What Every Business Can Learn from the M&S Cyber Attack
In May 2025, Marks & Spencer made headlines, but not for the reasons they’d like. A reported £300 million cyber attack disrupted operations, impacted customer trust, and exposed a painful truth for businesses everywhere: even the best-known brands can fall victim to human error.
But this wasn’t a case of cutting-edge tech being outsmarted. It was a breakdown in basic process. A single moment of misplaced trust — and a password reset by a third-party IT engineer — was all it took.
So, what can your business learn from the M&S cyber attack mistake?
Table of Contents
What Actually Happened? A Quick Recap
The breach didn’t start with a clever virus or an unpatched server. It started with a phone call.
An attacker impersonated a M&S employee and contacted the company’s third-party IT helpdesk. The engineer on the other end — likely under time pressure — reset the password without going through proper verification steps. That single misstep handed control to the attacker.
From there, systems were compromised, data accessed, and the financial damage escalated quickly.
This wasn’t a technology failure. It was a people and process failure.
The Weakest Link: People and Process
Despite advanced cyber security tools, human error remains the number one way hackers get in.
As CYAN’s security analyst Kelly puts it:
“Time pressures, a lack of awareness, and weak procedures can turn even the best teams into a liability. This is especially true when identity verification is skipped or rushed — and attackers know it.”
Here’s where the cracks often appear:
- No robust identity checks before account changes
- Helpdesk engineers acting alone without oversight
- No multi-layered process to catch unusual or urgent requests
- No training on AI-generated voice or phishing tactics
When your IT partner isn’t on guard then your business becomes the target.
How to Spot Risk in Your Own IT Support
You trust your IT provider with the digital keys to your business. But how do you know they’re following the right security playbook?
Start with these questions:
- Who has access to our systems and how is that access tracked?
- How do you verify user identity during support requests?
- Are your team trained in social engineering threats and AI voice cloning?
- How often do you review or test security protocols?
If the answers are vague or unclear, that’s your warning sign.
Simple Steps to Stay Protected
Here are some quick wins any business can do to make a big difference:
- Enable Two-Factor Authentication (2FA) – It adds a second lock on the door, even if someone has your password.
- Never trust a request at face value – Always verify a user’s identity before making changes — even if they sound familiar.
- Keep social media profiles private or limited – Public staff directories or contact details can be used to impersonate your team.
- Train your staff (and providers!) on modern phishing tactics – AI voice scams and urgent requests are the new normal.
- Use access controls and shared logins wisely – No single user should have unchecked admin privileges.
For more tips on protecting your business, the National Cyber Security Centre (NCSC) offers clear, trusted guidance for organisations of all sizes. We also recommend checking the latest Verizon Data Breach Investigations Report for insight into how breaches really happen.
Final Thought: Trust Your IT Provider — But Verify Everything
This M&S cyber attack is a timely reminder: even brands with big budgets can get caught out when human decisions aren’t backed by process.
And while you might not be a household name, the same rules apply. The IT provider you choose — and the checks they use — could be the difference between business as usual and a very bad day.
Need a second opinion on your current support setup?
CYAN helps growing organisations build security-first IT systems with smarter, safer processes.
Let’s Chat
