Published May 15th 2025

A Wake-Up Call: Lessons from the M&S, Harrods and Co-op cyber attacks

Authors
Anne Todd
Tobe Obi

The recent cyber-attacks on Marks & Spencer, Harrods and the Co-operative Group are a sharp reminder of the far-reaching nature of cyber threats faced by all businesses.

The attacks appear to involve sophisticated social engineering including phishing and impersonation, together with ransomware deployed inside the victims’ networks resulting in major disruptions, including the suspension of online orders, job applications and the disconnection of some in-store and supply systems impacting stock deliveries.

The retailers acted swiftly, prioritising business recovery, taking steps to inform and reassure customers and co-operating with the National Cyber Security Centre and the Information Commissioner’s Office (ICO). However, there will be significant business, legal and regulatory consequences for the businesses. The full impact of the attacks is yet to be understood, and it is becoming clearer that the implications extend well beyond the severe interruptions to trading. At the time of writing, Marks & Spencer has announced that customers’ personal data has been taken by the attackers.

In this note we consider some of the key lessons from these attacks and we suggest some steps to prepare for and mitigate against similar attacks.

The human element: social engineering

While the technical components of a supply chain are often targeted by sophisticated hacking methods, the recent attacks highlight the growing threat of social engineering. Social engineering exploits human behaviour, manipulating people into granting access or bypassing safeguards. In the recent retail cases, the attackers reportedly impersonated IT support to convince helpdesks to reset administrator credentials. No malware was needed to gain that initial access, just a convincing story and an unprepared target.

Culture and awareness are paramount in defending against such tactics. Staff must be encouraged and trained to question unusual requests, particularly those purportedly coming from senior colleagues, IT or HR staff.

Measures which can be taken include:

  • Create data protection and information security policies. These should be kept under review and updated annually, or more frequently in response to changing threats. Ensure all staff and contractors are made aware of these policies and that they form part of staff handbooks.
  • Ensure regular staff training in data protection and information security (at least annually, and on joining for new employees). Gamified security awareness training tools, deployed across the whole workforce and focused on phishing simulations and real-world scenario training, can also create greater awareness.
  • Create social media policies and training to prevent unofficial company groups and posts with information about staff and the business that could aid social engineering.
  • Maintain audit records of staff training to assist in demonstrating to regulators that regulatory obligations have been complied with and in the defence of civil claims.
  • Implement additional verification. Multi-factor authentication is not infallible, so high-risk actions such as credential and access resets should be confirmed through a trusted secondary channel that the helpdesk looks up itself (for example, a call back to the number held on record), rather than through contact details supplied by the requester.
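To show how the "trusted secondary verification channel" control above can be expressed as a helpdesk rule, the following is an added illustration written for this note; it is not code from the article, from Michelmores or from any of the retailers mentioned. The account directory, the usernames and phone numbers, and the function names (`evaluate_reset`, `is_high_risk`) are constructed for the example. The rule is: the helpdesk only ever calls back on the number it holds on record, a privileged account additionally needs approval from the manager on record, and every decision is written to an audit trail of the kind the later bullet on audit records asks for.

```python
"""
Constructed helpdesk control for credential-reset requests (added example).

Encodes the control recommended in the text: a reset is confirmed over a
secondary channel that the helpdesk looks up itself, a privileged account also
needs manager approval, and each decision is recorded for audit.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed directory of record. The helpdesk consults this; it never relies
# on contact details or claims offered by the person on the phone.
DIRECTORY = {
    "a.smith": {"phone": "+44 7700 900100", "manager": "j.doe", "privileged": False},
    "j.doe":   {"phone": "+44 7700 900200", "manager": "c.exec", "privileged": True},
}


@dataclass
class ResetRequest:
    username: str                         # account the caller wants reset
    caller_claims_to_be: str              # identity the caller asserts
    caller_supplied_phone: Optional[str]  # callback number offered by the caller, if any
    verified_on_directory_phone: bool     # helpdesk rang the directory number and confirmed
    manager_approved: bool                # the manager on record confirmed the request


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: List[str] = field(default_factory=list)


def is_high_risk(username: str) -> bool:
    """Privileged accounts, and any account not in the directory, are high risk."""
    entry = DIRECTORY.get(username)
    return entry is None or entry["privileged"]


def evaluate_reset(req: ResetRequest, now: Optional[datetime] = None) -> Decision:
    """Apply the reset policy and return an allow/deny decision with an audit trail."""
    now = now or datetime.now(timezone.utc)
    audit = [f"{now.isoformat()} reset requested for {req.username!r} "
             f"by caller claiming to be {req.caller_claims_to_be!r}"]

    entry = DIRECTORY.get(req.username)
    if entry is None:
        audit.append("deny: account not in directory")
        return Decision(False, "unknown account", audit)

    if req.caller_claims_to_be != req.username:
        audit.append("deny: asserted identity does not match the account")
        return Decision(False, "identity mismatch", audit)

    # A number offered by the caller is not a trusted channel. If it differs
    # from the record, treat the request as a possible impersonation attempt.
    if req.caller_supplied_phone and req.caller_supplied_phone != entry["phone"]:
        audit.append("deny: caller-supplied phone differs from directory record")
        return Decision(False, "untrusted callback channel", audit)

    if not req.verified_on_directory_phone:
        audit.append("deny: no confirmation over the directory phone number")
        return Decision(False, "out-of-band verification missing", audit)

    if is_high_risk(req.username):
        if not req.manager_approved:
            audit.append(f"deny: privileged reset needs approval from {entry['manager']}")
            return Decision(False, "manager approval missing", audit)
        audit.append("allow: privileged reset confirmed by callback and manager approval")
        return Decision(True, "approved (privileged path)", audit)

    audit.append("allow: standard reset confirmed by callback")
    return Decision(True, "approved", audit)


if __name__ == "__main__":
    # Constructed scenario resembling the one in the text: a caller claims to be
    # a privileged user and offers their own number for the callback.
    suspicious = ResetRequest("j.doe", "j.doe", "+44 7700 900999", False, False)
    for line in evaluate_reset(suspicious).audit:
        print(line)
```

The audit list is the part worth keeping in a real deployment: it records who asked, what was checked and why the request was refused, which is the evidence a regulator or insurer will later ask for.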

Supply chain assurance

Increased reliance on digital supply chains and outsourcing of IT operations introduces additional risk: each supplier or component is a potential entry point for attackers, and a compromise at one of them can have widespread consequences. Organisations should map their digital ecosystems thoroughly, gaining visibility into who has access to what, and under what controls.

From a contractual perspective consider the following key actions:

  • Review procurement templates to ensure suppliers must comply with UK GDPR, including breach notification obligations, audit rights, and appropriate technical and organisational security measures and standards.
  • Consider developing a standard supplier information security policy to which all suppliers are required to adhere, including certifications such as Cyber Essentials or international standards (ISO), and obtain annual confirmation that those standards are being maintained.
  • Require suppliers to develop and keep updated business continuity plans and maintain data backups to enable effective data restoration.
  • Ensure that supplier security audits are taking place and that failings are followed up.
  • Assess minimum values for suppliers’ cyber insurance cover and establish a process to verify that cover is in place.

Business continuity and incident response plan

Breach mitigation begins long before an incident occurs; planning and preparation is key:

  • Ensure you have a business continuity plan which covers all key systems and data, including systems and data operated or managed by third parties. Keep this under regular review.
  • Create and keep updated the incident response plan. Identify key internal contacts, contact details and backup delegates, as well as external contacts including insurers, cyber breach experts, external lawyers and PR specialists.
  • Define roles and responsibilities, identify responsibilities for liaising with the insurers and external lawyers, internal communications, notifications to the ICO and other regulators, as well as other impacted parties, customers and media communications.
  • Establish internal communication procedures and protocols to avoid alerting attackers during the early response; for example, you may need to use an alternative secure e-mail system if the usual one may be compromised.
  • Arrange contracts with cyber breach response providers to enable rapid mobilisation, including the use of specialists to establish whether personal data has been stolen and made available to criminals, for example via the dark web.
  • Review the plan regularly to reflect changes in personnel and emerging risks, arrange desk-top exercises to rehearse it, and be prepared to mobilise quickly.

Legal and regulatory consequences

While the full legal ramifications of the recent attacks will take time to unfold, we can speculate that retailers will suffer significant legal and regulatory consequences, claims and losses. Insurance may go some way towards this, but it is very unlikely that a full recovery can be made, and the retailers will be facing substantial legal costs and losses in addition to the loss of profits due to the impact on trading.

These consequences may include:

  • loss of the organisation’s own data and IP assets and claims from customers and suppliers for breach of their IP and confidential information;
  • customer claims for compensation for breach of their statutory consumer rights, breach of contract or negligence;
  • customer and employee claims for compensation in respect of personal data breaches;
  • supplier claims for breach of contract or negligence;
  • Information Commissioner fines if there has been a failure to comply with the UK GDPR requirements to implement adequate security measures and to act swiftly and transparently in preventing and responding to breaches;
  • enforcement action and fines from the Competition and Markets Authority under the Digital Markets, Competition and Consumers Act 2024 if the retailers ignored best cyber security practice or misled consumers and potentially also claims from suppliers for breach of contract; and
  • claims for breach of directors’ duties.

To mitigate, organisations will need to be able to provide evidence of their compliance with statutory obligations and good information security governance.

Legal and regulatory compliance teams should be embedded in cyber security planning and the legal team should manage notifications to insurers, the ICO, other regulators, data subjects and others impacted by the breach.  Organisations and businesses that are active in regulated sectors such as banking or financial services may have additional compliance and notification obligations. Providers of essential services and digital services have additional obligations under the UK’s Security of Network & Information Systems Regulations (NIS Regulations) which set out legal measures to boost the level of security (both cyber & physical resilience) of network and information systems.  The regulations are due to be updated to bring them in line with the EU’s NIS2 Directive (Directive (EU) 2022/2555).

Along with the Data Protection Officer and the IT and information security team, legal advisors can evaluate current risks and mitigations and review policies, procedures and supply chain contracts to ensure they are fit for purpose.

Michelmores’ Cyber Security and Data Protection & Privacy teams are experienced in supporting organisations seeking to protect themselves against the risk of cyber attacks. We can help develop response plans, deliver table-top training exercises and guide our clients through incidents efficiently whilst addressing the complex legal and regulatory considerations.
