Cyber reality check: The M&S breach and the compliance gap

By Paul C Dwyer, 11 August 2025

What does it take to bring a £10 billion retail giant to its knees? In April 2025, the answer was disturbingly simple: a compromised helpdesk call.

Marks & Spencer (M&S), one of the UK’s most established retail brands, suffered a cyberattack that reverberated across both the cybersecurity and business communities. What first appeared to be “minor technical issues” over the Easter weekend rapidly evolved into a full-blown operational crisis – crippling online orders, disrupting in-store services, and exposing sensitive customer data.

While the company’s PR machine moved quickly to shape the public narrative, the reality behind the press releases reveals a deeper, more uncomfortable truth.

This article cuts through the surface to examine the regulatory and operational questions this incident raises, especially for those of us working in compliance, operational resilience, and executive education.

A preventable crisis?

This wasn’t a state-sponsored cyberwarfare scenario or a zero-day exploit hidden in deep code. The attack was allegedly carried out by Scattered Spider, a cybercriminal group notorious for social engineering rather than technical sophistication.

According to reports [1], the attackers targeted a third-party IT provider – reportedly Tata Consultancy Services – by tricking helpdesk personnel into resetting access credentials and disabling multi-factor authentication (MFA). Once inside, they deployed a ransomware variant, DragonForce, encrypting core systems (including Active Directory) and exfiltrating sensitive customer data.

Let that sink in.

  • No elite-level hacking.
  • No cutting-edge malware.
  • Just social engineering and weak controls.

Therefore, this was an avoidable breach made possible by:

  • poor enforcement of identity and access management (IAM)
  • inadequate monitoring for anomalous activity, and
  • weak oversight of third-party access.

It’s a textbook failure in basic cyber hygiene, and one with catastrophic consequences.
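The control gap described above (a helpdesk operator disabling MFA and resetting a credential, followed by the account being used) is the kind of sequence that audit-log monitoring can surface. The block below is an added example, not code from the article or from any organisation it names; the log format, actor and account names, addresses and the one-hour correlation window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample identity-audit lines (not real M&S or vendor data).
# Fields: timestamp, actor, action, target account, source/ticket
SAMPLE_LOG = """\
2025-04-18T09:02:11Z helpdesk_op7 mfa_disabled svc_ad_admin ticket:constructed-1
2025-04-18T09:03:40Z helpdesk_op7 password_reset svc_ad_admin ticket:constructed-1
2025-04-18T09:21:05Z svc_ad_admin login_success - ip:203.0.113.45
2025-04-18T10:15:00Z helpdesk_op2 password_reset jsmith ticket:constructed-2
2025-04-19T08:00:00Z jsmith login_success - ip:198.51.100.7
"""

WINDOW = timedelta(hours=1)  # assumed correlation window for reset + MFA change


def parse(log_text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, actor, action, target, source = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "actor": actor, "action": action,
                       "target": target, "source": source})
    return events


def detect_helpdesk_takeover(events, window=WINDOW):
    """Flag accounts whose MFA was disabled and password reset within
    `window` of each other and that then logged in. Returns a list of
    (account, actor who performed the reset, login source) tuples."""
    alerts = []
    accounts = sorted({e["target"] for e in events if e["action"] == "mfa_disabled"})
    for acct in accounts:
        disables = [e for e in events if e["action"] == "mfa_disabled" and e["target"] == acct]
        resets = [e for e in events if e["action"] == "password_reset" and e["target"] == acct]
        logins = [e for e in events if e["action"] == "login_success" and e["actor"] == acct]
        for d in disables:
            for r in resets:
                if abs(r["ts"] - d["ts"]) > window:
                    continue
                # A login after both changes completes the takeover pattern.
                later = [l for l in logins if l["ts"] >= max(d["ts"], r["ts"])]
                if later:
                    alerts.append((acct, r["actor"], later[0]["source"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_takeover(parse(SAMPLE_LOG)):
        print("ALERT: possible helpdesk-assisted takeover", alert)
```

A password reset alone (jsmith in the sample) is routine and is not flagged; only the reset-plus-MFA-removal-plus-login chain raises an alert, which keeps the rule focused on the failure mode discussed here.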

Would compliance with DORA, NIS2, or the UK framework have helped?

There’s a common argument that no regulatory framework can prevent all cyberattacks. That’s true. But that’s not the point.

Compliance isn’t about perfection. It’s about minimising impact, accelerating response, and ensuring resilience.

Take the UK Operational Resilience Framework (ORF). It requires organisations to:

  • identify their most important business services
  • map dependencies, and
  • define tolerance levels for disruption.

Had these principles been rigorously applied at M&S, the organisation might have had:

  • better insight into which services (e.g., online shopping, click-and-collect) were critical
  • rehearsed contingency plans, and
  • tested alternatives ready for deployment.

Similarly, under the EU DORA regulation and the NIS2 directive, entities and their third-party providers are expected to:

  • enforce robust ICT risk management practices
  • perform resilience testing, and
  • maintain strong incident readiness and threat detection capabilities.

Had M&S or its vendors operated under these frameworks:

  • privileged access would have been tightly managed
  • MFA would have been properly enforced
  • response playbooks might have enabled faster containment
  • downtime could have been measured in hours, not weeks, and
  • customer-facing disruption could have been minimised.

So, while no regulation offers a “cyber force field”, adherence to these frameworks could have drastically reduced the blast radius of this incident.

The cost of non-resilience

Let’s talk impact.

Estimated profit hit: Over £300 million.

Market capitalisation loss: More than £1 billion.

Legal fallout: Negligence lawsuits underway in Scotland. [2]

Customer impact: Hundreds of thousands affected.

Recovery timeline: Full digital restoration took more than two months.

All of this at a company with a strong brand, deep customer loyalty, and substantial resources.

Stores resorted to paper-based systems. Refrigeration logs were handwritten. Click-and-collect was suspended. Customers complained of cancelled orders, unresponsive systems, and misinformation.

And it all began with a phone call to a helpdesk.

This isn’t the plot of a cyber-espionage thriller. This is a case study in executive oversight failure and strategic under-preparedness.

Lessons for the leaders of tomorrow

To our ICA students and executive learners, the message is clear:

Cyber resilience is not a checkbox. It’s a culture.

You don’t build resilience by writing policies and calling it a day. You build it by embedding awareness, accountability, and realism into your operations – especially at the leadership level.

Ask the hard questions.

  • Are we pressure-testing our resilience under real-world attack scenarios?
  • Have we clearly defined our most critical business services and acceptable outage thresholds?
  • How robust is our oversight of third-party service providers?
  • What real-time indicators are we using to measure digital health?

This is precisely why the ICA and EU Cyber Academy have partnered – to equip tomorrow’s leaders with the tools, insight, and frameworks they need to defend their organisations in an increasingly hostile digital world.

Final thought: Don’t applaud the recovery – learn from the failure

M&S will recover. They always do. Their PR team performed admirably.

But let’s not miss the point: this was a preventable crisis.

We must stop treating cybercrime as a purely technical concern or a back-office inconvenience. It’s a strategic business threat that demands boardroom attention and action.

The next breach won’t just cost money – it will cost trust. And in the digital age, trust is currency.

About the author

Paul C Dwyer is President of the International Cyber Threat Task Force (ICTTF) and Head Tutor of the EU Cyber Academy.

At ICA we have a range of cyber risk courses offered in partnership with the ICTTF.