On April 17, 2025, Marks & Spencer, one of the UK’s largest and most popular retail names, was hit by a major ransomware attack. It’s been rumoured that the notorious Scattered Spider collective had a hand in this – the same group that many have theorised holds responsibility for the Harrods breach. Four arrests have been made in the UK, but for M&S, the story is still unfolding. The consequences of this data breach are set to echo through its operations, finances, and brand for months, if not years.
Who are Scattered Spider?
The cyber-criminal collective known as Scattered Spider (also operating under names like Octo Tempest, UNC3944, Muddled Libra, Scatter Swine) has been active since about 2022. They specialise in social engineering: phishing, impersonation, posing as IT support staff, bypassing multi-factor authentication (MFA), particularly targeting help-desks and remote-access portals.
By leveraging human and process vulnerabilities rather than purely technical ones, they’ve become a rising threat to large organisations in the UK and beyond.
How human error enabled M&S’s breach
This incident at Marks & Spencer (M&S) was not a typical firewall or missing-patch scenario. The initial compromise was confirmed to have stemmed from social engineering of a third-party vendor: attackers manipulated IT help-desk processes and bypassed MFA controls to gain access.
The key takeaway: human and process vectors (such as vendor access, help-desk reset flows, remote support) remain among the weakest links in cyber defences.
The long journey to recovery
Once the breach hit on 17 April 2025, M&S faced several steps for recovery:
- Online clothes and third-party brand sales were restored in June.
- Food delivery / click-and-collect services returned in July.
- Warehouse disruption forced partial furloughs (~200 staff) while in-store teams faced stock shortages.
- In July 2025, M&S announced it had ended its IT service-desk contract with Tata Consultancy Services (TCS) after a decade-long partnership, though both parties emphasise the decision was part of a standard procurement process and not directly triggered by the breach.
The financial impact
The financial hit was substantial:
- Reports indicate over £1 billion was wiped from M&S’s market value in the weeks following the incident.
- Operating profit for 2025/26 is expected to fall by around £300 million.
- M&S is pursuing a claim of approx. £100 million under its cyber-insurance policy, though policy exclusions might limit the payout.
The damage to trust
Rebuilding customer confidence often takes much longer than restoring systems. Indicators include:
In a competitive retail scene where switching providers is easy, the reputational hit is significant.
Why cyber resilience is not optional
For boards and senior leadership, this event serves as a strategic wake-up call. Essential actions include:
- Zero-trust architecture: limiting damage even when one account is compromised.
- MFA & phishing resistance: use authentication flows that resist social engineering.
- Vendor access controls: treat third-party and partner access as part of your perimeter.
- Independent security audits: uncover blind spots before attackers do.
- Continuous user & process training: the weakest link often remains human error.
Vendor & outsourcing risks: TCS contract change
In July 2025, M&S concluded the service-desk contract with TCS after a long partnership (over a decade). The decision followed a procurement process initiated in January and is claimed to be unrelated to the cyber-attack.
Key takeaway: Outsourcing critical functions (help-desk, privileged support, vendor access) introduces risk vectors. When you delegate such services, ensure oversight, strong contract terms (SLAs, incident-response obligations), and continuous vendor-risk management. Such services must be treated as part of your security control framework, not just as cost items.
What happens next?
Most of M&S’s systems are back online, and external cyber-security specialists have been engaged to bolster defences. Yet the combined cost, both financial (estimated ~£1.3 billion including market value loss) and reputational, underlines how a single breach can shape an organisation’s trajectory for years to come.
Notably, M&S’s chair has publicly called for mandatory cyber-incident reporting for large companies, citing that many attacks go unreported.
Take action: how to get the right support
If you’re unsure of your current posture, whether your knowledge, skills, process or vendor-governance need strengthening, start by reviewing how you select and manage your managed IT services. For guidance, you can read our resource: How to Find the Right Managed IT Services First Time.
You can also take our free cyber security assessment and get complete insight into your security posture.
Get in touch
If you’d like a deeper conversation about your organisation’s vendor-risk exposure, help-desk security controls or how to build a resilient cyber-defence programme, we’re here to help.
Contact us.