Tuesday, July 22, 2025

A chain reaction: inside the cyberattack that brought M&S to its knees


The recent ransomware attack on the retailer Marks and Spencer (M&S) is a stark reminder of just how exposed modern businesses are to cyber threats, not only within their own walls, but also through the very partners and suppliers they rely on for their daily operations.

While M&S was not breached directly, the vulnerability of a third-party supplier provided an unintended entry point that ultimately impeded operations, disrupted logistics and wiped hundreds of millions off its market value, further underscoring the shared responsibility for security across a business's modern digital ecosystem.

The cyberattack wasn’t just a simple smash-and-grab; rather, it was a calculated, multi-stage operation by the notorious cybercrime group Scattered Spider. It worked because the group created a perfect storm of sophisticated phishing tactics, deft social engineering and a leveraged supply chain link that wasn’t toughened up to today’s resilience standards.

The crux of it is that it is no longer enough to protect a single business’s cyber walls. In a hyperconnected ecosystem, the weakest supplier is the most vulnerable point, and threat actors know it.

How the attack worked

Details emerging from the M&S breach suggest that the threat actors used phishing tactics to gain their initial foothold into a supplier’s systems. While this is not confirmed in this particular case, it does fall in line with FBI reports that email is the primary starting-point for 90% of phishing incidents. Through impersonation and manipulation, the attackers convinced IT personnel at the supplier to reset authentication credentials, essentially handing over the keys to the digital kingdom.

This method of exploitation wasn’t purely technical; rather, it was deeply human. More commonly known as social engineering amongst cyber professionals, this tactic relies on psychological manipulation, exploiting trust, urgency or confusion to trick targets into compromising their own business’s security. While the supplier’s IT staff, henceforth dubbed ‘innocent insiders’, did not intend harm, they unintentionally gave the attackers the access they needed, all in a moment of misjudgment.

Once the foothold was established, the attackers were able to deploy the ransomware and subsequently disrupt food logistics, shutter operations, and inflict an expected £300 million hit to operating profits. This led to over £750 million being erased from M&S’s market capitalization in the fallout. While the scale of this incident is exceptional, it reflects a broader trend in the sector. In fact, according to Trustwave’s recent research on the retail cyber threat landscape, the average cost of a breach in the industry is approximately £2.6 million, underscoring just how financially damaging these incidents can be, even at baseline.

Despite this, it should be recognized that M&S’s swift decision to take its website, mobile app, contactless payment systems, and Click & Collect services offline demonstrates a responsible containment strategy. While this caused disruption to consumers, it aligns with best-practice incident response protocols aimed at halting further spread and preserving customer trust.

The rise of third-party risk

This incident is not unique to M&S. What makes it particularly instructive is how clearly it illustrates the growing threat posed by third-party risk.

It is no secret that most organizations today operate within sprawling digital ecosystems, relying on dozens, sometimes even hundreds, of external vendors for everything from cloud hosting and IT services to logistics and customer support. While this interdependence drives efficiency and innovation, it also significantly expands the attack surface within which cybercriminals can operate successfully.

Despite growing awareness, supplier security is still too often treated as a secondary concern, either addressed during onboarding or relegated to contractual obligations. But in today’s threat landscape, it’s essential that supplier networks be held to the same standards of resilience as internal operations. This means adopting continuous oversight, setting clear access controls, and treating cyber assurance as an ongoing process rather than a one-off audit.

Lessons from the breach

Another thing that was laid bare as a result of this cyberattack, and something businesses need to be keenly aware of, is that even the most well-intentioned employee can be manipulated. To defend against this threat, cybersecurity training, especially on common phishing tactics and social engineering methods in any given industry, is non-negotiable. To supplement this effort, simulations and scenario-based drills can be used, as these help employees better recognize red flags and learn how to respond appropriately.

A simple, yet effective method to prevent unauthorized access is to implement multifactor authentication (MFA) across all systems. According to Microsoft, 99% of the compromised Microsoft accounts in the M&S breach did not have MFA enabled. In addition to this, the principle of least privilege must be followed to ensure that employees and third parties alike only have the access that is absolutely required. This ensures that even if a threat actor gains access to an organization’s systems, they are unable to move laterally within the network.

In fact, to truly limit the spread of threats once the hacker has already gained access, businesses must embrace network segmentation. This is a cybersecurity practice that divides a network into smaller, isolated sections, each with its own access controls and security protocols. One can think of this as compartmentalizing a building where, instead of giving every employee a master key to every room, the access is restricted so people can only enter those areas that are necessary for their jobs.

Beyond internal defenses, organizations must also work collaboratively with their suppliers to enhance the overall security of their vendor network. This requires knowing exactly what data a vendor has access to, understanding how they manage security and integrating them within the core business’s awareness and response plans. Additionally, threat intelligence sharing, joint training exercises and clear incident response plans can transform supplier networks from a liability into an organization’s first line of defense.

The final line of defense, especially in a ransomware scenario, is having a robust backup and recovery strategy in place. Threat actors employing ransomware tactics often target backup systems to prevent quick recovery. With this in mind, backups need to be stored offline or in immutable environments, which cannot be changed or encrypted by attackers. To ensure that restoration works in practice and not just in theory, regular testing of the backups is another key step in bolstering an organization’s cyber defense posture.

The bottom line

Ultimately, the M&S incident is a real-world case study of the operational fragility that can arise when cybersecurity isn’t fully embedded across the supply chain. It also provides a powerful lesson for organizations across various sectors: resilience must extend beyond internal networks and into the broader digital ecosystem. In a world where every transaction, delivery, and customer interaction relies on technology, effective defense demands both strategic investment and human vigilance, both within the business and across its partners.


This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

This post was originally authored and published by from Tech Radar via RSS Feed.
