The evidence given by senior Marks & Spencer leaders to the Parliamentary Sub-Committee on UK Economic Security is one of the most detailed and candid public accounts of a major cyberattack on a British retail institution. Their testimony reveals stark lessons about organisational resilience, supply chain dependencies, national capability and the real-world impact of modern ransomware groups.

Here are my key takeaways from the session and thoughts on what can be learned from the incident.

1. No organisation is too mature, too large or too well-prepared to be compromised.

Despite extensive investment in cyber defences – including scenario planning, red team exercises, board-level awareness and strengthened identity controls – M&S was still successfully compromised. In the last three years, M&S trebled the number of people working on cyber security to over 80 and doubled its expenditure on cyber security.

Key takeaways:

  • Cyber maturity does not equal immunity. Even well-prepared organisations with strong controls, cyber insurance and dedicated response teams remain vulnerable.
  • Threat actors only need one successful entry point, particularly where attack surfaces include tens of thousands of users, contractors and legacy environments.

This reinforces a fundamental shift in mindset: move from a prevention-only focus to assuming compromise and focusing on resilience.

2. Social engineering remains a highly effective attack vector.

The initial intrusion on 17 April 2025 was achieved through sophisticated impersonation involving a third-party element. The attacker appeared as an individual with known details and successfully convinced internal teams.

Key takeaways:

  • Attackers increasingly use detailed, contextualised identity impersonation.
  • Compromise via third-party access routes presents a persistent risk.

Even advanced MFA implementations may not prevent manipulation of people and processes.

3. Legacy environments can present a major weakness.

M&S have legacy systems still in operation. As an organisation running a hybrid of old and new systems, M&S found it challenging to segregate operations, which gave the attackers greater opportunity to move laterally through their systems. Legacy systems often have outdated architectures and may not be compatible with newer technologies that carry more robust security measures.

The testimony highlights the difficulty of securing an enterprise with:

  • Hybrid of old and new systems.
  • Interconnected services across multiple sites.
  • Legacy ERP and financial platforms.
  • Historic technical debt accumulated over decades.

As a result of the incident, M&S will be bringing forward some of the rebuilding of their ageing systems.

4. Cyber-attacks impair the whole business; they are not incidents isolated to IT systems.

The M&S evidence shows that cyber incidents can have a huge impact on:

  • Operations
  • Supply chains
  • Finance
  • Reputation
  • Customer experience
  • Board governance

The estimated lost profit for this incident was £300m, excluding the wider indirect costs. M&S online retail was offline for long enough that lost profit ran at £10m per week.

This reinforces the need for:

  • Board level preparedness
  • Executive accountability
  • Proper scenario testing
  • Clear decision-making structures during crisis management

5. Is an organisation prepared to operate without technology?

One of the simplest but most powerful lessons shared: ‘Make sure you can run your business on pen and paper.’

This may feel counter-intuitive in an age of cloud automation, but M&S’s experience shows:

  • Manual processes were critical to maintaining retail operations.
  • Organisations with no analogue fallbacks would have failed.

So what?

The M&S cyber-attack was not merely a corporate incident – it was a real-world demonstration of how modern ransomware operations can disrupt a critical part of the UK economy. It underscores that:

  • Cyber security is a national resilience challenge, not just an IT function.
  • Boards must take an active, informed role in cyber governance.
  • The economic cost of inaction is far greater than the investment required for resilience.

In the same way that The British Library did in 2024, there is much that we can learn from organisations like M&S being transparent in sharing their experience. There will have been other major cyber-attacks on large UK companies that have gone unreported. What if mandatory reporting to the National Cyber Security Centre were introduced, so that we could enhance the intelligence we hold and improve our preparedness for future attacks?

If the UK wants to remain ‘the safest place in the world to do business’ – as the Committee chair suggested – then these lessons must be urgently adopted across both private and public sectors.

Written by Lekai Lee, Cyber Security Consultant at Arcanum Cyber Security and OxCyber Ambassador