
Marks & Spencer Cyberattack: By the Numbers
- £300M+ in losses
- 6+ weeks of operational disruption
- Millions of customer records exposed
- 100% business impact from stores to supply chain
- 2-stage attack with exfiltration first and ransomware second
- 1 help desk interaction to gain access
- 0 vulnerabilities exploited
More than anything, the incident highlighted a critical shift: stopping data exfiltration is now just as important as stopping the attack itself.
Here is what happened and what every organization should learn from it.
What Happened: Key Facts from the M&S Cyberattack
1. The attack cost up to £300 million
M&S estimated the financial impact could reach over £300 million, driven by lost sales, disruption, and recovery costs.
2. Customer data was stolen
Attackers accessed personal customer data, including names, addresses, and order histories. This confirmed a clear data exfiltration component.
3. Online operations were down for weeks
M&S was forced to halt:
- Online orders
- Click and Collect services
This was a prolonged outage, not a short-term disruption.
4. Store operations were heavily disrupted
Payment systems failed, stock systems went offline, and some stores reverted to manual processes just to keep trading.
5. The breach started with social engineering
Attackers impersonated employees and convinced IT or help desk staff to reset credentials. They bypassed MFA without exploiting a single vulnerability.
6. Third-party access was likely involved
The attack is believed to have originated through a third-party provider, reinforcing the risk created by extended vendor access.
7. Data was stolen before ransomware was deployed
Like most modern attacks, exfiltration came first, followed by ransomware. This enabled double extortion.
8. The impact reached the boardroom
The scale of the attack triggered board-level scrutiny, reputational damage, and investor concern. A number of board-level employees have since left their positions in the company.
What the M&S Attack Taught Us
1. Data exfiltration is now the real objective
This was not just about locking systems. It was about stealing data first.
Modern ransomware groups prioritize exfiltration because it:
- Increases leverage
- Extends the impact beyond recovery
- Triggers regulatory and reputational fallout
Stopping data from leaving the network is now critical.
2. The human layer is the new attack surface
No exploit. No malware chain. Just a convincing interaction.
Attackers:
- Target people instead of systems
- Use social engineering to bypass controls
Even strong security can be undone by human manipulation.
3. Third-party risk remains the weakest link
Trusted partners can quickly become entry points.
If a supplier has access to your systems, they expand your attack surface.
4. Detection alone is not enough
By the time suspicious activity was identified, attackers were already inside.
Detection tells you it happened. Prevention limits what happens next.
5. Cyber incidents are now business continuity events
This attack disrupted:
- E-commerce
- In-store operations
- Supply chains
Cybersecurity is no longer just IT. It is operational resilience.
6. Ransomware attacks are more strategic and less visible
Attackers likely spent time inside the network:
- Moving laterally
- Identifying high-value targets
- Exfiltrating data quietly
By the time ransomware is deployed, the real damage is often already done.
7. Retail is a high-value target
Retailers hold vast amounts of customer data and rely on complex systems. That makes them prime targets.
Organizations should assume they are at risk, not exempt.
One Year On: The Bigger Picture
The M&S attack was not an isolated incident. It reflects a broader shift toward:
- Data-first ransomware
- Human-led attacks
- Exploitation of trusted relationships
It also exposed a critical gap in traditional security strategies.
Final Takeaway
In today’s threat landscape, the real impact of an attack is not access. It is data loss. Learn more about how ADX Protect can protect your business from ransomware and data exfiltration.