M&S Cyber Attack transcript

Introduction

This is “What Just Happened?,” the podcast that looks at the biggest brand crises of our time, what they meant for organisational strategy and behaviour, and their lasting impact on our approach to crisis communication.

I’m Kate Hartley. And I’m Tamara Littleton. And together, we’ll delve into what happened, why it mattered, and whether it could happen again.

Episode

Tamara Littleton: Welcome to the latest episode of What Just Happened. Kate, what are we talking about today?

Kate Hartley: So today we’re talking about an event that, apart from anything else, led to quite a few people getting in touch with us to ask about preparing for something like this. So today we’re talking about the M&S cyber attack of 2025.

TL: And can you recap on what happened?

KH: Yeah, so it was over Easter bank holiday in 2025, so that was the 19th and 20th of April. M&S fell victim to what the CEO, Stuart Machin, said was a highly sophisticated and targeted attack. And what that meant was the customers couldn’t use their contactless payments or gift cards or their loyalty cards in store.

TL: And this was a busy time of year. So Easter bank holiday, beginning of the summer period. What did M&S do initially, and did they know how serious it was at this stage?

KH: So I don’t think they did know how serious it was initially. So in his first statement, which was on the 22nd of April, so they’d discovered the attack on the 19th, the first statement was on the 22nd. Machin said that M&S had called in cyber experts, obviously that’s the right thing to do. They’d taken down some of their systems and processes to protect customers, and at that stage, they were still saying that customer data was safe.

TL: So let’s talk through how it developed from there. The next day, M&S started taking some of its processes offline and said it wasn’t taking contactless payments and had paused its click and collect orders. But they were still taking online sales via the app and the website.

KH: They were, and I think that’s fairly typical in an attack like this. So there’s this idea of a minimum viable company, or MVC, which basically is what systems do you absolutely need to keep going in order to continue to function. So that might be things like essential production systems, payroll.

In the case of M&S, they decided that was the sales channel, so the app and the website. So the things that really matter and that you can’t do without, and then you close down everything else to protect the business.

TL: But it became clear pretty quickly that this was serious, and it then shut down online sales for a significant period of time.

KH: It was a really long time. So those online sales didn’t restart until the 10th of June, and even then, that was only for fashion and home delivery. So click and collect didn’t restart until August.

So that is a massive decision for a retailer to stop retailing, basically. So to put it in context, M&S takes around 3.8 million a day on clothing and home products from the website and from the app.

TL: So when did we find out that customer data had been taken?

KH: In May, so M&S confirmed that customer data had been stolen, including contact details. Which means things like name, home address, email, phone number, dates of birth and potentially order histories as well.

TL: So that is potentially enough to cause ID fraud, although no card details were stolen, I believe?

KH: Yeah, that’s correct. So on the 13th of May, an email went out to customers telling them all of that and advising them to change their passwords. Which kind of went against what they originally said at the beginning.

TL: And that is quite a long time after the initial hack. It is, isn’t it?

KH: And it’s even more so when you factor in something that was reported in Bleeping Computer, which is a publication that reports all these kinds of things, which said that the hackers could have been inside M&S systems from February, so a really long time before it was even discovered.

TL: Yeah, do we know where the hack started from?

KH: Yeah, it started in their supply chain. I think this is really interesting, because we get a lot of questions about this, don’t we. In hacks, you tend to think, you know, how do you protect your own organisation? But actually, this was in the supply chain.

And it was a social engineering attack, which is again very typical. So that means that hackers steal security or login credentials of somebody, in this case tech support staff, by persuading them to hand over those credentials rather than doing it by brute force.

TL: We’re seeing so much of this, aren’t we. We really are. Yeah. And what did it cost M&S?

KH: Well, the Bank of America estimated that M&S was losing around 40 million pounds a week in sales, and its share price dropped as well. So it dropped 14.9%, which to be really honest, I mean, it’s not great obviously, but I don’t think it’s massively awful considering what it could have been.

And the share price did recover a bit in June when it started online shopping again, but it was still down 13% by August. Which is, you know, significant, but it could have been worse, I would say.

TL: The big question is, who was behind it?

