
REPORTAGE: M&S – This is not just any Cyber Attack; this is an M&S Cyber Attack!

Image Credit: Sionk via Wikimedia under CC

Málaga: Saturday, 17th May 2025 at 12:00 CEST

By Iain Fraser/Reportage & Andy Jenkinson CIP
via SMECYBERInsights, The UK Small Business Cybersecurity Network
#SMECyberInsights #SMECyberSecurity #SMECyberAwareness #CyberSafe #SME #SmallBusiness #Reportage #M&S

Exposing Critical Vulnerabilities in Major Retail and Banking Systems

As Marks and Spencer (M&S) prepares to claim up to £100 million from its cyber insurers following a major data breach, serious questions emerge—not about the sophistication of the attackers, but about the fundamental security failings of two British corporate giants.

Nearly a month after the breach was first disclosed in April 2025, millions of customer records remain exposed while M&S and banking partner HSBC continue to operate digital infrastructure that fails to meet essential security standards.

“What makes this situation particularly concerning is that both M&S and HSBC had been previously alerted to potential vulnerabilities in their systems,” reveals Andy Jenkinson, CEO of CyberSec Innovation Partners. His team had identified specific technical exposures that suggested inadequate protection layers were in place long before the attack occurred.

Basic Security Negligence

This wasn’t a sophisticated, cutting-edge attack. The breach stemmed from foreseeable and preventable vulnerabilities—representing clear violations of UK DPA 2018, GDPR, DORA, and PCI-DSS regulations. Insurers processing this claim should carefully consider whether they should be compensating such systemic security negligence.

“In 2025, implementing basic cybersecurity hygiene should be standard practice across all major enterprises,” notes Jenkinson, whose firm specializes in detecting and mitigating exactly these types of security vulnerabilities. “Yet here, we’re witnessing conspicuous gaps in fundamental protection mechanisms that should have been addressed years ago.”

Response Timeline Raises Questions

Industry observers have noted the unusually extended timeline for remediation in this case. Standard protocol for critical vulnerabilities typically involves immediate patching and security reinforcement, especially for systems handling sensitive customer data and financial information.

Perhaps most concerning is that these organisations—a FTSE 100 retailer and a global banking institution entrusted with vast amounts of sensitive personal and financial data—have yet to address critical security vulnerabilities even after the breach was discovered. This inaction persists despite both companies receiving extensive threat intelligence and support from the National Cyber Security Centre (NCSC) and CrowdStrike “specialists” (sic).

The prolonged exposure period raises serious questions about incident response capabilities at both organizations and potentially signals deeper issues with their security governance structures.

Banking Sector Implications

The incident has raised fresh alarm bells throughout the financial sector regarding the critical importance of rigorous vetting for third-party partners, marketing platforms, and internal security protocols. Financial institutions are now scrambling to assess their own potential exposure through similar partnership arrangements.

Each day these security gaps remain unaddressed, M&S and HSBC not only place larger targets on their own backs but also jeopardise the personal data of millions of loyal customers.

Financial Impact: A Potentially Existential Threat

The cyberattack on Marks & Spencer (M&S) has had a profound financial impact. Since April 25, 2025, the company’s online ordering system has been non-operational, leading to estimated daily losses of £4 million in online sales. As of mid-May, cumulative sales losses are estimated to exceed £60 million.

Investor confidence has been significantly affected, with M&S’s share price declining by approximately 15% to 18%, resulting in a market capitalization loss estimated between £1 billion and £1.3 billion, according to Moneyweek.

M&S has filed for a cyber insurance payout of up to £100 million, with an initial £10 million claim already submitted. The insurance is expected to cover various losses, including direct damages and third-party liabilities.

The Financial Abyss if Insurance Claims Are Denied

Should M&S’s insurance claims be denied, the company could face a financial scenario that threatens its stability.

•  The lost sales to date of over £60 million represent approximately 0.5% of M&S’s annual revenue of £13.1 billion for the fiscal year ending March 2024.

•  The market capitalization loss of £1–1.3 billion equates to about 25–30% of the company’s total market value prior to the breach.

