Marks & Spencer (M&S), known for its high-quality food, clothing and home products, is facing further disruption and ongoing online frustrations in the wake of the recent M&S cyber attack, attributed to the criminal group known as Scattered Spider. This group is infamous for its sophisticated social engineering and phishing techniques and for previous high-profile attacks, including its 2023 attacks against the Las Vegas casino operators MGM Resorts and Caesars Entertainment. It is thought that DragonForce ransomware was deployed in this latest high-profile attack.
On 22 April 2025, M&S confirmed it had been the subject of a cyber attack after customers experienced difficulties with contactless payments and the Click & Collect service over the Easter weekend. The incident has been reported to the National Cyber Security Centre (NCSC) and relevant data protection authorities. The attack has also led to the temporary suspension of online orders and delays in delivery times, further impacting customer satisfaction and trust.
While cyber attacks on retailers are not uncommon, with the BBC reporting on 30 April 2025 that the Co-op had shut down parts of its IT systems as a precaution against hackers attempting to gain access, the M&S incident stands out because of its scale and the nature of the disruption caused. Similar attacks have affected other major retailers, such as Morrisons and Currys, and more recently Harrods, but the M&S attack has had significant operational and financial consequences. M&S is estimated to be losing over £3 million a day while online orders remain suspended, and its share price dropped by around 7% in the days following the incident, wiping between £500m and £700m off its valuation. The financial impact of the attack will no doubt be compounded by the reputational damage and the logistical challenges of managing the fallout.
While M&S works to restore its services, other organisations can learn valuable lessons from this event and our Head of Commercial Law, Carla Murray, looks at essential steps organisations should take and the legal implications in the event that the hackers get in!
a) When a cyber attack occurs, promptly activating business continuity and disaster recovery plans helps to minimise downtime and restore operations swiftly. Your incident response task force needs to assess the impact quickly so that it can prioritise the response, and contain the attack by isolating affected systems and deploying measures to prevent further damage.
b) It is crucial to identify your stakeholders and consider what notifications need to be made to employees, customers and partners about the attack and the actions being taken. Engaging legal advisors helps to ensure compliance with the relevant laws and regulations, while coordinating with cyber security experts aids the investigation and helps to mitigate the consequences of the attack.
c) Keeping detailed documentation of the incident and the initial response, including logs and evidence preserved from affected systems before they are wiped or rebuilt, will assist with any notifications that need to be made to the Information Commissioner's Office (ICO), the regulatory authority responsible for data protection in the UK.
a) Notifications: Under the UK GDPR, organisations are obliged to protect both employee and customer data. In the event of a personal data breach, an organisation may be required to notify the ICO and the data subjects whose data may have been compromised or accessed. Notifications should describe the nature of the breach (including, where possible, the categories and approximate numbers of individuals and records affected), the likely consequences of the breach, and the steps being taken to mitigate its impact.
b) Who should be notified? Individuals must be notified where the breach is likely to result in a high risk to their rights and freedoms. The threshold for notifying the ICO is lower: an organisation must notify the ICO unless the breach is unlikely to result in any risk to individuals' rights and freedoms.
c) Time scales: Organisations must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If the full picture is not yet known, an initial notification can be made within the deadline and supplemented as the investigation progresses. Failure to notify when required can itself lead to a fine of up to £8.7 million or 2% of total annual worldwide turnover, whichever is higher, while infringements of the data protection principles, including the duty to keep personal data secure, can attract the UK GDPR's higher maximum of £17.5 million or 4% of turnover.
The circumstances, nature and consequences of a breach all have a bearing on what action the organisation and the regulators may take. For example, a prolonged outage or uncertainty about the extent of the data accessed can trigger a more in-depth investigation by regulatory bodies, and organisations should also consider reporting the incident to the NCSC (the UK's technical authority for cyber threats and information assurance), which can provide incident-handling support. Such investigations could examine an organisation's cyber security practices, incident response protocols and compliance with data protection laws. Any deficiencies identified could lead to enforcement action by the ICO, including fines and mandatory corrective measures.
Clear and timely communication with employees during a cyber incident is crucial. Organisations should establish protocols to keep employees informed about the situation, the steps being taken to resolve it, and any changes to their working arrangements, as cyber attacks often cause operational disruption that affects employees' schedules and responsibilities. Organisations should therefore ensure that their employment contracts address such scenarios, including payment for lost working hours and procedures for handling temporary closures.
A cyber attack may affect an organisation's contractual obligations to its suppliers, partners and service providers. The organisation may face delays in fulfilling orders, processing payments and other operational disruption, which could lead to breaches of contract and subsequent legal disputes. Organisations should review their contracts to understand their liabilities, rights and obligations, identifying any clauses relating to liability, data breaches and incident response, and seek legal advice to navigate these challenges. They should also notify their software providers and cyber security firms as stipulated in those contracts, so that they receive the necessary support and can, where appropriate, seek compensation for losses incurred.
Customers affected by the disruption may seek compensation for financial losses or inconvenience, which could lead to a surge in claims against your organisation. If faced with such a claim, you should consult legal advisors for guidance. Maintaining clear and consistent communication with your customer base throughout the incident and any subsequent investigation helps to preserve customer trust and demonstrates proactive efforts to address the issue.
To mitigate the risk of future cyber attacks, organisations should consider the following measures:
Aside from the financial and reputational damage, the ongoing disruption the attack has caused M&S highlights several critical issues in cyber security and business continuity, and serves as a stark reminder of the vulnerabilities organisations face in the digital age.
At Slater Heelis, we provide comprehensive support across all areas of law, including cybercrime, data protection and breach response and the preventative measures your organisation can implement. If you would like to discuss your requirements further with one of our specialist solicitors, then please fill out our online contact form or call 03300 297 347 for more information.