KH: So about a week after that initial hack, it emerged the hacking group was a hacking collective called Scattered Spider. Which literally might, that’s just the worst possible name you can say to you and me, isn’t it. Terrified of spiders to start with, let alone scattering spiders.

Yeah, yeah, and they were using a ransomware-on-demand service, which again is something that kind of slightly exploded my brain. So that came from another group called DragonForce. So what that means is that any hacking group can basically rent DragonForce’s ransomware as long as they give DragonForce a cut of it. It’s kind of like an affiliate model. It’s amazing.

TL: I mean, I agree. It just blows my mind how organised this all is and the scale of the operation. Sometimes I start wondering, do they have like company values and employee of the month and that kind of thing.

KH: I think they probably do. Some of them have like customer service teams and tech support and all. It’s just amazing how organised all these groups are.

TL: But yeah, so anyway, getting back to the story, can we talk about how the rest of the industry responded? Because there was some support from other retailers, wasn’t there, supporting with supplying products, for example?

KH: Yeah, and I think that’s so interesting. That M&S was obviously running short on products, and fairly obviously shoppers were going elsewhere. But Bookers, which is the wholesaler that Tesco owns, supplied M&S with branded products.

And Tesco CEO, a guy called Ken Murphy, said he was helping out M&S in any way that they could. And they later did the same thing for Co-op when it was also hacked.

TL: I love that. I think that’s pretty amazing. And I know, you know, it was short-term support, but it shows that it is possible for competitors to cooperate. And it really brings some humanity into this.

KH: It really does, doesn’t it. But the slightly cynical side of me says that I think an attack like this is so top of mind for everybody, but particularly for retailers, that nobody actually wants to sit back and take advantage of or gloat over another company that’s falling victim to something like this.

Because I think there probably is a bit of a feeling of that could have been us. And if it ever is, we might need that kind of support too.

TL: Yeah, no, I agree. So let’s talk about the communications challenges. How did M&S do? I remember them being quite proactive on the comms.

KH: They were, and I’m an M&S customer. We probably all are, but I’m an M&S customer, and I got that first email through that I thought was pretty good. It was signed off by the CEO personally.

And I know there are a few people that thought his tone was a bit familiar. He signed off with Stuart rather than his full name, but I know I was okay with that, and I thought it felt personal. It felt like he was taking accountability.

But I think after that initial thing, everything took a bit longer as they were getting to grips with how serious it was. And as we know, customers weren’t told to change passwords until the 13th of May.

TL: So I think it did sort of slow down a little bit after that point, and the CEO, Machin, continued to communicate quite personally, didn’t he? Is that a good or a bad thing?

KH: I think it’s mixed. I think generally, in something this scale, you need your CEO to be out front and centre, don’t you. But I do think there were a couple of things that I didn’t feel desperately comfortable with.

So there was one piece in particular I thought maybe was a bit of a misstep from a customer point of view anyway. On 26th of May, there was a piece in The Mail on Sunday which quoted Machin as saying that the hack was an incident, a setback, a bump in the road. Those are his words.

So he was saying it wasn’t a crisis, basically, and obviously that was trying to appease shareholders. So I get it, but I think that really risks undermining customers’ experiences of having had their personal data stolen.

TL: Yeah, it’s a difficult line to sort of take. And I suppose something that just comes up time and time again is that empathy piece, isn’t it. I guess it perhaps didn’t show enough empathy.

Yeah, but I guess the question is, ultimately, does it matter?

KH: That is the question, isn’t it. And you’d like to think that empathy always matters, but maybe you’re right, maybe it didn’t, because, you know, ultimately they’ve recovered, so perhaps it didn’t matter.

But there were other issues as well, and the big issue was his pay. So the M&S annual report, with unfortunate timing, came out in the middle of all of this in May, and we saw that his pay package had risen by nearly 40% to 7.1 million in the year to 30th of March. So literally sort of days before the hack.

TL: I mean, we’re not saying that had anything to do with the hack, but it was widely reported in the context of the hack. And presumably that will mean pressure on his pay going forward.

KH: Yeah, I think it was just unfortunate timing. I mean, M&S had been hugely successful, so of course that was structured into that pay deal.

I think it was just bad timing that it came out in the middle of this hack, and reportedly he stands to lose around 2.4 million in performance-related pay and reduced share values because of the drop in sales as a result of the attack.

