce verification steps for critical processes (e.g., a callback requirement for financial transfers, which wouldn’t be fooled by an AI email alone).

Interestingly, AI is also being used for positive training – for instance, running AI-powered phishing simulations to continually test and train employees in recognising the latest tricks. By simulating deepfake calls or AI-written emails in a safe environment, employees can learn to identify them. The bottom line is that CISOs must treat generative AI as a new dimension of both threat and tool – criminals have new capabilities, but so do defenders. Embracing defensive AI and updating security awareness programs will be key to staying ahead of this curve.

Embracing Zero Trust: Never Trust, Always Verify

Finally, a major trend reinforced by the M&S saga is the move toward Zero Trust security architectures. Zero Trust is a philosophy and framework that eliminates implicit trust in any user or system, whether inside or outside the network. Under Zero Trust, every access request is continuously verified – you authenticate and authorise based on context (user identity, device security posture, location, etc.) each time, rather than giving broad network access based on a one-time login or being on an internal network.

Why Zero Trust Matters Here: The M&S attackers were able to roam through systems and escalate privileges likely because traditional network segmentation and trust models failed. In many corporate networks, once someone is “inside” (especially via a VPN or a trusted account), there are relatively few barriers to move laterally. Zero Trust aims to change that by treating every network segment and application access as if it’s internet-exposed – nothing is trusted by default, even if you’re an authenticated insider. If M&S had a mature Zero Trust implementation, a compromised vendor account would not have been able to access crown jewel systems without additional verification at each step (like MFA challenges or device attestation), and unusual behavior would have been more quickly flagged and blocked.

Key Zero Trust Principles (applied to this case):

  • Least Privilege Access: Users (and systems) should have only the permissions needed for their roles, and these permissions are continually evaluated. In a Zero Trust model, that vendor account might only have access to a limited support portal rather than the whole network. And an employee’s account that normally accesses, say, HR data would not be able to suddenly access payment systems without a policy violation alert. This contains the damage if an account is hijacked. In the M&S breach, once the attackers got in, they seemingly had wide reach; better privilege restrictions could have slowed or stopped them.

  • Micro-Segmentation and Network Controls: Zero Trust advocates for segmenting networks and cloud environments into very small zones and enforcing strict access controls between them. So even if malware lands on one server or one store’s network, it shouldn’t easily spread to others. At M&S, more granular segmentation between, for example, the e-commerce environment and the internal corporate network could have limited how far ransomware propagated. Micro-segmentation also means that sensitive data stores are isolated — an approach that could protect customer data even if an IT network is breached.

  • Continuous Authentication & Monitoring: Under Zero Trust, authentication isn’t a one-time event. Systems continuously validate that the user and device are still trusted – e.g., if a user’s behavior deviates or their device becomes unpatched/infected, the system may revoke access or require re-authentication. In practice, this could mean that even if attackers stole an employee’s session or token, they might be challenged when they attempt admin-level actions or access from a new host. Modern identity platforms (like Microsoft Entra ID, formerly Azure AD) have capabilities to detect “risky sign-ins” and abnormal patterns, which align with Zero Trust by gating access when something looks off. M&S, like many, did have MFA deployed in parts, but Zero Trust would insist on MFA everywhere, and preferably passwordless, phishing-resistant methods such as FIDO2 security keys or passkeys, which cannot be relayed by a helpdesk impersonator the way a one-time code can.

Importantly, Zero Trust is not a single product or switch to flip, but a strategic journey. M&S’s leadership explicitly cited accelerating digital transformation, and likely Zero Trust implementation, as part of their response. As one expert quoted during the incident said, a crisis is a chance to modernize and “implement zero trust, and treat cybersecurity as a board-level business priority.” This highlights that Zero Trust has gained traction at the highest levels – boards and CEOs are aware of it as a way to limit the blast radius when a breach does happen, which is exactly the “assume breach” mindset the model is built on.

For organisations embarking on Zero Trust, it’s wise to start with critical assets and high-risk users. Enforce MFA for all, segment your network into zones, and introduce conditional access policies (for example, don’t allow logins from Tor exit nodes or from geographies where you have no business presence). Over time, work toward a posture where no device or user is inherently trusted due to network location or credential alone. This way, even if attackers infiltrate, they hit a wall at the next step because each action requires verification. As one resource put it, Zero Trust helps prevent that easy lateral movement and limits insider or compromised-insider damage. It’s essentially about building resilience by assuming attackers are already in your environment and designing your defenses accordingly.
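As an added example (not M&S’s or Peritus’s code, and not a rendering of any real product’s policy language), here is a small policy decision function that applies the principles above to a single access request: hard blocks for Tor exits, out-of-footprint geographies and high-risk sign-ins; a least-privilege entitlement table that confines the vendor role to a support portal and a contracted support window; a device-posture check on every request rather than only at login; and a step-up to phishing-resistant MFA for sensitive resources, admin actions and medium-risk sign-ins. The roles, resource names, countries and the `sign_in_risk` signal are hypothetical stand-ins for what an identity provider such as Entra ID would supply.

```python
"""Illustrative Zero Trust policy decision point: every request is evaluated on identity,
entitlement, device posture, location and sign-in risk, never on network location alone.

Added example, not M&S's or Peritus's code. Roles, resources, countries and the risk
signal are hypothetical inputs standing in for what an identity provider would supply.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

BUSINESS_COUNTRIES = {"GB", "IE", "IN"}          # assumed footprint of the business
PHISH_RESISTANT_MFA = {"fido2", "passkey"}       # methods that survive credential phishing
SENSITIVE_RESOURCES = {"payments-db", "hr-data"}
VENDOR_HOURS_UTC = range(7, 20)                  # vendor support contract window
# Least privilege: role -> resource -> permitted actions (vendor sees only the support portal)
ROLE_ENTITLEMENTS: Dict[str, Dict[str, Set[str]]] = {
    "vendor":   {"support-portal": {"read", "write"}},
    "employee": {"support-portal": {"read"}, "hr-data": {"read"}},
    "admin":    {"support-portal": {"read", "write", "admin"},
                 "payments-db": {"read", "write", "admin"}},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str                # "read" | "write" | "admin"
    country: str
    is_tor_exit: bool
    device_compliant: bool     # MDM/EDR-reported posture at request time
    mfa_method: Optional[str]  # None, "sms", "totp", "fido2", "passkey"
    sign_in_risk: str          # "low" | "medium" | "high" from the identity provider
    hour_utc: int


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    step_up: Optional[str] = None   # what the caller must satisfy before retrying


def evaluate(req: AccessRequest) -> Decision:
    """Return allow/deny for one request; checks run from hard blocks to step-ups."""
    # 1. Hard blocks that no authentication factor can override
    if req.is_tor_exit:
        return Decision(False, "tor_exit_blocked")
    if req.country not in BUSINESS_COUNTRIES:
        return Decision(False, "country_not_in_scope")
    if req.sign_in_risk == "high":
        return Decision(False, "high_risk_sign_in")

    # 2. Least privilege: the role must carry an entitlement for this resource and action
    permitted = ROLE_ENTITLEMENTS.get(req.role, {}).get(req.resource, set())
    if req.action not in permitted:
        return Decision(False, "no_entitlement")
    if req.role == "vendor" and req.hour_utc not in VENDOR_HOURS_UTC:
        return Decision(False, "outside_vendor_window")

    # 3. Device posture is re-checked on every request, not only at first login
    if not req.device_compliant:
        return Decision(False, "device_not_compliant", step_up="remediate_device")

    # 4. Step-up: sensitive data, admin actions and medium-risk sign-ins need phishing-resistant MFA
    needs_strong_mfa = (req.resource in SENSITIVE_RESOURCES
                        or req.action == "admin"
                        or req.sign_in_risk == "medium")
    if needs_strong_mfa and req.mfa_method not in PHISH_RESISTANT_MFA:
        return Decision(False, "phish_resistant_mfa_required", step_up="fido2")
    if req.mfa_method is None:
        return Decision(False, "mfa_required", step_up="mfa")
    return Decision(True, "policy_satisfied")


# Baseline request (constructed): a vendor support engineer doing routine work from the UK
BASELINE = dict(user="vendor-support-07", role="vendor", resource="support-portal",
                action="read", country="GB", is_tor_exit=False, device_compliant=True,
                mfa_method="totp", sign_in_risk="low", hour_utc=10)


def request(**overrides) -> AccessRequest:
    """Build a request from the baseline with selected fields changed."""
    return AccessRequest(**{**BASELINE, **overrides})


if __name__ == "__main__":
    scenarios = {
        "vendor_routine": request(),
        "vendor_reaches_for_payments": request(resource="payments-db"),
        "vendor_at_2am": request(hour_utc=2),
        "admin_payments_totp": request(role="admin", resource="payments-db", action="write"),
        "admin_payments_fido2": request(role="admin", resource="payments-db",
                                        action="write", mfa_method="fido2"),
        "employee_via_tor": request(role="employee", is_tor_exit=True),
    }
    for name, r in scenarios.items():
        print(f"{name}: {evaluate(r)}")
```

The ordering matters: a stolen vendor credential that passes MFA still cannot reach the payments database, because the entitlement check fires before any authentication strength is considered, and an admin with a valid TOTP code is sent back for a FIDO2 assertion rather than being let through. That is the “hit a wall at the next step” behaviour the paragraph above describes.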

The M&S incident underscores that had those Zero Trust principles been fully in play, the breach might have been contained before it spiraled. Going forward, adopting Zero Trust is rapidly becoming a best practice across industries – and certainly for retail, which now sees how a single intrusion can shutter operations for weeks.

How Peritus Cloud Security Supports Proactive Defense

In light of the lessons from the M&S cyberattack and the emerging threat landscape, businesses are rightly asking: How can we stay ahead of these risks and protect ourselves proactively? This is where Peritus Cloud Security comes in. As a specialist in cybersecurity and cloud solutions, Peritus is dedicated to helping organisations strengthen their security posture before a crisis hits, and to respond effectively if one does. We align closely with the needs of mid-market and enterprise teams, offering expertise that addresses exactly the challenges highlighted in this report – from third-party risk to advanced social engineering and Zero Trust implementation.

Here are key ways Peritus Cloud Security can help your business stay proactive and resilient in the face of modern cyber threats:

  1. Comprehensive Security Assessments – Know Your Gaps: It all starts with understanding your current risk exposure. Peritus offers in-depth Cyber Security Assessments that evaluate your infrastructure, policies, and controls against industry best practices and emerging threats. We uncover misconfigurations, vulnerabilities, and compliance gaps across cloud and on-premise environments. For example, we can assess whether your Active Directory is hardened against privilege escalation, or if your employee training is effectively combating phishing. In the context of an M&S-style attack, our assessments would flag weaknesses such as lack of MFA on certain accounts, over-privileged vendor logins, or insufficient network segmentation. By identifying these issues proactively, you can remediate them before attackers find them. We provide prioritised recommendations, so you know which high-risk gaps to close first.

  2. Third-Party Risk Management – Securing the Supply Chain: Peritus recognises that third-party risk is a top concern for modern businesses. Our Third-Party Risk Management solutions help you institute a robust program to vet and monitor your vendors. We assist in evaluating vendors’ security postures (through questionnaires, audits, or integrating with vendor risk rating tools) and implementing controls for vendor access. Additionally, through our advisory services, we help you establish strict third-party access policies: from setting up separate vendor access portals with MFA, to using Secure Access Service Edge (SASE) and software-defined perimeters that limit what external partners can see and do on your network. By doing so, even if a vendor is compromised, your critical systems remain protected. Our team can also guide you in continuously monitoring supplier connections for anomalies, leveraging our extended detection capabilities (XDR) to watch for suspicious activity coming from partner accounts.

  3. Advanced Threat Detection & Response – Stopping Attacks Early: In today’s threat landscape, prevention must be coupled with detection. Peritus provides Extended Detection & Response (XDR) and managed security monitoring services to catch intrusions in real time. We deploy intelligent monitoring across your endpoints, network traffic, cloud workloads, and identity systems. This means if an attacker tries to impersonate an employee or log in from an unusual location, our systems can generate alerts based on that abnormal behavior. We use a combination of rule-based detection and machine learning analytics (yes, the good side of AI) to quickly spot patterns that could indicate a breach – such as a user suddenly accessing large amounts of data at 3 AM, or the same account logging in from two countries within an hour. Our Security Operations Center (SOC) analysts are on call to investigate and help you respond immediately, 24/7. With Peritus’s monitoring, you gain the peace of mind that even if attackers slip past some defenses, they won’t operate undetected for long. Rapid detection significantly limits the damage, as it enables you to contain and eradicate the threat before ransomware fully deploys or data is exfiltrated.

  4. Human Risk Management and Training – Fortifying Your First Line of Defense: Technology alone isn’t enough – your people are a crucial layer of defense. Peritus offers Human Risk Management services that include security awareness training, phishing simulations, and even executive cyber coaching. We help cultivate a security-first culture in your organisation. Employees learn how to recognise phishing emails, suspicious calls, and other social engineering ploys (including the latest AI-driven scams). By running realistic simulations, we identify which employees or departments might need extra training or tighter controls, turning the human weakness into strength. We can specifically tailor programs to threats like those seen in the M&S attack – for instance, training helpdesk staff on new verification protocols, or educating all staff on the risks of unsolicited password reset requests. Our approach makes security awareness engaging rather than a checkbox, so your team remains vigilant in the face of ever-evolving attacker tactics.

  5. Zero Trust Architecture & Cloud Security – Build Security into Your Core: As businesses modernise and move to cloud and hybrid environments, Peritus specialises in designing and implementing Zero Trust architectures and robust Cloud Security frameworks. We bring deep expertise in Identity and Access Management (IAM) and Privileged Access Management, ensuring that principles like least privilege and continuous authentication are enforced across your IT ecosystem. If you’re looking to implement Zero Trust, our consultants can develop a roadmap and architecture: from segmenting your networks, to deploying solutions like conditional access, single sign-on and MFA everywhere, to setting up micro-segmentation in your cloud (using the platform’s native controls such as security groups and network policies, or third-party tools). We are vendor-agnostic and familiar with leading technologies, meaning we recommend solutions tailored to your stack – be it Microsoft-centric, AWS/Azure cloud, or hybrid. Additionally, our Cloud Security Posture Management services help you reduce misconfigurations in cloud resources (for example, ensuring storage buckets aren’t left open, and that your backup systems are properly isolated from your main network and protected with immutable or offline copies so they survive a ransomware attack). By partnering with Peritus to embrace Zero Trust and cloud security best practices, you significantly harden your defenses against breaches like the one M&S experienced.

  6. Incident Response Readiness – Be Prepared, Not Panicked: Drawing on lessons from incidents like M&S, Peritus offers services to make sure that if the worst happens, you’re ready. Our Cyber Incident Exercising service conducts tabletop simulations and live drills with your team. We walk you through realistic breach scenarios (e.g., a ransomware outbreak) to test your response plans, roles, and decision-making. This way, if a real incident occurs, your team will have muscle memory and confidence in handling it, reducing confusion and delays. We can also assist in developing or refining your incident response plan and playbooks – aligning them with NCSC guidance and international standards. And should you need emergency help, Peritus can serve as a first responder with expert incident handlers to contain and eradicate threats. Think of it as cyber fire-fighting – you hope to never need it, but it’s critical to have a trusted partner on call. By preparing in advance, you’ll fulfil the mantra of “preparation and resilience” that NCSC advocates.

  7. Ongoing Advisory and vCISO Support – Strategic Guidance: Security is an ongoing journey. Peritus provides Virtual CISO (vCISO) and ongoing advisory services, which means our seasoned security leaders can work with your executive team to navigate the strategic aspects of cybersecurity. We keep you updated on emerging threats (like new ransomware tactics or AI threats) and compliance requirements, helping you adapt your security strategy proactively. For example, if new regulations emerge post-M&S incident (perhaps mandating certain cyber controls in critical retail), our experts would brief you and help implement necessary measures. We also help you align security initiatives with business goals – turning cybersecurity from a cost center into a business enabler, much as M&S’s CEO framed their accelerated investments as making the company stronger. In essence, we become a trusted partner in your security program’s success, available for consultation whenever needed.

Why Peritus?

In delivering these services, Peritus prides itself on a few principles that set us apart. We offer vendor-neutral advice, ensuring you get solutions that truly fit your needs (not a one-size-fits-all product pitch). Our team comprises senior experts – when you work with us, you interact directly with experienced consultants who have “seen it all,” not junior staff. We move quickly and pragmatically; we know that in business, time is of the essence, especially after something like a cyberattack, so we aim to deliver results fast without sacrificing quality. And importantly, we focus on real-world solutions – as our motto says, “cloud security that works in the real world”. That means we help you implement controls that are practical, managed, and actually improve security rather than just adding complexity.

With Peritus Cloud Security as your ally, you gain not just tools or checklists, but a holistic strategy and the hands-on support to execute it. Whether it’s preventing the next breach through strong preventive measures and training, or preparing to handle incidents with minimal damage, we cover the full spectrum. Our mission is to make sure that your organisation does not become the next headline, and that you can pursue innovation and growth with confidence in your security posture.

Lessons Learned: Moving Forward After the M&S Attack

The April 2025 attack on Marks & Spencer was a sobering demonstration that even the most established businesses can be brought to a standstill by a savvy cyber adversary. It highlighted the importance of preparedness, the evolving nature of threats (from third-party weaknesses to AI-enhanced deception), and the value of collective defense. For UK retailers and organisations worldwide, the message is clear: cybersecurity is now a fundamental business concern, integral to operational resilience and customer trust. Threat actors will continue to refine their tactics – targeting our people, our partners, and our most critical systems – so we must continuously adapt and strengthen our defenses.

The good news is that by learning from incidents like the M&S breach and embracing modern security strategies (Zero Trust architectures, robust third-party risk management, AI-driven defenses, and more), businesses can greatly reduce their risk and limit the impact of any attack. Proactive investment in cybersecurity – treating it not as an IT cost, but as an essential component of business continuity and trust – pays dividends in the long run. As one analysis noted, companies that “invest early in defenses… could gain a lasting edge,” whereas those that delay face existential threats. In other words, cyber resilience is becoming a competitive differentiator.

At Peritus Cloud Security, we are passionate about helping organisations achieve that resilience. We hope this deep-dive report has provided valuable insights into the M&S incident and its implications. More importantly, we encourage you to take action on these insights. Don’t wait for a breach to force your hand. Whether it’s shoring up access controls, revisiting your incident response plans, or rolling out advanced threat monitoring, the time to act is now – before the next crisis hits.

Ready to strengthen your cybersecurity posture? Contact Peritus Cloud Security today to discuss how we can support your business. Our experts are here to listen to your concerns, share guidance, and tailor solutions that fit your unique environment. We offer a range of engagement options – from quick advisory calls to comprehensive security program overhauls. Even if you just want a second opinion on your current security strategy, we’re happy to help.

Let the lessons of the M&S cyberattack be the catalyst for positive change in your organisation. With the right measures in place and trusted partners by your side, you can face the future with confidence, knowing you’ve done all you can to protect your enterprise and customers. Reach out to Peritus Cloud Security for a consultation or to schedule a free cybersecurity health check. Together, we’ll build a proactive and resilient defense that keeps your business secure in the face of whatever challenges tomorrow brings.