•  Recovery and compliance costs are estimated between £10 million and £50 million, which could consume roughly 5–25% of the company’s typical annual IT and security budget.

•  Potential fines under the General Data Protection Regulation (GDPR) could reach up to £200 million, representing up to 4% of annual turnover, and would constitute one of the largest GDPR penalties ever issued in the UK.

•  Additionally, class action litigation could result in costs between £50 million and £150 million, comparable to settlement amounts in recent major UK data breach cases.

If the anticipated £100 million insurance payout is denied, M&S faces a staggering net exposure of £290 million to £460 million (excluding market capitalization losses). This represents approximately 150–240% of the company’s annual net profit of £425 million for FY2024, potentially erasing multiple years of earnings.

The era of accepting polite corporate apologies without meaningful action must end. Accountability is essential. Paying out insurance claims for preventable instances of gross negligence without consequences sends a dangerous message to every boardroom and global insurer about the true cost of security complacency.

Business Model Sustainability Assessment

With M&S already facing challenging market conditions prior to this breach, our analysis suggests that the combined financial impact—if insurance claims are denied and regulatory penalties are imposed—could force the company to make drastic strategic changes:

1. Cash Flow Crisis: With online sales representing approximately 30% of M&S’s total retail revenue and growing, the extended outage creates immediate liquidity challenges. The £60 million+ in lost sales already approaches what the company typically generates in quarterly profit across its entire operation.

2. Digital Transformation Derailment: M&S has invested over £500 million in digital transformation initiatives over the past three years; this incident puts these investments at risk and could negate years of digital progress at a time when competitors are accelerating their online capabilities.

3. Market Position Threat: In the highly competitive UK retail market, where profit margins typically range from 3-7%, the financial impact represents such a significant blow that competitors like Next, John Lewis, and fast-growing online specialists could rapidly capture M&S’s market share. Even a 5% permanent customer migration to competitors would represent hundreds of millions in lost lifetime customer value.

4. Closure of Underperforming Stores: To offset losses, M&S might accelerate closure of physical locations beyond the 110 stores already slated for closure under its current transformation plan, further reducing its high street presence and potentially triggering additional restructuring costs of £100-150 million.

5. Potential for Restructuring: In a worst-case scenario, M&S could be forced into significant restructuring. With a current debt-to-equity ratio of approximately 0.8 and this additional financial burden potentially increasing it to over 1.2, the company could face credit rating downgrades, higher borrowing costs, and pressure to divest portions of its business that have traditionally been core to its identity.

Regulatory Implications

As this situation continues to unfold, regulatory bodies are paying close attention. The Information Commissioner’s Office (ICO) has not yet made public statements regarding the incident, but cybersecurity experts anticipate potential investigations into compliance with data protection regulations.

Moving Forward

For SMEs observing this situation, the lesson is clear: Cybersecurity cannot be an afterthought, regardless of company size. The interconnected nature of modern business systems means vulnerabilities can quickly escalate from one organization to another, affecting partners and customers alike.

As Jenkinson and his team at CyberSec Innovation Partners continue monitoring the situation, they stress the importance of proactive security measures rather than reactive responses. “Organizations must implement continuous security monitoring and regular third-party security assessments to prevent finding themselves in similar situations,” Jenkinson advises.

SME Cyber Insights will continue to monitor developments in this ongoing situation. For expert cybersecurity guidance for your business, visit smecyberinsights.co.uk.

Andy Jenkinson is the CEO of CyberSec Innovation Partners, a leading cybersecurity firm specializing in identifying and remediating critical vulnerabilities in enterprise systems. Learn more at cybersecip.com.


About Andy Jenkinson

Group CEO CIP. Fellow Cyber Theory Institute. Director Fintech & Cyber Security Alliance (FITCA) working with Governments. Recognised Expert in Internet Asset & DNS Vulnerabilities.

Andy Jenkinson is a senior and seasoned innovative Executive with over 30 years’ experience as a hands-on lateral thinking CEO, coach, and leader.