Marks and Spencer Vendor Cyber Rating & Cyber Score

Incident Types: The types of cybersecurity incidents that have occurred include Breach, Cyber Attack and Ransomware.

Total Financial Loss: The total financial loss from these incidents is estimated to be $66.03 billion.

Detection and Response: The company detects and responds to cybersecurity incidents through an incident response plan activated with yes (systems taken offline as precaution), and third party assistance with yes (cybersecurity experts engaged by harrods), and law enforcement notified with yes (metropolitan police and ncsc investigating), and containment measures with online orders suspended, containment measures with job listings removed, containment measures with affected systems isolated, and communication strategy with initial public disclosure (2024-04-21), communication strategy with limited updates (last statement on 2024-04-25), communication strategy with harrods assured customers of normal operations, and incident response plan activated with yes (m&s, harrods, co-op), and third party assistance with likely (m&s, co-op for forensic investigation), and containment measures with restricted internal it systems, paused internet access (harrods), containment measures with shut down parts of it systems (co-op), containment measures with suspended online orders (m&s), and remediation measures with partial restoration of online services (m&s), and recovery measures with ongoing (m&s), recovery measures with quick recovery (h&m, harrods), and communication strategy with public disclosures (all), communication strategy with customer apologies (h&m, m&s), and incident response plan activated with yes (co-op: proactive steps), incident response plan activated with yes (m&s: systems taken offline), and third party assistance with national cyber security centre (ncsc), third party assistance with national crime agency (nca), third party assistance with metropolitan police cyber crime unit, and law enforcement notified with yes (m&s: metropolitan police investigating), law enforcement notified with likely (co-op: not explicitly stated), and containment measures with shut down back-office/call center systems (co-op), containment measures with offline systems (m&s), and recovery measures with working to reduce disruption (co-op), and communication strategy with public statements (both companies), and containment measures with network segmentation (recommended), containment measures with isolation of affected systems (recommended), and remediation measures with centralized log management, remediation measures with real-time threat detection, remediation measures with patch/vulnerability management, remediation measures with identity and access control reforms (mfa, least privilege), and recovery measures with immutable backups (recommended), recovery measures with system restoration protocols, and communication strategy with transparency in public disclosures (recommended), communication strategy with stakeholder/regulator notifications, and and and incident response plan activated with yes (though details undisclosed), and containment measures with suspension of online orders, containment measures with partial halt of click-and-collect services, containment measures with isolation of compromised systems (presumed), and remediation measures with contract termination with tcs for help-desk services, remediation measures with review of third-party access controls, remediation measures with enhanced authentication for vendor logins (presumed), and recovery measures with restoration of online shopping platform, recovery measures with rebuilding supply chain operations, recovery measures with customer communication campaigns, and communication strategy with public disclosure of incident, communication strategy with statements to mps (uk parliament), communication strategy with investor updates, communication strategy with media responses, and enhanced monitoring with likely (though not explicitly stated), and incident response plan activated with likely (marks and spencer ceo initiated communications; incident response retainers mentioned as best practice), and third party assistance with cloud backup providers (e.g., amazon, google, microsoft), third party assistance with specialist third-party backup services, third party assistance with incident response retainers, and remediation measures with ceo-led transparent communication, remediation measures with cloud backups for data recovery, remediation measures with employee training on deepfake/phishing, and recovery measures with prioritization of critical applications (e.g., payroll, supplier payments), recovery measures with third-party support for restoration, and communication strategy with timely digital communications by ceo (marks and spencer), communication strategy with transparency with regulators/investors, and enhanced monitoring with early detection technologies for threat identification, and network segmentation with recommended as a defense measure, and enhanced monitoring with recommended for unusual access to shared resources, and incident response plan activated with yes, and containment measures with security measures implemented to contain the breach and prevent further spread of the malware, and communication strategy with customers advised to monitor their accounts for suspicious activity; updates to be provided as new details emerge, and containment measures with it staff worked remotely to contain the breach, and incident response plan activated with yes, and containment measures with contractor terminated, affected users notified, and remediation measures with identity theft protection services provided to affected users, and communication strategy with public disclosure, regulatory notifications, and third party assistance with cybernews (researchers), and communication strategy with filing with new hampshire attorney general’s office, and and incident response plan activated with workarounds implemented to maintain deliveries, and containment measures with order processing suspended, and communication strategy with regular updates provided to clients, and containment measures with shut down website, containment measures with paused in-store services, and remediation measures with investing hundreds of millions of pounds to bolster it systems, and communication strategy with public apologies from executives (e.g., barclays uk ceo vim maru)..

Common Attack Types: The most common types of attacks the company has faced is Ransomware.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Help desk, PhishingSIM SwappingMFA Fatigue, Third-party vendor (Adidas)Potential physical access (unguarded sockets/IoT for others), IT help desks (via social engineering), Third-Party Vendors (Compromised Credentials)Unmonitored EndpointsAPI Exploitation, TCS help-desk staff credentials (impersonation/social engineering), Phishing EmailsDeepfake Impersonation (Hong Kong Case) and Contractor access.