TL: There’s also the ransom issue, the several million dollar question. Did they pay? Do we know?

KH: So M&S would never be drawn on whether they paid the ransom, even when they were asked by a select committee. But honestly, I can’t imagine they did, or I imagine that the systems might have been restored a bit quicker.

Or if they did pay them, they didn’t get very much for their money. I would say Co-op was hit with a similar attack shortly after M&S by the same group, and they categorically said to the same select committee that Co-op didn’t pay a ransom.

TL: And we know that some organisations will negotiate with the hackers, because sometimes to delay things, that’s quite a usual approach. Even though they don’t necessarily end up paying the ransom.

And others will pay the ransom even though they don’t admit it publicly, so we’ll never really know, I suppose.

KH: Yeah, exactly. I don’t think we will.

TL: So what do you think is the long-term outcome?

KH: Well, there were obviously ripples felt for other retailers, and we’ve seen that to an extent. M&S profits dropped significantly, but fairly obviously other stores saw some of the benefit from that.

So Next, in particular, saw an uplift in its sales during the attack, and although that dropped off to an extent, in October 2025 it posted a 10.5% increase in sales for the third quarter of the year. And Next also owns other brands like Reiss and FatFace.

But ultimately, and this is the bit I think is the most interesting of all of this, investors view this as a one-off. So M&S is predicting profit in the second half of 2025 and a recovery to the levels that it saw before the hack in 2024.

And there’s a quote on the BBC from somebody called Lucy Rumbold, who’s an equity research analyst at Quilter, who said that, because this is seen as a one-off, and this is a quote, normal trading can resume, and the positive story M&S had going prior to the cyber attack remains in place.

TL: And that is so interesting, because these are going to keep happening. But it does show just how important it is to have that reputation and that trust, and as you said, the positive story ahead of the crisis, so you can sustain a crisis like this.

And that, for me, is the biggest lesson from all of this. And we’ll go into more detail with our guest just after the break.

Break

TL: We’re delighted to be joined again by Jonathan Hemus, founder and CEO of Insignia, a specialist crisis management consultancy. And he’s also author of the excellent book Crisis Proof.

So welcome, Jonathan. And Jonathan, I’m going to jump straight in, if that’s okay. I’d really like to know how important was M&S’s reputation ahead of the crisis in determining how people responded to the attack.

Jonathan Hemus: Tamara, it was incredibly important. Your reputation going into a crisis, whoever you are, is incredibly important.

For someone with such a strong and clear reputation, it is a double-edged sword, because people really expect you to step up to that reputation and exemplify it in your crisis response.

So if you do that, and I believe M&S did, then it can be incredibly powerful and incredibly helpful. If you fall short and you don’t exemplify everything that’s good about your reputation, actually the damage can be even more than if you never had such a positive reputation in the first place.

The example I always give is, you know, if there were two airlines and they had a massive customer service issue, which of these two would actually suffer most? Would it be Virgin Atlantic or would it be Ryanair? Same incident. I think we know which of those two organisations would take a bigger hit than the other one.

So you’ve got to live up to what people expect of you, and that’s what M&S did.

KH: Jonathan, I don’t know what you’re talking about.

TL: Always been a fan of Virgin. It’s such an interesting thing, though, because you talk about it being such a trusted institutional brand.

Is that unique to M&S, then, do you think? And do you think that people intrinsically trusted M&S to do the right thing?

JH: So I don’t think it is unique to M&S. I do think that every organisation brings a reputation and expectations into a crisis.

And there are a whole number of organisations and individuals around whom there are very high expectations. M&S isn’t unique there.

If we think about, for example, in banking, First Direct has got a brilliant reputation for customer service, caring and being responsive. Again, a cyber attack that affected First Direct, they would lean into that reputation and that would carry them through.

If you think about individuals, think about Martin Lewis or Money Saving Expert, absolutely trusted to give unbiased, high-quality, consumer-focused advice. If that organisation or that individual were to encounter, let’s say again, a cyber breach, a data breach, they would have to step up and exemplify everything that they’ve done beforehand.

So it really counts. Not every organisation brings that in, but those that do have a real trump card. But they need to play that trump card well when the crisis breaks.

