
🛡️ Overview of the Cyberattack
Marks & Spencer (M&S), a leading UK retailer, recently experienced a significant cyberattack that began over the Easter weekend. The incident disrupted contactless payments, online order processing, and click-and-collect services across its stores. M&S temporarily suspended these services and took parts of its systems offline to safeguard operations.
The company has enlisted the support of the UK's National Cyber Security Centre (NCSC) and the National Crime Agency to investigate the attack and determine whether foreign actors were involved.
🔍 Customer Impact
While M&S stores remained open, customers faced delays in online deliveries and issues with contactless payments. Many shoppers voiced their frustration on social media, highlighting the inconvenience caused by the disruptions.
Despite the challenges, M&S assured customers that their personal data had not been compromised and that no action was required on their part.
🛠️ Company Response
CEO Stuart Machin publicly apologized for the inconvenience and emphasized the company's commitment to resolving the issue swiftly. M&S is collaborating with cybersecurity experts to strengthen its systems and prevent future incidents.
🧠 Behind the Attack: What Might've Gone Wrong
While M&S has not disclosed the technical details (and probably will not), the kind of widespread operational disruption seen here usually points to one of three core culprits:
Ransomware: Attackers encrypt the systems that payment processing, online ordering, and the supply chain depend on, and the business has to take them offline to contain the spread.
Compromise of core IT infrastructure: Think compromised domain controllers, DNS tampering, or firewall misconfigurations that take shared services down for every store at once.
Third-party or supply chain attack: M&S relies on loads of external tech partners. If one gets popped, the damage spreads fast.
🧩 What This Reveals About Modern Threats
Even systems that hold no customer or financial data are prime targets: the attackers did not go after personal data this time; they hit business continuity.
You don't need to steal data to do damage: FCA-regulated firms especially need to understand this. A denial of service is a breach of customer trust plus an operational failure, and that combination is an FCA red flag.
Attackers timed it well: a holiday weekend means a skeleton crew, slower detection and response, and therefore a bigger blast radius.
⚖️ What FCA-Regulated Firms Should Take from This
Operational resilience isn't optional: The FCA expects you to keep important business services running under cyber duress, which is exactly what M&S could not do.
Incident response isn’t just a policy: You need playbooks, real drills, tested backups, and actual failovers that work.
Third-party due diligence is a must: If your systems depend on vendors, your security posture includes their weaknesses.
M&S Cyberattack Summary (Easter Weekend 2025)
What happened?
M&S suffered a major cyberattack over Easter, disrupting contactless payments, online orders, and click-and-collect services.
Core systems were taken offline to contain the damage.
Customer impact:
Shops stayed open, but customers faced delays and frustration. M&S claims no personal data was stolen.
Company response:
CEO issued a public apology. NCSC and National Crime Agency are investigating. Cybersecurity experts brought in to harden systems.
Likely cause:
While details are unclear, the scale suggests possible ransomware, infrastructure compromise, or a third-party supply chain breach.
What this teaches FCA-regulated firms:
Business disruption is a cyber risk — not just data loss.
Attack timing (holiday weekend) shows how threat actors exploit low-staff periods.
FCA expects operational resilience — this means real-world-tested incident response, not just theory.