What are great businesses learning from the M&S cyber attack?

If retail giants with big IT budgets can get hit, what does that mean for the rest of us?

Two of the UK’s most recognisable brands, M&S and Co-op, were recently thrust into the headlines for becoming the latest victims of ransomware attacks. While the breaches hit retailers, the ripple effects offer stark warnings for any business holding customer data and relying on digital operations, especially professional service firms that often handle incredibly sensitive information.

This article breaks down what happened, how the hackers gained access, and the key lessons that businesses of all sizes (including yours) can take away.

How? Exploiting human nature

The attack on M&S is believed to have been carried out using social engineering, a tactic where cybercriminals impersonate others to trick employees into revealing login credentials or clicking malicious links. Once inside, the attackers deployed ransomware, blocking access to important systems and data and demanding payment to restore it.

While M&S has not released full technical details, it confirmed that customer information such as names, addresses, emails, and order history was accessed. Payment card details were reportedly unaffected, but the breach still presents a serious risk. Why? Because seemingly harmless data points become highly valuable in the hands of cybercriminals when pieced together.

The cost of cybercrime

Financial impact

Operational systems, including online orders and click-and-collect services, were disrupted, costing M&S millions in lost sales and causing a drop in share value. For businesses that rely on uninterrupted digital services, even one day offline could mean serious losses.

Reputational damage

Consumer trust is fragile. A breach, even one caused by a third party, can erode confidence, especially in businesses that hold personal or sensitive information. Even if they are a national institution with great Christmas adverts!

What this means for professional services organisations

You might not be in retail, but the way attackers gained access was through human manipulation, not sophisticated code, and this should sound alarm bells. The weak link was not a firewall or server but an untrained employee, and that could happen to absolutely anyone.

Key risks

  • Sensitive client data (such as financial records or contracts) being compromised
  • Loss of access to critical systems, halting productivity
  • Reputational harm among high-trust clients
  • Legal liability under data protection laws

What you can do right now to improve security

Train your team, and regularly!

Employees are your first line of defence. Invest in practical, scenario-based training on phishing, spoofed emails, and social engineering tactics. Make it ongoing, not a once-a-year checkbox. We’ve got a great tool to help identify weak points in team members’ knowledge, so we can deploy the right training exactly where it’s needed most.

Limit access to sensitive systems

Review who can access financial data, HR records, and client files. If someone doesn’t need admin rights, don’t give them admin rights. Every unnecessary login is another potential access point for hackers.

Do yer updates!

Outdated software is a hacker’s best friend. Regular patching may seem tedious, but those updates often include fixes for newly discovered vulnerabilities. They can be the difference between a cyber criminal banging on the door and eventually giving up, or waltzing right in like they own the place and causing chaos.

Develop a cunning plan

Even a basic step-by-step playbook for cyber incidents can prevent panic and reduce downtime. Know who to contact, how to isolate a breach, and how to communicate with clients and stakeholders, keeping them informed throughout.

Cybersecurity isn’t just tech, it’s culture

We often think of cybersecurity as something IT handles in the server room. In reality, it’s a business-wide mindset. When a cyberattack strikes, it doesn’t just affect your machines; it halts your operations, damages your reputation, and risks your client relationships.

Ask yourself honestly: could your business afford three days offline? Or would a breach leave you scrambling to explain what went wrong?

Let’s talk about your setup

If this story hits a little too close to home, or just raises questions you’ve been meaning to answer, get in touch. We can help assess your current cybersecurity readiness, train your team to spot red flags, and put practical safeguards in place.

Cyber threats aren’t slowing down. But with the right approach, you can stay ahead of them.