KH: Jonathan, you’ve worked with a huge number of leaders across all sorts of different organisations, I know. But let’s talk a bit about Stuart Machin’s response to the crisis, his personal response.

How do you think he did, and is that, broadly speaking, in line with what you would advise leaders to do?

JH: I think all three of us know that it’s very easy to sit here as armchair critics of leaders in crisis. Managing a crisis when you’re watching from the outside is a whole lot easier than when you’re in the middle of the turbulence that’s going on.

And within that context, there are things that I think Stuart Machin could have done better. But on the whole, I think he performed really well.

I think this was one of the best examples of leadership in a crisis. I think he fundamentally said the right things in the right way at the right time.

Yes, there could have been improvements. He was quick to communicate, the tone of voice was spot on, the frequency was good.

I think there could have been more communication later on, more frequent communication. One of the golden rules of crisis comms is that you need to communicate two or three times more frequently than you think you do in order to get that message through.

I think he was really good at treading the tightrope of keeping messaging consistent whilst also being tailored to the audience. So whether it’s investors, customers or colleagues, fundamentally the messages were aligned, but they were targeted to their individual needs.

He was personal, he was upfront. We have that initial announcement where it was signed by Stuart, literally signed by Stuart.

So yes, we could talk about it in more detail, but fundamentally he absolutely ticked all of the boxes of what an effective crisis leader should do and say.

KH: We might have slightly different views, I think, about the bump in the road comment, and I’m really interested to hear your take on that.

JH: So a couple of thoughts on the bump in the road comment.

One, I think we have now got to the point where data breaches are not new. Cyber attacks are not new. So I actually think there is increasing consumer tolerance of cyber attacks.

I’m not saying that everyone is happy if their data has been compromised, but I think there is a level of understanding that whatever organisations do, from time to time the cyber criminals will come through.

So I think the bump in the road comment would have been much more damaging five or six years ago, when data breaches were relatively new. Now, I think it is not a red flag to customers.

More than that, I think it is also a way of communicating that something bad has happened, we’re fixing it, but it’s not going to knock us off our stride, and we are going to continue to be successful going forward.

That’s an important message for investors. It’s an important message for colleagues and employees as well, because they need to have confidence that this isn’t something that’s going to destroy the business, that I’m going to have a job in a month or a year’s time.

So I can see the downside of the phrase, a bump in the road, but there are some real positives. And I think it was well judged, personally.

KH: And actually, I mean, the share price has shown that you are correct. I’ll take that, because M&S had a drop in share price, and that’s largely now been recovered, hasn’t it?

Yes. Do you think that mattered? Do you think investors were nervous at all? Was it in line with roughly what you’d expect in something like this?

JH: So absolutely, investors would have been nervous. All of the evidence over decades and decades of corporate crises is that in the immediate aftermath of a crisis, if the business is listed, their share price will drop by sometimes 10%, sometimes more.

And that is investors saying we have uncertainty. We don’t know how well the organisation is going to respond to this, we don’t know what’s going to happen next, and we don’t know how long it’s going to last.

So it is inevitable that there will be a share price drop in the immediate aftermath of a crisis. What we also know, though, is that what the organisation does and says, particularly in those first few days, has a massive influence over whether ultimately that share price does recover, as it has with M&S, or whether it plummets further.

Because actually, the management have proven not to be up to the job. So yeah, entirely predictable, and also pretty predictable that because M&S responded well, their share price recovered.

KH: Well, so can I go back to one thing about Stuart Machin’s response? The very first, I mean, the first public thing he did, obviously, was that very public communication to people.

And I’m an M&S customer, as I said earlier, and, you know, I thought it was great. What is the first thing you tell leaders to do in a situation like this?

JH: You might be able to guess my answer to this question, Kate, because we’ve talked about it before. But the very first thing any leader should do in a crisis is set their strategic intent.

And what strategic intent means, in simple terms, is what does success look like by the end of this crisis. And if Stuart Machin had decided that his strategic intent was to maintain customer trust, to maintain the support of his employees and to keep the confidence of investors, if that had been his strategic intent, and maybe it was, he did a pretty fine job of achieving it.

But you have to know what you’re seeking to achieve when the crisis breaks, because if you don’t, your efforts will be dissipated. You will do lots of things quite well, but nothing really well.