Average Financial Loss: The average financial loss per incident is $2.75 billion.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Customer Names/Contact Details (Adidas, Co-Op), Customer Information (M&S, No Specifics), , Customer Records (Co-Op: 6.5M), Potential Payment Information (M&S), Personally Identifiable Information (Pii), , Identity-Related Data, Customer data, Personal Identifiable Information (Pii), Kyc Information, Transaction Histories, Wallet Balances, , Names, Dates Of Birth, Addresses, Phone Numbers, Email Addresses, Order Histories, Store Coupons, Employee Records, Mobile App Infrastructure Data, , Student Records, Teacher Records, Patient Health Data, Corporate Data, , Children’S Data, Personally Identifiable Information, , Names, Emails, Purchase History, Shipping Addresses, Birth Dates, Phone Numbers and .

Incident Response Plan: The company's incident response plan is described as Yes (Systems taken offline as precaution), Yes (M&S, Harrods, Co-op), , Yes (Co-op: proactive steps), Yes (M&S: systems taken offline), , Yes (though details undisclosed), Likely (Marks and Spencer CEO initiated communications; incident response retainers mentioned as best practice), Yes, Yes, workarounds implemented to maintain deliveries.

Third-Party Assistance: The company involves third-party assistance in incident response through Yes (Cybersecurity experts engaged by Harrods), Likely (M&S, Co-op for forensic investigation), , National Cyber Security Centre (NCSC), National Crime Agency (NCA), Metropolitan Police Cyber Crime Unit, , Cloud Backup Providers (e.g., Amazon, Google, Microsoft), Specialist Third-Party Backup Services, Incident Response Retainers, , Cybernews (researchers).

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Partial restoration of online services (M&S), , Centralized Log Management, Real-Time Threat Detection, Patch/Vulnerability Management, Identity and Access Control Reforms (MFA, Least Privilege), , Contract termination with TCS for help-desk services, Review of third-party access controls, Enhanced authentication for vendor logins (presumed), , CEO-Led Transparent Communication, Cloud Backups for Data Recovery, Employee Training on Deepfake/Phishing, , Identity theft protection services provided to affected users, Investing hundreds of millions of pounds to bolster IT systems.

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by online orders suspended, job listings removed, affected systems isolated, , restricted internal it systems, paused internet access (harrods), shut down parts of it systems (co-op), suspended online orders (m&s), , shut down back-office/call center systems (co-op), offline systems (m&s), , network segmentation (recommended), isolation of affected systems (recommended), , suspension of online orders, partial halt of click-and-collect services, isolation of compromised systems (presumed), , security measures implemented to contain the breach and prevent further spread of the malware, it staff worked remotely to contain the breach, contractor terminated, affected users notified, order processing suspended, shut down website, paused in-store services and .

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Ongoing (M&S), Quick recovery (H&M, Harrods), , Working to reduce disruption (Co-op), , Immutable Backups (Recommended), System Restoration Protocols, , Restoration of online shopping platform, Rebuilding supply chain operations, Customer communication campaigns, , Prioritization of Critical Applications (e.g., Payroll, Supplier Payments), Third-Party Support for Restoration, .

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through U.S. prosecutors charged 5 alleged Scattered Spider members (November 2023), , Class-action lawsuit (Yale New Haven Health), .

