Marks and Spencer successfully resumes its click-and-collect service
The Marks and Spencer (M&S) cyber attack in April 2025, attributed to the cybercriminal group Scattered Spider, has underscored the critical importance of a holistic approach to cybersecurity. The attack, which is estimated to cut M&S's profits by up to £300 million this year, exploited weaknesses in helpdesk procedures and resulted in the deployment of ransomware and data exfiltration.
Following the incident, experts have emphasized the need for organizations to strengthen their basic cyber hygiene measures, particularly regarding social engineering defenses, identity and access management, and third-party access oversight.
Key Recommendations for Organizations
In light of the M&S breach, the National Cyber Security Centre (NCSC) has issued guidance to tighten up security practices. Here are some key recommendations:
- Strict enforcement of Identity and Access Management (IAM): Ensure strong authentication methods, including mandatory multi-factor authentication (MFA) for all user accounts, particularly those with privileged access.
- Enhanced employee awareness and training: Focus on social engineering tactics like phishing and vishing, since human error was a major factor in the M&S breach.
- Robust monitoring and anomaly detection: Implement continuous monitoring tools to detect unusual activities promptly, such as unexpected credential changes or access patterns.
- Rigorous third-party risk management: Carefully vet and continuously oversee all third-party providers and their access controls, since attackers exploited a third-party IT provider in this case.
- Operational resilience planning: Develop clear incident response and recovery plans to minimize disruption if an attack occurs.
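The monitoring recommendation above is the one that translates most directly into a concrete control: the M&S attack started with a helpdesk-procedure weakness, so the credential changes worth alerting on are helpdesk-initiated resets that lack a recorded identity check, and password resets followed shortly by MFA changes on the same account. The script below is an added illustration written for this page, not code from M&S, the NCSC or any vendor; the log format, field names, event names and the 30-minute window are assumptions, and the audit lines are constructed. It weights alerts higher for accounts in the privileged groups the article names.

```python
"""Flag helpdesk-driven credential changes that look like account takeover.

Added example for this page (not from the article or the NCSC guidance).
The audit-log format, event names and group names below are assumptions;
the log lines are constructed so the script runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Privileged groups the article singles out as prime targets (assumed names).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Cloud Admins"}

# Events in which an actor changes an account's credentials (assumed names).
CREDENTIAL_CHANGE_EVENTS = {"password_reset", "mfa_method_reset", "mfa_method_added"}

# A password reset followed by an MFA change within this window is the
# "unexpected credential change" pattern worth a prompt look (assumed value).
WINDOW = timedelta(minutes=30)


@dataclass(frozen=True)
class Event:
    ts: datetime
    event: str
    actor: str                # who performed the change (helpdesk operator or the user)
    target: str               # account whose credentials changed
    target_groups: frozenset  # group memberships of the target account
    verified: bool            # helpdesk recorded a completed identity verification


def parse_line(line):
    """Parse one constructed audit line:
    ISO timestamp | event | actor | target | group;group | verified(true/false)
    """
    ts, event, actor, target, groups, verified = [f.strip() for f in line.split("|")]
    return Event(
        ts=datetime.fromisoformat(ts),
        event=event,
        actor=actor,
        target=target,
        target_groups=frozenset(g for g in groups.split(";") if g),
        verified=(verified.lower() == "true"),
    )


def find_alerts(lines):
    """Return (timestamp, target, reason, severity) tuples for suspicious changes."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts = []
    last_helpdesk_reset = {}  # target account -> time of last helpdesk password reset
    for e in events:
        # Only helpdesk-driven changes: skip events a user performs on their own account.
        if e.event not in CREDENTIAL_CHANGE_EVENTS or e.actor == e.target:
            continue
        severity = "high" if e.target_groups & PRIVILEGED_GROUPS else "medium"
        if not e.verified:
            alerts.append((e.ts, e.target, "helpdesk credential change without identity verification", severity))
        if e.event == "password_reset":
            last_helpdesk_reset[e.target] = e.ts
        elif e.event.startswith("mfa_"):
            reset_at = last_helpdesk_reset.get(e.target)
            if reset_at is not None and e.ts - reset_at <= WINDOW:
                alerts.append((e.ts, e.target, "password reset followed by MFA change within window", severity))
    return alerts


# Constructed sample audit lines (not real data): one verified reset for a
# standard user, then an unverified reset plus MFA reset on a privileged account.
SAMPLE_LOG = """
2025-04-20T09:00:00 | password_reset   | helpdesk.anna | j.doe     | Staff               | true
2025-04-20T09:05:00 | password_reset   | helpdesk.bob  | it.admin1 | Domain Admins;Staff | false
2025-04-20T09:12:00 | mfa_method_reset | helpdesk.bob  | it.admin1 | Domain Admins;Staff | false
2025-04-20T10:00:00 | mfa_method_added | it.admin1     | it.admin1 | Domain Admins;Staff | true
""".strip().splitlines()


if __name__ == "__main__":
    for ts, target, reason, severity in find_alerts(SAMPLE_LOG):
        print(f"{ts.isoformat()} [{severity}] {target}: {reason}")
```

In a real deployment the lines would come from the identity provider's audit export and the "verified" flag from the helpdesk ticketing system; the value of the check is that it ties the two together, so a reset performed without a completed verification step becomes visible to the security team rather than only to the operator who took the call.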
Preventable Breach Illustrates Compliance Gap
The M&S breach is widely considered preventable: had these foundational cybersecurity practices been followed, the initial helpdesk compromise would have been far harder to achieve. That is the compliance gap many organizations still need to close. The incident also shows how low-tech social engineering can bypass sophisticated technical defenses, reinforcing the NCSC's advice to prioritize human factors and procedural controls rather than relying solely on technology.
Effective Cybersecurity Requires a Holistic Approach
The primary takeaway for organizations is that effective cybersecurity requires a holistic approach combining strong access controls, staff training, continuous monitoring, and strict third-party governance, as recommended in the NCSC's recent guidance, to reduce the kinds of weaknesses the M&S cyber attack exposed.
Additional Measures for Senior Employees
Particular caution should be exercised for senior employees with escalated privileges, such as Domain Admin, Enterprise Admin, and Cloud Admin accounts. These accounts are prime targets for attackers, so extra measures should be taken to secure them: stricter password policies, MFA enforced without exception, and access limited to only the services each account actually needs.
M&S Resumes Click-and-Collect Services
Following the incident, M&S halted online ordering for clothing, home deliveries, contactless payments, and click-and-collect systems in April. However, the company has now resumed click-and-collect services, allowing customers to collect their orders from stores.
Key Takeaways
1. Organizations should strengthen their basic cyber hygiene measures to reduce vulnerabilities, as suggested by the National Cyber Security Centre (NCSC). These include strict enforcement of identity and access management (IAM), enhanced employee awareness and training, robust monitoring and anomaly detection, rigorous third-party risk management, and operational resilience planning.
2. Given the criminal group Scattered Spider's cyber attack on Marks and Spencer (M&S) and the compliance gap it illustrates, it is critical to implement an effective cybersecurity approach that combines strong access controls, staff training, continuous monitoring, and strict third-party governance, as recommended by the NCSC, and to prioritize human factors and controls over relying solely on technology.