The cybersecurity saga engulfing British retail giant Marks & Spencer (M&S) took another dramatic turn this week, as its main website went dark during the night, sparking concern across the business and security community. The site was offline for several hours before resuming limited functionality shortly after 7:00am.
M&S attributed the outage to "overnight updates", a phrase that has done little to quell growing unease among customers and industry watchers. The downtime comes as the company grapples with the fallout from a major ransomware attack last month, which continues to cripple online operations. E-commerce capabilities have remained offline since 22 April, with full-service restoration not expected for weeks.
Behind the technical disruption lies a far more troubling truth: Marks & Spencer has for years failed to implement basic cybersecurity controls, leaving it exposed to precisely the kind of attack it suffered. Industry sources and analysts confirm that a range of internet-facing assets remained unpatched and unmonitored, creating clear pathways for exploitation.
These failures are not just technical oversights: they are potential violations of critical legal and regulatory frameworks. M&S is now believed to be in breach of multiple standards including the UK Data Protection Act, the UK GDPR and PCI-DSS, and commentators have also cited the Digital Operational Resilience Act (DORA), although DORA applies to EU financial entities and their ICT third-party providers, so its direct applicability to a UK retailer is far from clear. Each of these mandates exists to protect consumers and ensure organisations maintain a minimum standard of digital hygiene.
As public trust erodes and regulatory pressure mounts, cybersecurity experts are urging M&S to prioritise remediation efforts and overhaul its current security posture. Without urgent action, the retailer risks prolonged operational paralysis, customer data exposure, and heightened legal scrutiny.
This developing crisis serves as a cautionary tale for other UK businesses: cybersecurity negligence is no longer an internal IT problem; it's a boardroom and brand survival issue.