Key Lessons Learned: The key lessons learned from past incidents are Employees should be trained to recognize and report cyber threats promptly. Organizations should foster a culture of transparent and timely communication of cyber threats.Proactive cybersecurity measures are significantly more cost-effective than reactive responses (up to 10x cost savings).,AI and Cybercrime-as-a-Service (CaaS) are democratizing cyber attacks, increasing threat sophistication.,Cyber insurance is becoming a necessity, with premiums reducible by up to 75% through measures like XDR, MFA, and vulnerability scanning.,Outsourcing cybersecurity improves IT efficiency, performance, and reduces downtime for 68% of businesses.,Strong cybersecurity credentials can drive revenue growth and customer trust, especially as consumers become more cyber-aware.Retailers must secure third-party vendors, smart building systems, and IoT devices to reduce attack surfaces. Rapid containment (e.g., Co-op’s IT shutdown) can mitigate ransomware deployment. Public-facing disruptions (e.g., payment outages) erode customer trust and revenue, highlighting the need for resilient backup systems and transparent communication.Proactive visibility across identity, access, and infrastructure is critical to detect threats early.,Centralized log management and real-time threat detection are essential to limit breach impact.,Zero Trust and network segmentation reduce lateral movement and blast radius.,API and application monitoring must be prioritized to detect anomalous activity.,Automated vulnerability management and patching reduce exposure to known exploits.,Security culture and human resilience (e.g., phishing training) are vital to mitigate insider threats.,Incident response plans must include immutable backups, clear communication protocols, and post-incident reviews.,Transparency in breach disclosures helps retain customer trust and brand reputation.Vendor access equals attack surface; third-party personnel and processes must be treated as part of the cyber footprint.,Social engineering (e.g., impersonation of help-desk staff) remains a critical vulnerability, bypassing technical defenses.,Outsourcing does not absolve the client of accountability for cybersecurity, regulatory compliance, or business continuity.,Contract renewal timelines should account for cyber risk assessments, especially for high-access vendors.,Transparency in incident communication is essential to mitigate reputational damage and stakeholder speculation.,Retailers must map 'critical vendors' and integrate them into cybersecurity strategies, not treat them as peripheral suppliers.,Disruptions to digital platforms (e.g., online shopping) can have immediate bottom-line impacts, including market share loss to competitors.Humans remain the weakest link in cybersecurity; advanced training (e.g., deepfake/phishing awareness) is critical.,Proactive cyber resilience requires board-level engagement and accountability.,Operational continuity relies on robust backups (cloud + third-party) and clear prioritization of critical systems.,Transparent, timely communication with stakeholders (customers, investors, regulators) is essential to mitigate reputational damage.,Third-party incident response retainers and cybersecurity providers can accelerate recovery and reduce burnout.Ransomware groups are evolving into cartel-like structures to consolidate power and resources.,Affiliate recruitment and branded variants increase the scale and complexity of attacks.,Partnerships with initial access brokers (e.g., Scattered Spider) amplify threat capabilities.,Aggressive tactics (e.g., defacing rival leak sites) disrupt the cybercriminal ecosystem.,Legacy ransomware code (e.g., Conti) continues to fuel new operations.Identity-related breaches are increasing in frequency and cost, with IT help desk bypass and social engineering emerging as significant threats. Organizations must prioritize securing their identity estate and consider adopting passwordless authentication and AI-driven cybersecurity measures.Insider threats pose significant risks, especially in third-party contractor relationships. Enhanced monitoring and access controls are critical for mitigating such breaches.The attack underscores the high stakes of cybersecurity in retail, where even brief outages can ripple through digital and physical operations. Retailers must adopt a layered defense strategy, including enforced multi-factor authentication (MFA), restricted remote access, and employee training to recognize social engineering attempts.Cyber-resilience must be treated as a board-level priority, with proactive risk management and governance embedded at the highest levels. The emotional and operational toll of cyber-attacks on victims is significant.Over 80% of attacks stem from misconfigured or unpatched systems. Stronger security fundamentals (patching, MFA, monitoring) can significantly reduce risks. Prevention is more cost-effective than reacting to attacks.Supply chain vulnerabilities amplify the impact of cyber breaches; follow-on attacks (e.g., vendor email compromise) are a risk; perishable goods sectors are lucrative targets due to tight timelines.Retailers are prime targets due to vast amounts of sensitive customer data; supply chain vulnerabilities pose significant risks.Recovery workflows must be designed for adversarial conditions. High-risk actions should trigger step-up verification, and self-service resets must preserve identity assurance rather than weaken it. Recovery processes are rarely treated as high-risk security events, creating a systemic flaw in identity security.Businesses should assume a cyberattack is a matter of *when*, not *if*. The financial sector must prioritize cybersecurity investments and resilience planning.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: 1. Treat recovery workflows as high-risk security events. 2. Implement step-up verification for high-risk actions. 3. Preserve identity assurance during self-service resets. 4. Redesign recovery processes to account for modern adversarial tactics like AI-driven impersonation and social engineering., Increase investment in IT systems, enhance monitoring and response capabilities, and prepare for inevitable cyber threats., Businesses of all sizes should prioritize cyber risk management, embed it into governance, and lead from the top. Enhanced vigilance and preparedness are critical given the rising threat landscape., Implement training and attack simulation training to help employees recognize and respond to cyber threats appropriately., Enhance cybersecurity measures for supply chain partners; implement network segmentation; adopt adaptive behavioral WAF; use on-demand scrubbing services; monitor for follow-on attacks like vendor email compromise., Conduct regular audits of vendor cybersecurity practices, especially for help-desk and privileged access roles., Develop incident response playbooks specifically for third-party breaches, including clear communication protocols., Enhance training for help-desk staff to detect and resist social engineering attacks (e.g., impersonation, phishing)., Adopt zero-trust principles for vendor access, minimizing standing privileges and enforcing least-privilege access., Review outsourcing contracts to include cybersecurity SLAs, liability clauses, and breach response obligations., Monitor dark web and underground forums for signs of compromised vendor credentials or targeted attacks., Integrate vendor risk management into enterprise cybersecurity frameworks, treating critical suppliers as extensions of internal systems., Implement stricter authentication for third-party vendor access (e.g., MFA and behavioral biometrics)..

