Marks & Spencer (M&S), known for its high-quality food, clothing and home products, is facing further disruption and ongoing online frustrations in the wake of the recent M&S cyber attack, attributed to the ransomware group known as Scattered Spider. This group is infamous for its sophisticated phishing techniques and previous high-profile attacks, including its 2023 Las Vegas attacks against MGM Resorts and Caesars Entertainment. It is thought that the ransomware DragonForce was used in this latest high-profile attack.
On 22 April 2025, M&S confirmed it had been the subject of a cyber attack after customers experienced difficulties with contactless payments and the Click & Collect service over the Easter weekend. The incident has been reported to the National Cyber Security Centre (NCSC) and relevant data protection authorities. The attack has also led to the temporary suspension of online orders and delays in delivery times, further impacting customer satisfaction and trust.
Comparison to Other Attacks
While cyber attacks on retailers are not uncommon, with the BBC reporting on 30 April 2025 that the Co-op had shut down parts of its IT systems as a preventative step against hackers attempting to gain access, the M&S incident stands out due to its scale and the nature of the disruption caused. Similar attacks have affected other major retailers, such as Morrisons and Currys, and more recently Harrods, but the M&S attack has led to significant operational and financial consequences. M&S is estimated to be losing over £3 million a day due to the suspension of online orders, and its share value dropped by around 7% in the days following the incident, wiping between £500m and £700m off its valuation. The financial impact of the attack will no doubt be compounded by the reputational damage and the logistical challenges of managing the fallout from the attack.
While M&S works to restore its services, other businesses can learn valuable lessons from this event and our Head of Commercial Law, Carla Murray, looks at essential steps businesses should take and the legal implications in the event that the hackers get in!
1) Activate Business Continuity and Disaster Recovery Plan:
a) When a cyber attack occurs, promptly activating a business continuity and disaster recovery plan can help to minimise downtime and restore operations swiftly. Your task force needs to quickly assess the impact of the incident to prioritise response efforts, and contain the attack by isolating affected systems and deploying measures to prevent further damage.
b) It’s crucial to notify stakeholders and to consider what notifications may need to be made to employees, customers and partners about the attack and the actions being taken. Engaging legal advisors can also ensure compliance with relevant laws and regulations, whilst coordinating with cybersecurity experts can aid the investigation and help to mitigate the consequences of the attack.
c) Keeping detailed documentation of the incident and the initial response will assist with any notifications that need to be made to the Information Commissioner’s Office (ICO), the regulatory authority responsible for data protection in the UK.
2) Make the necessary Data Breach Notifications:
a) Notifications: Under the UK GDPR, businesses are obligated to protect both employee and customer data. In the event of a data breach, a business may be required to notify the ICO and the data subjects whose data may have been compromised or accessed. Notifications should include detailed information about the nature of the breach, the data involved, and the steps being taken to mitigate the impact.
b) Who should be notified? Individuals must be notified of the breach where it poses a high risk to their rights and freedoms. The threshold for notifying the ICO is lower than this: a business must notify the ICO where the breach is likely to result in a risk to individuals’ rights and freedoms.
c) Time Scales: Businesses only have 72 hours from becoming aware of the breach to notify the ICO. Failure to do so can lead to severe penalties, including fines up to £17.5 million or 4% of annual global turnover, whichever is the higher amount.
3) Regulatory Investigations:
The circumstances surrounding the breach, the nature of the breach and its consequences all have a bearing on what action both the business and regulatory bodies may take. For example, a prolonged outage or an unknown extent of data accessed can trigger more in-depth investigations by regulatory bodies and may require reporting to the NCSC (the UK’s technical authority for cyber threats and information assurance). These investigations could examine a business’s cybersecurity practices, incident response protocols and compliance with data protection laws. Any deficiencies identified could lead to enforcement action being taken by the ICO, including fines and mandatory corrective measures.
4) Employee Communications and Workplace Disruption:
Clear and timely communication with employees during a cyber incident is crucial. Businesses should establish protocols to keep employees informed about the situation, the steps being taken to resolve it, and any changes to their work arrangements, as cyber attacks often cause operational disruptions. Such disruptions can affect employee work schedules and responsibilities. Businesses must therefore ensure that their employment contracts address such scenarios, including payment for lost working hours and procedures for handling temporary closures.
5) Commercial Exposure Risk Assessments:
A cyber attack may impact a business’s contractual obligations with its suppliers, partners, and service providers. The business may face delays in fulfilling orders, processing payments, and other operational disruptions, which could lead to breaches of contract and subsequent legal disputes. Businesses should review their contracts to understand their liabilities, rights and obligations and seek legal advice to navigate these challenges. This includes identifying any clauses related to liability, data breaches, and incident response. Businesses should notify their software providers and cybersecurity firms, as stipulated in their contracts, to ensure they receive the necessary support and potentially seek compensation for losses incurred. Reviewing these contracts helps the business manage the legal and financial implications of the attack.
6) Customer Communications and Compensation:
Customers affected by the disruption may seek compensation for any financial losses or inconvenience experienced. This could lead to a surge in legal claims against your business. If faced with such a claim, you should consult legal advisors for guidance. Maintaining clear and consistent communication with your customer base throughout an incident and following any investigation can help to maintain customer trust and demonstrate proactive efforts to address the issue.
7) Preventative Measures:
To mitigate the risk of future cyber attacks, businesses should consider the following measures:
- Review Employment Contracts: Ensure that employment contracts include provisions related to data protection, cybersecurity responsibilities, and procedures to follow in the event of a cyber incident.
- Implement Strong Cybersecurity Policies: Develop and enforce comprehensive cybersecurity policies that cover data protection, incident response, and employee training. Regularly update these policies to address emerging threats and ensure compliance with legal standards.
- Enhance Communication Protocols: Establish clear communication protocols for informing employees and customers about cyber incidents. This includes timely notifications, detailed explanations of the situation, and guidance on how to protect themselves from potential threats.
- Strengthen Commercial Agreements: Review and update commercial agreements with software providers and cybersecurity firms to include robust liability clauses and SLAs. This ensures that the business can seek compensation and receive adequate support during a cyber incident.
- Develop Business Continuity Plans: Create and regularly test business continuity and disaster recovery plans to ensure that the business can quickly resume operations after a cyber attack.
How We Can Help
Aside from the financial and reputational damage of the M&S cyber attack, the ongoing disruption it has caused the company highlights several critical issues in cybersecurity and business continuity, and serves as a stark reminder of the vulnerabilities businesses face in the digital age.
At Slater Heelis, we provide comprehensive support across all areas of law, including cybercrime, data protection and breach response and the preventative measures your business can implement. If you would like to discuss your requirements further with one of our specialist solicitors, then please fill out our online contact form or call 03300 297 347 for more information.