Lessons to learn from the M&S Cyber Attack: A wake-up call for IT security
What happened?
Over the Easter weekend, Marks & Spencer (M&S) suffered a major cyber breach that disrupted online payment systems, click-and-collect services, and in-store contactless payments. The attack, attributed to the hacking group Scattered Spider, forced M&S to suspend online orders, refund thousands of customers, and deal with empty shelves and logistical chaos. The financial toll was staggering—nearly £700 million wiped off its market value.
Key lessons to learn from the M&S Cyber Attack
Cybersecurity must be a board-level priority
The M&S breach proves that no organisation is immune. Cybersecurity should not be siloed within IT departments—it must be a standing item at board meetings. Executive teams need to understand the risks and invest in proactive security strategies.
Hybrid working expands attack surfaces
With remote and hybrid work models becoming the norm, businesses must reassess their security frameworks. The flexibility of modern work environments introduces new vulnerabilities that attackers are quick to exploit.
Human error is still the weakest link
Phishing and social engineering remain common entry points. Regular, scenario-based training for staff is essential to reduce the risk of breaches. The M&S incident highlights how even sophisticated systems can be undone by simple mistakes.
Supply chain security is non-negotiable
Your cybersecurity is only as strong as your weakest vendor. The M&S attack underscores the need for rigorous third-party risk assessments and contractual security obligations for suppliers.
Incident response plans must be tested
Having a documented recovery plan isn’t enough. Businesses must regularly test their incident response strategies to ensure they work under pressure. M&S’s delayed recovery shows the cost of being underprepared.
Invest in foundational security technologies
Multi-factor authentication, encryption, and secure access controls are no longer optional. These tools form the first line of defence against increasingly sophisticated threats.
Cyber insurance is a safety net, not a solution
While cyber insurance can help mitigate financial losses, it doesn’t prevent attacks. A clear action plan, trained users, and layered security controls are essential to limit damage.
The bigger picture
The M&S cyber attack is a wake-up call for every business—not just retailers. As digital transformation accelerates, so do the risks. IT leaders must shift from reactive to proactive security postures, ensuring that infrastructure, people, and processes are aligned to defend against evolving threats.
Shoothill encourages organisations to take these lessons seriously and review their cybersecurity strategies today. Because in the world of cyber threats, it’s not a matter of if, but when.