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Cohesity Survey, and Source: TechRadar ProUrl: https://www.techradar.com, and Source: ESET (Jake Moore, Global Cybersecurity Advisor), and Source: Al Jazeera, and Source: The Guardian (Secureworks interview), and Source: UK National Cyber Security Centre (NCSC), and Source: Dynatrace & FreedomPay Report, and Source: Royal Institution of Chartered Surveyors (RICS)Url: https://www.theguardian.com/technology/2024/may/XX/rics-cyber-attacks-smart-buildings, and Source: M&S Public Disclosure, and Source: Harrods Statement (1 May 2024), and Source: Adidas Data Breach Notice (May 2024), and Source: ReutersDate Accessed: 2024-06-19, and Source: BleepingComputer, and Source: Darktrace (Nathaniel Jones, VP of Security & AI Strategy), and Source: Security Journal UK (October 2025 Edition)Url: https://www.securityjournaluk.com, and Source: Media reports on M&S cyberattack and TCS contract termination, and Source: Statements from M&S CEO Stuart Machin to UK Parliament, and Source: TCS public statements on the incident, and Source: TechRadar Pro - Expert InsightsUrl: https://www.techradar.com/pro, and Source: Duke’s CFO Global Business Outlook, and Source: Acronis Threat Research Unit (TRU), and Source: BleepingComputer or similar cybersecurity news outlet (implied), and Source: The Independent, and Source: Cybersecurity Ventures, and Source: RSA 2026 ID IQ ReportUrl: https://www.rsa.com/content/dam/en/resource/report/2026-rsa-id-iq-report.pdf, and Source: RSA 2026 ID IQ Report InfographicUrl: https://www.rsa.com/content/dam/en/resource/infographic/2026-rsa-id-iq-report-infographic.pdf, and Source: Brazilian ID IQ Report WebinarUrl: https://www.rsa.com/webinar/brazilian-id-iq-report, and Source: Cyber Incident Description, and Source: Cyber Incident ReportDate Accessed: 2025-06-XX, and Source: Coinbase Disclosure, and Source: Shiny Lapsus Hunters (SLH) Telegram Post, and Source: Armis, and Source: Cynet Security, and Source: Cybernews, and Source: New Hampshire Attorney General’s Office, and Source: Verizon 2025 DBIR, and Source: Total Assure, and Source: Cyble, and Source: BlackFog, and Source: Palo Alto Networks 2025, and Source: Sophos 2025, and Source: Coalition 2025, and Source: Trend Micro, and Source: Zscaler, and Source: SentinelOne, and Source: National Cyber Security Centre (NCSC) Annual Review, and Source: Etay Maor, Cato Networks, and Source: Gavin Millard, Tenable, and Source: Article describing the incident, and Source: Cyber Incident Description, and Source: Cyber Incident Description, and Source: Commons Treasury Committee, and Source: HSBC UK CEO Ian Stuart, and Source: Prof Oli Buckley, Loughborough University, and Source: Lisa Forte, Red Goat Cyber Security.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Initial Public Disclosure (2024-04-21), Limited Updates (Last Statement On 2024-04-25), Harrods Assured Customers Of Normal Operations, Public Disclosures (All), Customer Apologies (H&M, M&S), Public Statements (Both Companies), Transparency In Public Disclosures (Recommended), Stakeholder/Regulator Notifications, Public Disclosure Of Incident, Statements To Mps (Uk Parliament), Investor Updates, Media Responses, Timely Digital Communications By Ceo (Marks And Spencer), Transparency With Regulators/Investors, Customers advised to monitor their accounts for suspicious activity; updates to be provided as new details emerge, Public disclosure, regulatory notifications, Filing with New Hampshire Attorney General’s Office, regular updates provided to clients, Public apologies from executives (e.g. and Barclays UK CEO Vim Maru).

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Businesses urged to adopt proactive cybersecurity measures to mitigate risks from evolving threats (AI, nation-states, CaaS)., Customers advised to monitor communications from affected retailers for potential data breach notifications or protective measures., NCSC urged retailers to tighten cybersecurity; no specific advisories from M&S/Harrods, M&S warned of service disruptions; Harrods assured normal operations, Market Updates (M&S £300M Loss), Apologies And Service Updates (H&M, M&S, Co-Op), Data Breach Notifications (Adidas, Co-Op), , Public Statements Confirming Operational Status (Co-Op), No Specific Advisories Mentioned (M&S), , M&S Updates To Investors And Mps, Tcs Communications To Clients And Media, M&S Notifications About Service Disruptions, Apologies For Order Delays And Stock Shortages, , Ceo-Led Digital Communications (Marks And Spencer), Regulatory Reporting (Emphasized As Best Practice), Transparency About Breach Impact And Remediation Steps (Marks And Spencer), , Leaders should act quickly to secure their identity estate and prioritize actions to mitigate identity-related risks., Monitor accounts for suspicious activity; stolen data may be exploited in phishing schemes over the next 6 to 12 months, Affected users notified and provided with identity theft protection services, Government officials urge businesses to treat cyber-resilience as a priority, warning of intensified hostile activity. GCHQ Director emphasizes proactive risk management. and Regular updates provided to clients (supermarkets).

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Likely (M&S, Co-Op For Forensic Investigation), , National Cyber Security Centre (Ncsc), National Crime Agency (Nca), Metropolitan Police Cyber Crime Unit, , , Likely (though not explicitly stated), Cloud Backup Providers (E.G., Amazon, Google, Microsoft), Specialist Third-Party Backup Services, Incident Response Retainers, , Early Detection Technologies For Threat Identification, , Recommended For Unusual Access To Shared Resources, , Cybernews (researchers).

