When Marks & Spencer’s systems went dark over Easter weekend 2025, the incident exposed critical vulnerabilities in how even Britain’s most established retailers manage data access. The sophisticated ransomware attack by the Scattered Spider group, using Dragon Force ransomware-as-a-service, ultimately cost M&S an estimated £300 million in lost profits and wiped over £1 billion from its market capitalisation.
The attack’s success along with its relatively low tech execution reveals a troubling reality: technical sophistication matters less than foundational data governance when it comes to preventing breaches.
How a Trusted Brand Fell Victim
The attackers didn’t exploit complex technical vulnerabilities. Instead, they used social engineering to impersonate staff and convince M&S’s helpdesk to provide legitimate contractor credentials from Tata Consultancy Services. Within hours, they had accessed customer data affecting thousands of people, including names, addresses, phone numbers, and purchase histories.
The timing proved particularly damaging. April 2025 saw UK retail sales jump 1.2% month-on-month—the fourth consecutive monthly increase and the longest growth streak since 2004. M&S had been experiencing strong momentum with 6% sales growth to £13.9 billion, including a near 9% surge in food revenue. The attack brought all of that to a halt.
At the time of writing, M&S’s online sales remained suspended. Customers cannot place orders, recruitment has been paused, and store operations still struggle with logistics, relying on manual workarounds. Suppliers such as Greencore had to “resort to using pen and paper” to fulfil orders, while M&S increased deliveries by 20% to prevent empty shelves.
Industry-Wide Implications
The M&S incident occurs against a challenging economic backdrop. UK inflation jumped to 3.5% in April 2025, while interest rates remained at 4.25%. In this environment, organisations cannot absorb prolonged operational disruptions without significant impact on their competitive position.
The contrast between M&S’s extended recovery period and Harrods’ successful defence suggests that data management maturity increasingly determines organisational resilience. Companies with robust governance frameworks, AI-powered security systems, and comprehensive access controls not only avoid catastrophic losses but maintain operational advantages during industry-wide disruptions.
Three Retailers, One Outlier
This was not the first attack by this group. Three major UK retailers were targeted by the same criminal group at around the same time. M&S fell victim and suffered massive operational disruption. The Co-op Group was also compromised and experienced significant impact.
Harrods, however, successfully prevented the attack with minimal damage.
While the specific details of Harrods’ defence remain confidential, industry sources suggest that robust data access controls and multi-layered authentication played a significant role in stopping the social engineering attack. That closed gate is a foundational data governance practice, and a data governance framework that includes it can be a key differentiator in how quickly an organisation identifies and mitigates data and operational risk.
The True Cost of Acting Later
M&S’s experience demonstrates that cyber incidents create cascading costs beyond the immediate technical response:
Financial Impact
The company reported £300 million in lost profits for the financial year, with analysts estimating £68 million in lost online orders by mid-May alone. The stock market reaction was severe, with over £1 billion wiped from M&S’s market capitalisation. Additional costs included IT recovery efforts, cybersecurity consultants, and operational inefficiencies throughout the recovery period.
Operational Disruption
The complete suspension of online operations for clothing, home, and gift products forced the company to revert to manual processes across distribution networks. This operational friction occurred during a seasonally strong period, amplifying the impact of any product unavailability or delays. Higher food wastage resulted from disrupted supply chain coordination, while the company struggled to maintain normal inventory management.
Strategic Setbacks
Leadership attention shifted from growth initiatives to crisis management, delaying innovation projects. The company compressed two years of planned IT upgrades into six months, creating additional resource strain. In a market where consumer confidence was already fragile due to broader economic pressures, the incident posed reputational risks that extended beyond immediate financial losses.
Compounding the Benefits of Preventative Data Governance
While M&S rebuilds its systems, the incident reveals how proper data management practices could have mitigated both the initial breach and its operational impact:
Data Access Controls and Monitoring
Data access governance reduces operational costs and mitigates risk by ensuring that the right users have access to the right data at the right time. Research shows that integrated security solutions can reduce incident response times by up to 40%, contributing to lower incident rates and more efficient security operations. Beyond protection, access control and monitoring enable:
- Identification of “abandoned data” that incurs annual storage costs while degrading overall data quality
- Lower cyber insurance premiums, as insurers perceive organisations with strong data access governance practices as lower risk
- Smoother collaboration across teams, since clearly defined data access leads to faster decision-making and project completion
Data Classification and Segmentation
Organisations with mature data management practices classify their data by sensitivity and implement corresponding access controls. Customer personal information, for instance, might be isolated from non-essential business systems and require additional authentication layers to access. Proper data classification mitigates many types of data risk and supports an architecture that prevents duplication:
- Organisations implementing effective data classification frameworks can reduce data-related risks by up to 30%
- Data governance eliminates duplicate data silos and rationalises overlapping data storage, maintenance, and licensing across the enterprise
- Content-based classification is highly effective for ensuring compliance, enhancing security, and improving data management across unstructured data, which is often leveraged by AI and other automated systems
Data Governance During Crisis
M&S’s prolonged recovery period highlights how critical data governance, as an enabler to business continuity, becomes during operational disruptions. Companies with well-documented data lineage and dependencies can make informed decisions about which systems to prioritise for restoration. Clear data ownership and stewardship roles ensure someone remains accountable for critical data assets even when normal operations are disrupted.
Beyond mitigating risk, research confirms that organisations with mature data governance report 60% higher AI project success rates and 40% faster time-to-deployment for advanced reporting, analytics, and ML models. Other key stats include:
- Poor governance costs the average firm £9.5 million a year in fines, re-work, and failed AI projects
- IDC projects that organisations can realise a benefit of £1,072 per impacted user per year through well-governed automation versus manual processes
- Poor data quality costs the average organisation a staggering £9.4 million every year
The question facing business leaders isn’t whether their organisations will encounter similar threats, but whether their current data management practices provide adequate protection against increasingly sophisticated attack methods.
Practical Steps Forward
Organisations examining their own vulnerabilities in light of the M&S incident might consider several areas for immediate attention:
- Access Controls & Monitoring: Auditing all third-party access to data systems, implementing multi-factor authentication for administrative functions, and deploying automated monitoring systems that flag unusual access patterns. Establishing role-based access controls with regular permission reviews ensures that data access aligns with business needs while maintaining security.
- Data Governance Framework Review: Conducting comprehensive assessments of current data classification schemes, ownership structures, and stewardship responsibilities. Organisations should evaluate whether their data governance policies adequately address third-party risk management and establish clear escalation procedures for data security incidents.
- Data Management Capability Uplift: Investing in advanced data lineage tracking, automated data quality monitoring, and integrated backup and recovery procedures that can be tested regularly. Building cross-functional collaboration between IT, security, and business units while developing data stewardship programs that distribute accountability throughout the organisation.
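One way to turn the monitoring point above into a concrete detection, as an added example that is not from the original article or any vendor's product: it flags a helpdesk credential reset on a third-party account that is followed, within a short window, by a sign-in from a device never seen for that account, which is the pattern the helpdesk-impersonation route described earlier would leave in an audit trail. The events, account names, device identifiers and the device inventory are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical accounts and devices, not real data):
# helpdesk password resets and sign-ins for a contractor account and an internal one.
EVENTS = [
    {"ts": "2025-04-18T09:02:00", "type": "helpdesk_reset", "user": "contractor-17", "actor": "helpdesk-ops"},
    {"ts": "2025-04-18T09:41:00", "type": "signin", "user": "contractor-17", "device": "dev-unknown-9f", "mfa": False},
    {"ts": "2025-04-18T10:15:00", "type": "signin", "user": "contractor-17", "device": "dev-unknown-9f", "mfa": False},
    {"ts": "2025-04-18T08:30:00", "type": "signin", "user": "jane.internal", "device": "dev-laptop-01", "mfa": True},
    {"ts": "2025-04-18T11:00:00", "type": "helpdesk_reset", "user": "jane.internal", "actor": "helpdesk-ops"},
    {"ts": "2025-04-18T11:20:00", "type": "signin", "user": "jane.internal", "device": "dev-laptop-01", "mfa": True},
]

# Assumed device inventory: devices each account has previously authenticated from.
KNOWN_DEVICES = {"contractor-17": {"dev-vdi-03"}, "jane.internal": {"dev-laptop-01"}}
# Assumed: accounts belonging to third-party suppliers, which get a higher base severity.
THIRD_PARTY_ACCOUNTS = {"contractor-17"}


def flag_reset_then_new_device(events, known_devices, third_party, window=timedelta(hours=6)):
    """Return one alert per (account, device) where a helpdesk credential reset is
    followed within `window` by a sign-in from a device never seen for that account.
    Third-party accounts start at 'high', internal ones at 'medium'; a sign-in
    without MFA raises the severity one step."""
    last_reset = {}   # user -> time of most recent helpdesk reset
    seen = set()      # (user, device) pairs already alerted on, to avoid duplicates
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "helpdesk_reset":
            last_reset[e["user"]] = t
            continue
        if e["type"] != "signin":
            continue
        reset_at = last_reset.get(e["user"])
        if reset_at is None or t - reset_at > window:
            continue  # no recent reset, or outside the correlation window
        if e["device"] in known_devices.get(e["user"], set()) or (e["user"], e["device"]) in seen:
            continue  # known device, or already reported
        severity = "high" if e["user"] in third_party else "medium"
        if not e["mfa"]:
            severity = {"high": "critical", "medium": "high"}[severity]
        seen.add((e["user"], e["device"]))
        alerts.append({
            "user": e["user"], "device": e["device"], "severity": severity,
            "minutes_after_reset": int((t - reset_at).total_seconds() // 60),
        })
    return alerts
```

On the sample data this yields a single critical alert for the contractor account and nothing for the internal user, whose post-reset sign-in came from a known device with MFA.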
Looking Ahead
The M&S incident – alongside the differing outcomes at Co-op and Harrods – provides valuable insights for organisations across industries.
It demonstrates that data management practices significantly influence not only competitive outcomes, but the very existence of trusted and longstanding institutions. Organisations should take this moment as an opportunity to examine their own data governance frameworks and access control systems.
As the business impact of the M&S incident continues to unfold, it serves as a case study in how data governance decisions play a key role in organisational resilience in an increasingly stormy business environment.
What data governance practices have proven most effective in your organisation during crisis situations? Get in touch to talk to our data experts.
Sean Russell
Managing Principal, Ortecha