Knowing what your goal is enables you to focus your team, your communication, your messaging and your actions all in the same direction towards achieving that strategic intent.

TL: So I’m coming in with a slightly more controversial question, Jonathan, based on your experience. And you might not be able to tell me, but do organisations ever pay the ransom, and how do they actually approach ransom demands?

JH: So the short answer to that question is yes, absolutely, organisations pay ransoms. Obviously, it’s very hard to know exactly how many organisations pay, but literally this morning I was speaking with someone who does know a lot about what is going on within the cyber world behind the scenes.

His view was that over half of organisations pay the ransom, sometimes part of it, sometimes all of it. And we know in some of the recent examples, not necessarily M&S, but in some recent examples, there’s significant evidence that organisations paid ransoms.

And the reason people do that is kind of obvious. I think it’s the reason why cyber attackers are now turning very much to operationally focused businesses.

If you’re a car manufacturer, or you need to get food onto shelves and off shelves, or if you run a nuclear power station, if someone shuts your systems down, there is a massive cost, both financial and sometimes broader than that, a human cost, of not getting it back up and running really quickly.

So yeah, many organisations are paying ransoms. Clearly, aside from whether we think that’s ethical or not, the other challenge for organisations in doing that is once you pay the ransom, once word gets around amongst the cyber criminal fraternity, that here’s a soft touch, here’s someone who will pay their ransom.

So yeah, it’s a very, very tricky decision. I guess my only rudimentary piece of advice would be think about this beforehand.

Know that you may be the victim of an attack like this. Don’t wait until it’s happened to have a good old chat about what your stance would be, and have you got the right experts and consultants on hand to help you through that kind of situation.

KH: And we’ve definitely seen simulations, haven’t we, Jonathan, where people have sat in the room and you’ve asked the question, would you pay the ransom? And half the room says yes, and the other half says no.

And then there’s kind of huge argument about it. Really fascinating.

Can I ask a really stupid question that might be really stupid? Why don’t we know whether they pay? Because wouldn’t it turn up on the books?

JH: Now, I’m not an accounting expert, but I don’t believe that it would be publicly known or revealed. Some of the cost might be covered by insurance, of course, cyber insurance.

But yeah, I think it may not be publicly disclosed information. But I think, you know, in a number of recent situations, there is strong evidence and a strong belief that some organisations paid a ransom.

KH: The other thing I thought was really interesting is the response from the other retailers who are effectively helping out M&S, and then Co-op later on. And it’s such a competitive market normally.

Why do you think that was?

JH: I think there are a couple of reasons for that. Firstly, there’s kind of a clue in the name: a crisis is an extraordinary situation, and we often see at the worst of times the best of people and the best of organisations.

So actually there is an element of people just doing the right thing. I think there’s also recognition that it might be us next, and therefore we would want to be helped by our peers if that were to happen.

And I think broadening it out from the retail sector, we mentioned Virgin Atlantic earlier. Virgin Atlantic are a client, and you know what they say is, we fight tooth and nail commercially on a normal day, but if there’s ever an incident, we are all partners in the airline industry.

We are all friends together. We will collaborate, we will support, we will assist. So normal rules of engagement are suspended during a crisis.

And I think the final thing would be that when an organisation within a sector is damaged, often that can cause damage to the whole sector. So by protecting one of the players, it is helping to protect the sector as a whole.

TL: Jonathan, thank you so much for all of your insights. I’m going to just ask one last question, which is, what are the lessons for other organisations?

JH: I think some of the key lessons are, first of all, plan ahead. It is clear that M&S must have had robust crisis management plans, and it would seem that they were ready to go quickly.

And you can’t be ready to go, ready to communicate quickly, if you haven’t planned, trained and rehearsed in advance. It really helps to have leadership that wants to communicate and wants to do the right thing in a crisis.

And the final thing is to say that it requires courage to communicate in a crisis. It’s much more comfortable and much easier to keep your head down, to hope it goes away, to hope that someone might communicate on your behalf, maybe a trade association.

But true leadership in a crisis is about knowing what the right thing to do is, and then having the courage to do and say it.

Outro

You’ve been listening to “What Just Happened?” with Kate Hartley and Tamara Littleton. If you enjoyed the podcast, please subscribe, rate, and review.