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Improve employee training and foster a culture of transparent communication, Increase Cybersecurity Budgets (77% Of Uk Businesses Planning To Do So)., Implement Xdr, Mfa, And Vulnerability Scanning To Reduce Insurance Premiums., Adopt Outsourced Cybersecurity Solutions For Specialized Expertise., Comply With Upcoming Regulations (E.G., Cyber Security And Resilience Bill 2025)., Position Cybersecurity As A Strategic Revenue Driver, Not Just A Protective Measure., , Vendor Security Audits (Adidas), It System Segmentation (Co-Op, Harrods), Offline Payment Fallback (H&M, M&S), , Deploy Unified Log Management And Real-Time Threat Detection Platforms., Enforce Zero Trust Architecture With Strict Access Controls And Mfa., Segment Networks To Limit Breach Impact And Lateral Movement., Enhance Api/Application Monitoring For Behavioral Anomalies., Automate Vulnerability Scanning And Prioritize High-Risk Patching., Integrate Security Awareness Into Organizational Culture Via Regular Training., Test Incident Response Plans With Simulations And Ensure Immutable Backups., Improve Post-Incident Communication Transparency To Retain Customer Trust., , Termination Of Tcs Help-Desk Contract (Though M&S Claims Unrelated To Breach)., Likely Review Of All Third-Party Access Controls And Authentication Mechanisms., Potential Adoption Of Zero-Trust Architecture For Vendor Access., Enhanced Monitoring Of Help-Desk Activities For Anomalous Behavior., Reevaluation Of Outsourcing Strategies To Balance Cost Savings With Cyber Risk., , Enhanced Employee Training On Emerging Threats., Implementation Of Third-Party Backup Solutions., Board-Level Cybersecurity Accountability., Adoption Of Early Detection Technologies., , Strengthen Iam Capabilities, Adopt Passwordless Authentication, Implement Ai-Driven Cybersecurity Solutions, Enhance It Help Desk Security Protocols, , Contractor terminated, affected users notified, identity theft protection services provided, regulatory notifications completed, Prioritize Cyber Risk Management, Embed Governance, Enhance Vigilance, , Improve Patch Management, Enforce Mfa And Least-Privilege Access, Enhance Monitoring For Lateral Movement, Secure Ai And Cloud Deployments, Invest In Employee Training For Social Engineering Awareness, , Bolstering IT systems, increasing cybersecurity investments, and improving incident response planning.

Ransom Payment History: The company has Paid ransoms in the past.

Last Ransom Demanded: The amount of the last ransom demanded was ['Likely (M&S, linked to DragonForce)', None].

Last Attacking Group: The attacking group in the last incident were an DragonForce ransomware group, ScatteredSpiderHostile nation-statesCybercriminal groups, Scattered Spider (Octo Tempest), DragonForce (suspected for M&S and possibly others), Scattered Spider (alleged for M&S), Scattered Spider, Scattered SpiderUnidentified Fraudsters (Hong Kong Deepfake Case), DragonForceDevman (affiliate)Scattered Spider (partner), Shiny Lapsus Hunters (SLH), Scattered Spider (UNC3944), DragonForce ransomware group, Clop ransomware gangVice SocietyLockBit 5.0Medusa ransomware gangInterlock ransomwarePay2Key ransomwareSafePay ransomware, ChinaRussiaIranNorth Koreacriminal groupshacktivist groups and Cybercriminals.

Most Recent Incident Detected: The most recent incident detected was on February 2024.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2026.

Most Recent Incident Resolved: The most recent incident resolved was on ['2024-06-XX (M&S, partial recovery ongoing)', None, None, None, '2024-06-XX (H&M, within 2 hours for most stores)'].

Most Significant Data Compromised: The most significant data compromised in an incident were Customer names/contact details (Adidas, Co-op), Customer information (M&S, no payment details/passwords), None confirmed (Harrods, H&M), , , Names, gender details, phone numbers, email and postal addresses, purchase history, fashion preferences categorized by gender and age, , Personal data (names, email addresses, phone numbers, KYC information, wallet balances, transaction histories), 156GB of company data, including backups and employee profiles, 62M students and 9.5M teachers (PowerSchool), 5.6M patient records (Yale New Haven Health), 1TB of data (NASCAR), 2.7M patients' health data (DaVita), 193M victims (Change Healthcare), 16.6M customers (LoanDepot), , , Customer data including names, emails, purchase history, shipping addresses, birth dates and and phone numbers.

Most Significant System Affected: The most significant system affected in an incident were Virtual machinesContactless paymentsClick-and-collectOnline ordering and Online order processingContactless paymentsClick-and-collect servicesWarehouse logistics (Castle Donington)Gift card/return processingJob application portal and Ecommerce, contactless payments (M&S)Internal IT systems, internet access (Harrods)Payments systems (H&M, in-store)IT systems (Co-op, leading to empty shelves)Third-party customer service (Adidas) and Back-office systems (Co-op)Call centers (Co-op)Servers (M&S, encrypted)Online ordering systems (M&S)App-based ordering (M&S) and and Online Shopping PlatformClick-and-Collect OperationsSupply Chain SystemsInventory ManagementStore Stocking Systems and local storagenetwork shares via SMB and and and and and HealthcareFuel distributionRetailIdentity securityEducationCasino operationsLoan services and government operationsessential servicesretailmanufacturingaviation and and WebsitesIn-store services and .

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was likely (m&s, co-op for forensic investigation), , national cyber security centre (ncsc), national crime agency (nca), metropolitan police cyber crime unit, , cloud backup providers (e.g., amazon, google, microsoft), specialist third-party backup services, incident response retainers, , Cybernews (researchers).

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Online orders suspendedJob listings removedAffected systems isolated, Restricted internal IT systems, paused internet access (Harrods)Shut down parts of IT systems (Co-op)Suspended online orders (M&S), Shut down back-office/call center systems (Co-op)Offline systems (M&S), Network Segmentation (Recommended)Isolation of Affected Systems (Recommended), Suspension of online ordersPartial halt of click-and-collect servicesIsolation of compromised systems (presumed), Security measures implemented to contain the breach and prevent further spread of the malware, IT staff worked remotely to contain the breach, Contractor terminated, affected users notified, order processing suspended and Shut down websitePaused in-store services.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Personal data (names, email addresses, phone numbers, KYC information, wallet balances, transaction histories), 1TB of data (NASCAR), Customer names/contact details (Adidas, Co-op), Names, gender details, phone numbers, email and postal addresses, purchase history, fashion preferences categorized by gender and age, Customer information (M&S, no payment details/passwords), Customer data including names, emails, purchase history, shipping addresses, birth dates, and phone numbers, 193M victims (Change Healthcare), 16.6M customers (LoanDepot), 2.7M patients' health data (DaVita), 156GB of company data, including backups and employee profiles, None confirmed (Harrods, H&M), 5.6M patient records (Yale New Haven Health) and 62M students and 9.5M teachers (PowerSchool).

