Written By: Anssi Laakkonen, Data Protection Specialist at Privaon
Marks & Spencer suffered a ransomware attack that led to the theft of customers’ personal data. We discuss proactive measures organisations can take against data breaches.
On April 19, 2025, Marks & Spencer (M&S), one of the UK’s leading retailers, discovered a significant cyber-attack that resulted in severe disruptions to its online ordering systems and reduced availability of food items in stores. The incident has drawn considerable attention not only for its immediate impact on M&S’s operations but also for the potential regulatory implications regarding data protection laws. The attack led to the theft of customers’ personal data, which may include information such as names, home addresses, phone numbers, email addresses, and dates of birth. However, M&S has stated that the breach did not include payment information or card details. In light of the breach, M&S has made efforts to communicate with affected customers, advising them to reset their passwords for accounts associated with the retailer.
The cyber-attack has been characterised as a ransomware incident. Reports indicate that the attackers used social engineering rather than a technical exploit: staff were deceived into handing over login credentials, and the access appears to have been obtained through a third-party service provider that had access to M&S’s IT infrastructure. In other words, the initial foothold came from abusing trust in people and suppliers, not from breaking the technology itself.
The Information Commissioner’s Office (ICO), the regulatory body responsible for enforcing data protection law in the UK, will likely investigate the incident. Under the UK General Data Protection Regulation (UK GDPR), a controller must notify the ICO of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms (Article 33). Given the number of affected customers and the nature of the stolen data, that exemption is very unlikely to apply here. Where the breach is likely to result in a high risk to individuals, the controller must also inform the affected individuals without undue delay (Article 34), which is consistent with M&S contacting customers directly. Depending on the findings, M&S may face scrutiny and potential penalties if it is determined that the company failed to implement appropriate technical and organisational safeguards to protect customer data.
The incident at M&S serves as a stark reminder of the necessity for all organisations, particularly retailers, to adopt robust data protection practices and controls to safeguard personal data. A critical aspect of this responsibility is the principle of data protection by design and by default (Article 25 UK GDPR). This principle obliges organisations to build data protection measures into their systems and processes from the outset rather than treating them as an afterthought. Below are actions that organisations can implement to mitigate risks and strengthen data security.
- Stronger Authentication Mechanisms: Organisations must prioritise strong multi-factor authentication (MFA) across their systems, and above all on remote access, administrative and third-party accounts. MFA requires users to present more than one form of verification before access is granted, so a stolen or divulged password alone is not enough. Common second factors are one-time codes generated by an authenticator app or sent to a mobile device, or biometric identification such as a fingerprint scan. One caveat matters for an incident like this one: a one-time code that an employee reads out to a convincing caller is still valid for the rest of its time window, so code-based MFA reduces but does not eliminate social engineering risk. Phishing-resistant methods (FIDO2 security keys or passkeys, which cannot be relayed by the user) should be preferred for privileged and remote access, and help-desk procedures for resetting passwords or MFA must verify identity just as rigorously as the login itself.
- Regular Training and Awareness Programs: Employee training is essential in fostering a culture of cybersecurity awareness within an organisation. Regular training sessions focused on identifying phishing attempts and social engineering tactics enable employees to recognise potential threats before they materialise. Organisations can establish ongoing training programs that include simulated phishing exercises to test employees’ responses. By empowering staff with the knowledge to identify suspicious activities, organisations can significantly mitigate the risk of unauthorised access to their systems.
- Third-Party Risk Management: Organisations increasingly rely on third-party service providers for various services, making it vital to ensure that these partners adhere to stringent cybersecurity protocols. Organisations should implement a comprehensive third-party risk management strategy that includes thorough due diligence before onboarding any vendor, continuous monitoring of third-party security practices, and contractual requirements for data protection compliance. By managing the risks associated with third-party vendors effectively, organisations can reduce their vulnerabilities to potential attacks.
- Data Minimisation Practices: Data minimisation is a fundamental data protection principle that stipulates organisations should only collect and process personal data that is necessary for their specific purposes. Conducting regular reviews of data retention practices can help organisations identify obsolete or excessive information stored about customers. By reducing the volume of personal data held, the impact of a potential breach would be significantly less severe, as there would be less sensitive information available for potential theft.
- Robust Incident Response Plans: An effective incident response plan is crucial for managing data breaches and minimising their impact. Organisations should develop and regularly test an incident response plan that outlines clear procedures for detecting, responding to, and recovering from data breaches. This includes establishing points of contact within the organisation, communication strategies for informing affected customers, and plans to collaborate with authorities during an investigation. A well-prepared response could alleviate some of the fallout from a breach and reinforce public trust in the organisation.
- Investing in Advanced Security Technologies: Organisations should leverage security technologies such as intrusion detection systems, firewalls and endpoint protection software to bolster their defences against cyber threats. Investing in monitoring tools improves an organisation’s ability to identify a breach quickly and respond with appropriate measures; in a credential-based intrusion, the telltale signs are often unusual logins and password or MFA resets rather than malware. AI-driven solutions that help prioritise and investigate alerts can further strengthen an organisation’s security posture.
Conclusion
The cyber-attack on M&S underscores the critical need for organisations to prioritise data protection through proactive measures and robust security practices. The principle of data protection by design and by default is not just a best practice but a regulatory obligation under the UK GDPR. By adopting this principle and embedding it into their organisational culture and operational processes, organisations can establish a resilient framework capable of safeguarding personal information and maintaining customer trust. In light of this incident, organisations must recognise the urgency of investing in cybersecurity infrastructure, comprehensive staff training, and stringent compliance with data protection regulations to avoid similar breaches in the future. Building a culture of data protection awareness and consistently reviewing and updating security measures will be essential in navigating the ever-evolving landscape of cyber threats.
We support companies worldwide—including those in the UK—in safeguarding their data and ensuring compliance. Don’t wait for a breach to expose vulnerabilities. Get in touch today and let us help you build a robust data protection strategy!