What Would a CISO Ask When Reading About the M&S Cyberattack?
Hello folks,
I’ve been following this incident very closely over the past few weeks, and it’s clear that it has shaken almost the entire UK retail industry — not just with the M&S breach, but also with other targeted or attempted attacks on retailers like Co-op and Harrods.
The attack on Marks & Spencer (M&S) in particular is more than just another headline. It’s a real-world reminder of how fast things can unravel in a digital world—and how wide the impact can be.
This wasn’t just a tech issue. It shook operations, customer trust, and even hit the top leadership. Here’s what we know so far:
M&S was forced to suspend online orders, with in-store operations also affected.
Nearly 9.4 million customer records may have been compromised.
The attacker reportedly gained access through a third-party vendor—yet another reminder that your supply chain can be your weakest link.
It’s also been reported that the CEO’s bonus and remuneration will take a significant hit due to this breach.
When something like this happens, it’s normal to react with “Wah, lucky it wasn’t us.” But if you wear the hat of a security leader (or anyone who cares about protecting a business), the better mindset is:
“What can we learn from this?”
Here are the questions that came to my mind. Not to judge, but to learn.
1. How did they get in?
What was the entry point? Phishing? Compromised credentials? A supplier? If it's a case of credential misuse, were they using multi-factor authentication (MFA)? Was it enforced for privileged accounts?
2. How long were they inside?
This is always a tough one. If the attackers were inside for days or weeks before detection, that tells us a lot about gaps in visibility and detection. Was endpoint detection and response (EDR) in place? Was network activity being monitored?
3. What did they access and how fast?
If attackers got access to millions of customer records, you'd want to know: Were data access controls working? Was data encrypted at rest and in transit? Was there anomaly detection on large data pulls?
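The last question, anomaly detection on large data pulls, is the one a detection engineer can actually prototype. The following is an added illustration written for this post; it is not M&S code and not any vendor's product logic. It assumes an application access log where each line records who pulled how many customer records through which interface (the field layout, user names and interface paths are constructed for the example), builds a per-user baseline from an earlier window, and flags pulls in the later window that exceed an absolute cap, dwarf the user's normal volume, or use an interface that user has never touched before. A third-party support account that suddenly exports hundreds of thousands of rows at 02:00 trips all three rules.

```python
"""Flag unusually large customer-record pulls from sample access-log lines.

Added example for illustration only. The log format, account names and
interface paths below are constructed; they are not from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Constructed sample log: "<ISO-8601 UTC timestamp> <user> <interface> <rows_returned>"
SAMPLE_LOG = """\
2025-04-20T09:01:12Z svc_crm_sync api/customers/export 1200
2025-04-20T09:05:40Z svc_crm_sync api/customers/export 1150
2025-04-20T10:12:03Z alice.m ui/customer/search 35
2025-04-20T10:13:20Z alice.m ui/customer/search 42
2025-04-20T11:00:00Z vendor_support_3 ui/customer/search 20
2025-04-20T11:02:00Z vendor_support_3 ui/customer/search 25
2025-04-21T02:14:09Z vendor_support_3 api/customers/export 480000
2025-04-21T02:31:55Z vendor_support_3 api/customers/export 510000
"""


@dataclass
class PullEvent:
    ts: str          # fixed-width ISO-8601 UTC, so plain string comparison orders events
    user: str
    interface: str
    rows: int


@dataclass
class Finding:
    event: PullEvent
    reasons: list


def parse_log(text):
    """Turn the whitespace-separated sample format into PullEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, iface, rows = line.split()
        events.append(PullEvent(ts, user, iface, int(rows)))
    return events


def build_baseline(events):
    """Per-user typical pull size and the set of interfaces each user normally uses."""
    sizes = defaultdict(list)
    ifaces = defaultdict(set)
    for e in events:
        sizes[e.user].append(e.rows)
        ifaces[e.user].add(e.interface)
    return {u: mean(v) for u, v in sizes.items()}, dict(ifaces)


def detect_bulk_pulls(events, cutoff, abs_threshold=100_000, ratio=10.0,
                      new_user_threshold=1_000):
    """Score events at or after `cutoff` against the earlier events as baseline.

    Rules (thresholds are illustrative, not tuned for any real estate):
      absolute_threshold  - single pull at or above abs_threshold rows
      ratio_to_baseline   - pull is `ratio` times this user's typical size
      new_interface       - user is pulling through an interface unseen in baseline
      no_baseline         - unknown user pulling more than new_user_threshold rows
    """
    history = [e for e in events if e.ts < cutoff]
    window = [e for e in events if e.ts >= cutoff]
    typical, known_ifaces = build_baseline(history)
    findings = []
    for e in window:
        reasons = []
        if e.rows >= abs_threshold:
            reasons.append("absolute_threshold")
        if e.user in typical:
            if e.rows >= ratio * typical[e.user]:
                reasons.append("ratio_to_baseline")
            if e.interface not in known_ifaces[e.user]:
                reasons.append("new_interface")
        elif e.rows >= new_user_threshold:
            reasons.append("no_baseline")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in detect_bulk_pulls(parse_log(SAMPLE_LOG), cutoff="2025-04-21T00:00:00Z"):
        print(f.event.ts, f.event.user, f.event.rows, ",".join(f.reasons))
```

The point of layering three rules is that an absolute cap alone is easy to stay under by pulling in smaller batches, while a per-user ratio alone is noisy for genuinely bulk accounts such as the sync service above; the interface rule catches the case the post worries about most, an account (vendor or internal) stepping outside the access pattern it was provisioned for. In production the baseline window would be weeks rather than a day and the thresholds would come from the organisation's own data.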
4. How did the team respond?
We heard stories of chaos—staff using personal WhatsApp groups, some even sleeping at the office. This points to either a lack of preparedness, or a plan that existed on paper but not in practice.
So, the big question is: Was the incident response plan ever tested? Or just signed off during audits and forgotten?
5. Was the board kept in the loop?
When a crisis hits, board involvement is key. Did the board know enough about the state of cyber readiness before the incident? Were they briefed in real time during the incident response?
6. Could this be a supply chain breach?
With big retailers like M&S, there’s a long list of third-party systems and service providers. It’s fair to ask: Was this attack a direct hit, or did the attacker come in via a vendor or contractor (there is already a rumour about this)?
7. How did they manage public communication?
It’s not just about fixing the breach—it’s about owning the narrative. Did M&S notify affected customers quickly and clearly? Start offering remediation such as credit monitoring? Stay transparent without triggering panic?
8. Is this a wake-up call for the industry?
Yes. Always is. But more importantly, what are we doing differently after reading this? As CISOs, IT heads, and risk managers, we should walk into our next leadership meeting and ask:
“If this happened to us today, are we ready?”
“Would we find out fast enough?”
“Would we know what to say and who to call?”
Closing Thoughts
It’s easy to comment from the sidelines. But incidents like this aren’t just someone else’s problem. They’re a mirror—and the reflection isn’t always pretty.
If you’re in security, take this as your nudge to revisit:
Your detection and response strategy
Your board-level briefings
Your crisis comms playbook
And your relationships with IT, legal, and PR
Because when a breach hits, it’s not just about technology. It’s about trust, leadership, and execution under pressure.
That’s all for this week, folks.
Cheers,
Sivanathan