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 7.5M.

Highest Ransom Paid: The highest ransom paid in a ransomware incident was No (refused to pay).

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was U.S. prosecutors charged 5 alleged Scattered Spider members (November 2023), , Class-action lawsuit (Yale New Haven Health), .

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Legacy ransomware code (e.g., Conti) continues to fuel new operations., Identity-related breaches are increasing in frequency and cost, with IT help desk bypass and social engineering emerging as significant threats. Organizations must prioritize securing their identity estate and consider adopting passwordless authentication and AI-driven cybersecurity measures., Insider threats pose significant risks, especially in third-party contractor relationships. Enhanced monitoring and access controls are critical for mitigating such breaches., The attack underscores the high stakes of cybersecurity in retail, where even brief outages can ripple through digital and physical operations. Retailers must adopt a layered defense strategy, including enforced multi-factor authentication (MFA), restricted remote access, and employee training to recognize social engineering attempts., Cyber-resilience must be treated as a board-level priority, with proactive risk management and governance embedded at the highest levels. The emotional and operational toll of cyber-attacks on victims is significant., Over 80% of attacks stem from misconfigured or unpatched systems. Stronger security fundamentals (patching, MFA, monitoring) can significantly reduce risks. Prevention is more cost-effective than reacting to attacks., Supply chain vulnerabilities amplify the impact of cyber breaches; follow-on attacks (e.g., vendor email compromise) are a risk; perishable goods sectors are lucrative targets due to tight timelines., Retailers are prime targets due to vast amounts of sensitive customer data; supply chain vulnerabilities pose significant risks., Recovery workflows must be designed for adversarial conditions. High-risk actions should trigger step-up verification, and self-service resets must preserve identity assurance rather than weaken it. Recovery processes are rarely treated as high-risk security events, creating a systemic flaw in identity security., Businesses should assume a cyberattack is a matter of *when*, not *if*. The financial sector must prioritize cybersecurity investments and resilience planning.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was 1. Treat recovery workflows as high-risk security events. 2. Implement step-up verification for high-risk actions. 3. Preserve identity assurance during self-service resets. 4. Redesign recovery processes to account for modern adversarial tactics like AI-driven impersonation and social engineering., Automate vulnerability scanning and prioritize patching based on risk/exploitability., Increase investment in IT systems, enhance monitoring and response capabilities, and prepare for inevitable cyber threats., Invest in advanced security measures such as XDR platforms, multi-factor authentication (MFA), and vulnerability scanning., Avoid paying ransoms to break the cycle, Conduct thorough post-incident root cause analyses to harden systems and share lessons industry-wide., Develop a communication strategy that prioritizes openness and honesty within 48 hours of an incident., Implement multi-layered defenses: MFA, adaptive behavioral WAFs, network segmentation, and enhanced monitoring., Retailers urged to enhance cybersecurity (NCSC advisory), Conduct regular audits of vendor cybersecurity practices, especially for help-desk and privileged access roles., Enhance training for help-desk staff to detect and resist social engineering attacks (e.g., impersonation, phishing)., Consumers advised to monitor bank activity and update passwords, Review outsourcing contracts to include cybersecurity SLAs, liability clauses, and breach response obligations., Integrate vendor risk management into enterprise cybersecurity frameworks, treating critical suppliers as extensions of internal systems., Prioritize cyber insurance to comply with upcoming regulations (e.g., Cyber Security and Resilience Bill 2025) and reduce premiums through risk mitigation., Establish clear protocols for reporting and responding to insider threats, Elevate cybersecurity to a board-level imperative with designated expertise (e.g., Virtual CISO)., Enhanced monitoring and real-time detection capabilities, Enforced multi-factor authentication (MFA), Monitor for unusual account activity, Conduct regular simulations of cyber incidents to test response plans and recovery timelines., Maintain separate third-party backups of cloud data to ensure rapid recovery of critical applications., Apply consistent patching and endpoint protection., Adopt a visibility-first security posture with centralized log management and SIEM capabilities., Enhance cybersecurity measures for supply chain partners; implement network segmentation; adopt adaptive behavioral WAF; use on-demand scrubbing services; monitor for follow-on attacks like vendor email compromise., Treat cybersecurity as a board-level priority tied to business continuity, not just an IT issue., Enforce multi-factor authentication (MFA), Develop incident response playbooks specifically for third-party breaches, including clear communication protocols., Develop playbooks for ransomware attacks, including offline payment contingencies., Invest in regular, scenario-based security training for employees to reduce human error., Layered defense strategy, Enhance employee training on physical security (e.g., unguarded network sockets)., Implement stricter authentication for third-party vendor access (e.g., MFA, behavioral biometrics)., Employee training to recognize social engineering attempts, Ensure transparent, timely communication with stakeholders, regulators, and customers during breaches., Restricted remote access, Monitor API traffic and application behavior in real time for early threat detection., Implement robust backup practices to mitigate encryption impacts., Businesses of all sizes should prioritize cyber risk management, embed it into governance, and lead from the top. Enhanced vigilance and preparedness are critical given the rising threat landscape., Implement training and attack simulation training to help employees recognize and respond to cyber threats appropriately., Restrict lateral movement via network segmentation., Implement network segmentation and Zero Trust principles to limit breach impact., Outsource cybersecurity to leverage external expertise, especially for SMEs lacking in-house capabilities., Develop and test incident response plans with tabletop exercises and immutable backups., Educate stakeholders on the financial and operational benefits of early cybersecurity investment., Multi-Factor Authentication (MFA) hardening recommended, Establish incident response retainers for immediate access to expert assistance during breaches., Monitor and address identity-related risks proactively., Audit and segment IoT/building management systems from critical networks., Defend against affiliate-based attacks by tracking emerging ransomware strains., Implement stricter access controls for contractors and third-party vendors, Enforce least-privilege access, MFA, and continuous monitoring for identity and access controls., Invest in employee training programs that address emerging threats (e.g., deepfakes, social engineering)., Provide regular security awareness training for employees and contractors, Prioritize passwordless authentication adoption., Secure board-level investment for proactive measures, Implement AI-driven cybersecurity solutions to enhance threat detection and response., Monitor for unusual access to shared resources (e.g., SMB)., Conduct user awareness training to prevent initial access exploits., Patch vulnerabilities promptly, Implement zero-trust architecture for third-party access., Adopt zero-trust principles for vendor access, minimizing standing privileges and enforcing least-privilege access., Enhance monitoring of internal systems for unauthorized access, Conduct regular red-team exercises simulating supply-chain and RaaS attacks., Shift from reactive to proactive cybersecurity strategies to mitigate financial and operational risks., Monitor dark web and underground forums for signs of compromised vendor credentials or targeted attacks., View cybersecurity as a revenue driver, not just a cost center, to gain competitive advantage and customer trust., Enhance IT help desk security protocols to prevent social engineering attacks. and Assess and strengthen identity and access management (IAM) capabilities..

