£300 Million and Counting: What the M&S Cyberattack Tells Us About Retail's Vulnerability
Recent research by Thorpe and Partners, in collaboration with The CIO Circle, found that data security is now the number one priority for CIOs across the UK and Europe.
With cyber threats evolving rapidly and targeting the heart of operations, European technology leaders are placing protection of customer data and system resilience ahead of innovation, digital transformation, and even AI.
The urgency of that finding was brought into sharp focus in April 2025, when British retail giant Marks & Spencer (M&S) became the latest high-profile victim of a cyberattack. The breach, attributed to the Scattered Spider hacking group, caused major disruptions across operations and is expected to cost the business £300 million in lost revenues.
Social Engineering: The Weakest Link is Still Human
Unlike many attacks that rely on brute-force methods or exploiting known system vulnerabilities, this breach at M&S reportedly began with social engineering. Employees were manipulated into granting access to systems—an approach that bypassed even the most advanced technical defences.
This tactic, which exploits human trust rather than code, highlights an uncomfortable truth: you can’t secure a business with technology alone. As attacks become more sophisticated, businesses must match technical defences with cultural resilience and employee education.
The Supplier Fallout: Disruption Far Beyond the Frontline
The effects of the attack weren’t limited to M&S alone. Suppliers and partners were caught in the chaos as order systems and digital workflows collapsed. Delays in communication, halted orders, and missing payments meant suppliers—especially smaller firms—faced operational paralysis and financial strain.
This underscores a critical point: a cyberattack on one major player affects the whole ecosystem. Businesses must not only secure their own infrastructure but build collective resilience across the supply chain.
Cybercrime Trends: The UK & Europe Under Siege
While data security is a top priority for UK and European CIOs, the picture is more complex globally. According to the same Thorpe and Partners research, US CIOs tend to rank data security below AI implementation and digital growth. This divergence may partly explain why the US remains the most targeted country for cyberattacks, accounting for 46% of global incidents.
In contrast, the UK now ranks eighth in the world for cybercrime threat levels, with businesses being targeted every 44 seconds. Ransomware, phishing, and social manipulation are among the most prevalent threats, particularly in retail, finance, and logistics.
What the M&S case makes clear is that cyber resilience can no longer be left solely to IT departments. It requires board-level attention and technology leadership that drives action across every layer of the business.
Tackling the issue:
Education Must Be Universal
Cybersecurity isn’t just a tech issue—it’s also a people issue.
All employees, from the shop floor to the boardroom, must be trained to spot and stop manipulation attempts and phishing tactics.
CIOs and CISOs Must Lead the Cultural Shift
Technology leaders need to go beyond systems governance. They must be visible champions of security culture, influencing investment, change programmes, and board strategy to prioritise resilience.
Disaster Recovery Planning Must Be Rigorous and Tested
It’s no longer acceptable to “hope for the best.” Business continuity plans should be regularly rehearsed, updated, and embedded across teams to minimise downtime and reputational damage.
Ensuring You Have the Right Talent
Building capability and capacity is key to ensuring that organisations have the skills to secure their operations and react quickly to an attack.
The M&S breach is more than an isolated incident—it’s a warning. In a digital world, every business is a data business, and resilience is no longer optional.
With UK and European CIOs already prioritising security, the opportunity now is to build not just defences, but shared accountability and lasting cultural change. Because when the next attack comes—and it will—only organisations that are prepared at every level will withstand the storm.
Photo by Oleksandr Chumak