Key resilience lessons: What can we learn from the M&S cyber attack?

Marks and Spencer cyber attack

In April 2025, Marks and Spencer suffered one of the most disruptive cyber attacks in UK history. 

The real value in studying high-profile incidents like this is not the drama of the attack itself, but what it reveals about resilience: what holds up, what breaks and what other organisations should be doing now.   

We’ve explored the crisis in depth here. In this blog, Databarracks Resilience Director, Chris Butler, and Deputy Resilience Director, Charlie Maclean-Bristol, outline 6 key lessons organisations should take away. 

What happened? 

The attack on M&S began with social engineering rather than a technical exploit. The attackers are reported to have gained access via a third-party IT service desk, before moving laterally across the environment. 

M&S took core systems offline to contain the threat. Online sales were suspended for 46 days, while Click & Collect remained disrupted well beyond that. Stores stayed open, but parts of the operation had to fall back on manual workarounds, with stock availability and logistics hit hard. The attack is estimated to have cost M&S around £300 million, with £100 million offset through insurance. 

The attack coincided with a similar incident at Co-op, later classified by the National Cyber Security Centre as part of a single combined cyber event. The outcomes, however, were very different, with Co-op’s segmented architecture limiting the blast radius and allowing it to keep core services online. 


Key resilience lessons 

Lesson 1: Cyber insurance is part of your resilience strategy 

Cyber insurance proved its value for M&S, not just financially, but operationally. 

“M&S recovered around £100 million through insurance against a widely reported £300 million impact. That alone shows its value. But insurance also gives you immediate access to specialist support: technical, legal and PR. The last thing you want in a crisis is scrambling to find help. You need to be clear what your policy covers, what it doesn’t, and what support you can call on when an incident occurs.”

Charlie Maclean-Bristol 

Lesson 2: Identity is the front door – and service desks are a weak point 

In the M&S attack, the attackers didn’t break through technical defences. They used social engineering to get legitimate access. 

Identity needs to be treated as the main security boundary. Stronger procedures, verification checks and controls around privileged access are essential, especially for high-risk actions. “Service desks are vulnerable to social engineering attacks because they’re under constant pressure to resolve issues quickly. That creates a trade-off between speed and security, and attackers exploit it.”

Chris Butler

We need the same level of training for social engineering as we have for phishing. Everyone knows not to click a suspicious link. The same awareness needs to apply to someone asking for access. “It doesn’t matter how high your castle walls are if attackers can simply call the gatekeeper and be let in. Staff need both the awareness and the confidence to follow the process, even under pressure.”

Charlie Maclean-Bristol 
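The verification checks the lesson above calls for can be written down as a rule, so that an agent under pressure has something to follow rather than a judgement call to make. The script below is an added example, not code from the Databarracks post or from M&S, and the directory records, user names and ticket reference in it are constructed. It models a risk-tiered gate: for high-risk actions (password or MFA resets, group changes) the callback must go to a number the organisation already holds, never one the caller supplies, and privileged accounts additionally need a named manager's approval and a ticket reference.

```python
"""Risk-tiered verification gate for service-desk identity requests.

Added example, not code from the Databarracks post or from M&S. It models the
control the post calls for: high-risk actions are only completed after
verification through contact details the organisation already holds, and
privileged accounts additionally need a recorded manager approval and ticket.
All names, numbers and records below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Actions that let a caller take over or escalate an account.
HIGH_RISK_ACTIONS = {"password_reset", "mfa_reset", "add_to_group"}


@dataclass
class Directory:
    """Stand-in for the HR/IAM system of record (assumed, constructed data)."""
    phone_on_record: dict      # user -> phone number the organisation already holds
    privileged_users: set      # accounts that are high-value targets
    manager_of: dict           # user -> manager who must approve privileged resets


@dataclass
class Request:
    user: str
    action: str
    callback_number_used: Optional[str] = None   # number the agent actually dialled
    manager_approval_from: Optional[str] = None
    ticket_id: Optional[str] = None


def evaluate(req: Request, directory: Directory):
    """Return (approved, reasons). Every denial names the missing control so the
    agent can explain it to the caller instead of improvising."""
    reasons = []
    if req.action not in HIGH_RISK_ACTIONS:
        return True, ["standard verification sufficient"]

    # Rule 1: the callback must go to the number on record, never one the
    # caller supplies. "Call me back on my new mobile" is the classic lure.
    expected = directory.phone_on_record.get(req.user)
    if expected is None:
        reasons.append("no contact details on record; escalate, do not reset")
    elif req.callback_number_used != expected:
        reasons.append("callback not made to number on record")

    # Rule 2: privileged accounts need a second person and an audit trail.
    if req.user in directory.privileged_users:
        if req.manager_approval_from != directory.manager_of.get(req.user):
            reasons.append("manager approval missing or from wrong approver")
        if not req.ticket_id:
            reasons.append("no ticket reference for privileged reset")

    return (not reasons), (reasons or ["all checks passed"])


# Constructed sample directory (not real numbers or people).
DIRECTORY = Directory(
    phone_on_record={"alice": "+44 20 0000 0001", "svc-domainadmin": "+44 20 0000 0002"},
    privileged_users={"svc-domainadmin"},
    manager_of={"alice": "bob", "svc-domainadmin": "carol"},
)


def social_engineering_attempt():
    """Caller claims to own the admin account and asks for a callback on
    'their new mobile'; the agent, under pressure, dials it."""
    req = Request(user="svc-domainadmin", action="mfa_reset",
                  callback_number_used="+44 7700 900123")
    return evaluate(req, DIRECTORY)


def legitimate_privileged_reset():
    """Same request done properly: callback to the number on record, manager
    approval from the recorded manager, and a (constructed) ticket reference."""
    req = Request(user="svc-domainadmin", action="mfa_reset",
                  callback_number_used="+44 20 0000 0002",
                  manager_approval_from="carol", ticket_id="INC-0001")
    return evaluate(req, DIRECTORY)


def routine_request():
    """Low-risk action: the standard knowledge-based check is enough."""
    return evaluate(Request(user="alice", action="shared_mailbox_access"), DIRECTORY)


if __name__ == "__main__":
    for fn in (social_engineering_attempt, legitimate_privileged_reset, routine_request):
        ok, why = fn()
        print(f"{fn.__name__}: {'APPROVED' if ok else 'DENIED'} - {'; '.join(why)}")
```

The point of the rule is that the caller never gets to choose the verification channel. Speed is preserved for routine requests, and the extra steps only apply where a single mistake hands over a privileged account.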

Lesson 3: Treat third-party risk as a core resilience issue 

Around 30% of breaches now originate through third parties (Verizon: 2025 Data Breach Investigations Report), and the M&S attack followed that pattern.  

Supplier resilience is part of your resilience, not someone else’s problem.

“For large organisations with hundreds or thousands of suppliers, this becomes a practical challenge. You can’t tightly control everything, so the key is prioritisation. Focus on those with access to critical systems and data and make sure your strongest controls apply there.

This goes beyond questionnaires. You need visibility of third-party access, clear accountability in contracts and confidence that suppliers are applying the same identity and security controls as your own teams.”

Chris Butler 

Lesson 4: Test and exercise your response frequently  

Testing and exercising materially improves outcomes. 

As Rob Elsey, Chief Digital and Information Officer at the Co-op, told Parliament: “We had war gamed this precise scenario as a leadership team before, so the board itself was very well prepared for who would take what role. That definitely paid dividends through the crisis.” 

“Exercises need to be realistic and frequent. Too often they’re not demanding enough or don’t reflect the pressure of a real incident. Research shows that after around 6 months response capability starts to decline. That should be the minimum interval between exercises.”

Chris Butler

“I am sure that M&S must have exercised their response, but I suspect the challenge they faced was far more extreme than anything they had practised. That’s common. Organisations often avoid ‘Armageddon’ scenarios because they feel too extreme. But it’s something that organisations would benefit from testing. If everything goes down, what do you do? Without practising that, you won’t be ready for these kinds of existential threats.”

Charlie Maclean-Bristol 

Lesson 5: Segment systems to limit impact 

Once attackers are inside, the question is how far they can move. Containment is what separates an incident from a crisis. 

“One of the key lessons here is that you need to limit how far attackers can move. There’s a clear contrast between what happened at M&S and what happened at Co-op, who faced the same threat. Co-op appears to have contained the attackers more effectively, which meant they were able to keep systems running and recover more quickly. M&S, by contrast, experienced much more widespread disruption.”

Charlie Maclean-Bristol 

“It makes sense to assume attackers will gain access and design for containment through segmentation. If they reach your Active Directory, they’ve got your crown jewels. Without segmentation, they can move laterally very quickly.”

Chris Butler

Lesson 6: Backups are the foundation of recovery 

Recovery from a cyber attack ultimately depends on whether you can restore safely and quickly. 

“Backups are your route back, and attackers know that too. That’s why they target them. They need to be immutable and effectively air-gapped, so they can’t be tampered with.

You also need to be able to restore into an environment you know is clean. If you can’t trust your backups, recovery becomes much slower and far more uncertain.”

Chris Butler 

“If attackers can get to both your main systems and your backups, you’re in real trouble. You’re rebuilding from scratch, and that’s massively disruptive. That’s why backups need to be immutable, air-gapped and regularly tested. 

You also need to know how long recovery will take, and what you’d need to spend to reduce the downtime. That trade-off between cost and recovery speed is a business decision, not just a technical one.”

Charlie Maclean-Bristol 
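Immutability and air-gapping stop a backup being altered; the second question in the lesson above is whether you can tell, at restore time, that a set is still what you wrote. The script below is an added example, not code from the Databarracks post or from any backup product. It assumes a signing key that is held outside the backup environment (an offline or recovery-side key store) and builds a manifest of file hashes signed with that key. At restore the signature is checked before any file hash, so an attacker who can rewrite backup data and its manifest but cannot reach the key is detected. The backup files and key are constructed.

```python
"""Integrity-checked backup manifest: can you trust what you are restoring?

Added example, not code from the Databarracks post. Each backup set gets a
manifest of SHA-256 file hashes signed with an HMAC key that is assumed to be
held outside the backup environment. At restore time the signature is checked
first, so a tampered set cannot be passed off as good by rewriting both the
data and the manifest. All files, names and the key below are constructed.
"""
import hashlib
import hmac
import json


def build_manifest(files: dict) -> dict:
    """Map each file name to the SHA-256 of its content."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over a canonical JSON encoding so key order cannot change the result."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_backup(files: dict, manifest: dict, signature: str, key: bytes):
    """Return (trusted, problems). Signature first: an unsigned manifest is
    worthless no matter how well its hashes match the files."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, ["manifest signature invalid: do not restore from this set"]
    problems = []
    for name, expected in manifest.items():
        if name not in files:
            problems.append(f"missing file: {name}")
        elif hashlib.sha256(files[name]).hexdigest() != expected:
            problems.append(f"hash mismatch: {name}")
    for name in files:
        if name not in manifest:
            problems.append(f"unexpected file not in manifest: {name}")
    return (not problems), (problems or ["backup set verified"])


# Constructed sample backup set and an assumed out-of-band signing key.
RECOVERY_KEY = b"held-offline-not-in-backup-environment"
ORIGINAL = {"db.sql": b"CREATE TABLE orders (id INT);", "config.yml": b"mode: prod\n"}
MANIFEST = build_manifest(ORIGINAL)
SIGNATURE = sign_manifest(MANIFEST, RECOVERY_KEY)


def clean_restore():
    """Untouched set: signature and every hash check out."""
    return verify_backup(dict(ORIGINAL), MANIFEST, SIGNATURE, RECOVERY_KEY)


def tampered_data_only():
    """Attacker with write access to the backup store swaps one file."""
    files = dict(ORIGINAL)
    files["config.yml"] = b"mode: prod\nallow_all: true\n"
    return verify_backup(files, MANIFEST, SIGNATURE, RECOVERY_KEY)


def tampered_data_and_manifest():
    """Attacker also rewrites the manifest to match, but cannot re-sign it."""
    files = dict(ORIGINAL)
    files["config.yml"] = b"mode: prod\nallow_all: true\n"
    forged_manifest = build_manifest(files)
    return verify_backup(files, forged_manifest, SIGNATURE, RECOVERY_KEY)


if __name__ == "__main__":
    for fn in (clean_restore, tampered_data_only, tampered_data_and_manifest):
        ok, why = fn()
        print(f"{fn.__name__}: {'TRUSTED' if ok else 'REJECTED'} - {'; '.join(why)}")
```

The check is only as good as the key's isolation: if the signing key sits on a system the attackers can reach from the compromised estate, they can re-sign whatever they like, which is the same segmentation point Lesson 5 makes. Run the verification as part of every restore test, not only during an incident, so that a set that fails is found while there is still time to fix the pipeline.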

Closing insights 

M&S’s strong financial position and reputation as a trusted, ‘core British brand’ helped it survive the incident. Not many organisations could absorb a disruption costing £3.5 million a day.

“The lesson for others, particularly in retail, is how little it takes. Attackers only need to succeed once, and the damage can run into hundreds of millions.

Retail will remain a target. With fine margins and daily revenue at stake, even short periods of downtime are immediately costly, so the focus has to be on limiting impact and being ready to recover.”

Chris Butler 

“There’s a lot you can point to in hindsight – segmentation, exercising, awareness of the social engineering threat – but it’s also important to recognise the response. Ultimately, M&S managed the recovery successfully. They kept stores trading, communicated fairly well with customers and didn’t promise things they couldn’t do. That meant they avoided the kind of reputational damage we’ve seen with other cyber attacks. 

This was possible in part because M&S went into the incident from a position of strength, with a healthy balance sheet and a trusted brand. Customers were willing to cut them some slack on it. Not every organisation would have survived this. A smaller business, or even M&S itself a decade ago, might not have made it through. Strong brands get the benefit of the doubt, and that can make all the difference in a crisis.”

Charlie Maclean-Bristol 

The takeaways for organisations 

M&S used the incident as a catalyst for change, accelerating its technology transformation and resilience agenda. 

The lessons for other UK businesses are clear: stronger control of identity; tighter management of third-party access; greater awareness of social engineering risks, particularly in service desks; segmented systems to limit impact; robust backup and recovery capability; and a business prepared to operate through disruption, supported by regularly tested and exercised response plans. 

Go deeper: from insight to action 

This blog covers the key lessons. Our full Anatomy of a Crisis report goes deeper, with a detailed timeline and full breakdown of the response and recovery. 

Alongside this, we run Cyber Recovery Wargames based on real-world incidents like the M&S attack. These sessions put your leadership team under pressure, helping you rehearse decisions, test assumptions and identify gaps before a real crisis exposes them. 

Download the report and explore our Cyber Recovery Wargames programme to start strengthening your resilience.