Most Recent Source: The most recent source of information about an incident are BleepingComputer or similar cybersecurity news outlet (implied), Adidas Data Breach Notice (May 2024), SentinelOne, Article describing the incident, BleepingComputer, Darktrace (Nathaniel Jones, VP of Security & AI Strategy), UK National Cyber Security Centre (NCSC), The Independent, Armis, Cohesity Survey, Acronis Threat Research Unit (TRU), Dynatrace & FreedomPay Report, Total Assure, Cyber Incident Report, TCS public statements on the incident, Verizon 2025 DBIR, New Hampshire Attorney General’s Office, Al Jazeera, Zscaler, Lisa Forte, Red Goat Cyber Security, Harrods Statement (1 May 2024), Prof Oli Buckley, Loughborough University, TechRadar Pro, Brazilian ID IQ Report Webinar, Cynet Security, BlackFog, Commons Treasury Committee, M&S Public Disclosure, Coinbase Disclosure, Shiny Lapsus Hunters (SLH) Telegram Post, Coalition 2025, Gavin Millard, Tenable, Statements from M&S CEO Stuart Machin to UK Parliament, Media reports on M&S cyberattack and TCS contract termination, ESET (Jake Moore, Global Cybersecurity Advisor), Palo Alto Networks 2025, Cyble, Reuters, Cybersecurity Ventures, Security Journal UK (October 2025 Edition), Trend Micro, RSA 2026 ID IQ Report Infographic, Cybernews, Sophos 2025, Royal Institution of Chartered Surveyors (RICS), Duke’s CFO Global Business Outlook, Etay Maor, Cato Networks, RSA 2026 ID IQ Report, HSBC UK CEO Ian Stuart, National Cyber Security Centre (NCSC) Annual Review, Cyber Incident Description, TechRadar Pro - Expert Insights and The Guardian (Secureworks interview).

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.techradar.com, https://www.theguardian.com/technology/2024/may/XX/rics-cyber-attacks-smart-buildings, https://www.securityjournaluk.com, https://www.techradar.com/pro, https://www.rsa.com/content/dam/en/resource/report/2026-rsa-id-iq-report.pdf, https://www.rsa.com/content/dam/en/resource/infographic/2026-rsa-id-iq-report-infographic.pdf, https://www.rsa.com/webinar/brazilian-id-iq-report .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (general trend analysis; specific incidents may vary).

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Businesses urged to adopt proactive cybersecurity measures to mitigate risks from evolving threats (AI, nation-states, CaaS)., NCSC urged retailers to tighten cybersecurity; no specific advisories from M&S/Harrods, Market updates (M&S £300m loss), M&S updates to investors and MPs, TCS communications to clients and media, CEO-led digital communications (Marks and Spencer), Regulatory reporting (emphasized as best practice), Leaders should act quickly to secure their identity estate and prioritize actions to mitigate identity-related risks., Government officials urge businesses to treat cyber-resilience as a priority, warning of intensified hostile activity. GCHQ Director emphasizes proactive risk management., Regular updates provided to clients (supermarkets), .

Most Recent Customer Advisory: The most recent customer advisory issued were an Customers advised to monitor communications from affected retailers for potential data breach notifications or protective measures., M&S warned of service disruptions; Harrods assured normal operations, Apologies and service updates (H&M, M&S, Co-op)Data breach notifications (Adidas, Co-op), Public statements confirming operational status (Co-op)No specific advisories mentioned (M&S), M&S notifications about service disruptionsApologies for order delays and stock shortages, Transparency about breach impact and remediation steps (Marks and Spencer), Monitor accounts for suspicious activity; stolen data may be exploited in phishing schemes over the next 6 to 12 months and Affected users notified and provided with identity theft protection services.

Most Recent Entry Point: The most recent entry point used by an initial access broker were an Help desk, TCS help-desk staff credentials (impersonation/social engineering) and Contractor access.

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Days to weeks (undetected dwell time).

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Employee impersonation and unauthorized system access, Underinvestment in proactive cybersecurity measuresOver-reliance on in-house teams without external expertiseFailure to adapt to evolving threats (AI, CaaS, nation-state actors)Lack of comprehensive cyber insurance and resilience planning, Phishing vulnerabilitiesMFA fatigue exploitsLack of segmentation (warehouse/retail systems impacted), Third-party vendor vulnerabilities (Adidas)Insecure IoT/building systems (theoretical for Co-op/H&M)RaaS proliferation (DragonForce for M&S)Lack of payment system redundancy (H&M, M&S), Social engineering (MFA bombing, SIM swapping, phishing), Lack of centralized visibility into digital environments (logs, telemetry, user activity).Weak identity/access controls (stolen credentials, unmonitored endpoints).Siloed logging and delayed threat detection.Insufficient network segmentation enabling lateral movement.Unpatched vulnerabilities and poor API security.Inadequate security culture/training (phishing, social engineering risks)., Over-reliance on third-party vendor (TCS) for critical help-desk access without sufficient safeguards.Lack of robust authentication (e.g., MFA) for vendor logins, enabling credential theft via impersonation.Inadequate segmentation between M&S systems and TCS help-desk access, allowing lateral movement.Social engineering vulnerabilities in help-desk processes (e.g., scripted password resets).Complex outsourcing ecosystem with elevated third-party access, increasing attack surface., Human Error (e.g., falling for deepfake/phishing)Inadequate TrainingLack of Proactive Threat Detection, Exploitation of Conti’s leaked source code for new ransomware development.Leveraging affiliate networks to scale attacks (e.g., Devman, Scattered Spider).Use of SMB for lateral movement and network-wide encryption.Cartel-like coordination to dominate the ransomware ecosystem., Identity and Access Management (IAM) FailuresSocial Engineering AttacksIT Help Desk Bypass, Improper access by a contractor, lack of sufficient monitoring for insider threats, Reliance on digital supply chains, inadequate cybersecurity measures, and evolving regulatory complexities. Nearly half of surveyed retailers admit past breaches have left their systems inadequately secured., Unpatched systemsPhishingSupply chain vulnerabilitiesAI-driven attacks, state-backed threatsransomwarehacktivismexpanding digital attack surface, Poor cyber hygieneExpanding attack surfaces (cloud, AI, remote work)AI-driven tactics (phishing, deepfakes)Social engineering (e.g., ClickFix)Unpatched vulnerabilities and misconfigurations, Exploitation of vulnerabilities in global digital infrastructure, 1. Recovery processes rely on outdated assumptions (e.g., trust in human judgment, static knowledge-based questions). 2. Identity assurance is treated as disposable during recovery. 3. MFA effectiveness collapses during recovery due to weak verification requirements., Escalating cyber threats, IT system vulnerabilities, and increasing sophistication of attackers.

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Improve employee training and foster a culture of transparent communication, Increase cybersecurity budgets (77% of UK businesses planning to do so).Implement XDR, MFA, and vulnerability scanning to reduce insurance premiums.Adopt outsourced cybersecurity solutions for specialized expertise.Comply with upcoming regulations (e.g., Cyber Security and Resilience Bill 2025).Position cybersecurity as a strategic revenue driver, not just a protective measure., Vendor security audits (Adidas)IT system segmentation (Co-op, Harrods)Offline payment fallback (H&M, M&S), Deploy unified log management and real-time threat detection platforms.Enforce Zero Trust architecture with strict access controls and MFA.Segment networks to limit breach impact and lateral movement.Enhance API/application monitoring for behavioral anomalies.Automate vulnerability scanning and prioritize high-risk patching.Integrate security awareness into organizational culture via regular training.Test incident response plans with simulations and ensure immutable backups.Improve post-incident communication transparency to retain customer trust., Termination of TCS help-desk contract (though M&S claims unrelated to breach).Likely review of all third-party access controls and authentication mechanisms.Potential adoption of zero-trust architecture for vendor access.Enhanced monitoring of help-desk activities for anomalous behavior.Reevaluation of outsourcing strategies to balance cost savings with cyber risk., Enhanced employee training on emerging threats.Implementation of third-party backup solutions.Board-level cybersecurity accountability.Adoption of early detection technologies., Strengthen IAM capabilitiesAdopt passwordless authenticationImplement AI-driven cybersecurity solutionsEnhance IT help desk security protocols, Contractor terminated, affected users notified, identity theft protection services provided, regulatory notifications completed, prioritize cyber risk managementembed governanceenhance vigilance, Improve patch managementEnforce MFA and least-privilege accessEnhance monitoring for lateral movementSecure AI and cloud deploymentsInvest in employee training for social engineering awareness, Bolstering IT systems, increasing cybersecurity investments, and improving incident response planning.