Did remote work cause this nearly $1-billion hack?

Giant British retailer still reeling as systems remain in disarray – some workers told to stay home

As Marks & Spencer reels from a devastating cyberattack that has shaved nearly $1 billion off its market value, questions are mounting over whether remote access may have provided the critical foothold hackers needed to penetrate the British retailer’s digital perimeter.

With services paralysed and internal systems thrown into disarray, the crisis has not only disrupted one of the UK’s most trusted brands but also revived a fierce debate about the cyber resilience of hybrid work environments.

Over the past week, customers were unable to place online orders, contactless payments failed at tills, and returns were suspended at some locations. Nearly 200 agency workers at the company’s Leicestershire distribution hub were sent home due to a lack of orders.

Internally, some staff working from home lost access to core systems as the company scrambled to contain the breach — a move security experts say is indicative of concerns over the role that remote connections may have played.

Targeted breach in decentralised era

Although M&S has not publicly attributed the breach to remote access vulnerabilities, cybersecurity experts believe the steps taken — particularly the disabling of virtual private networks (VPNs) used by home-based staff — point to a containment strategy aimed at preventing lateral movement across its IT estate.

“In hybrid environments, once a single weak device is compromised, the attacker can move rapidly through connected systems,” said Paul Walker, a cyber specialist at Forcientia. “The reality is that many companies don’t yet have full visibility over every endpoint in a hybrid setup.”

The ransomware-style attack, suspected to be the work of the Scattered Spider group, appears to have targeted critical backend servers, possibly compromising authentication files and deploying encryptors to lock virtual machines. Though details remain scarce, the incident may have originated months earlier, highlighting the often undetected gestation period of such breaches.

Painful setback for revived brand

The timing of the crisis could hardly be worse for M&S, which has been enjoying a reputational and financial rebound under chief executive Stuart Machin. The company is scheduled to report its full-year results in just three weeks.

Last year, its adjusted pre-tax profits stood at £716 million — a figure now under pressure as daily online sales, worth approximately £3.5 million, stall.

Shares in the retailer have slid 7 percent since last Tuesday, reflecting mounting investor anxiety. While the long-term reputational damage may prove limited, analysts warn that short-term customer attrition is almost inevitable.

Remote work: Double-edged sword

The latest attack exposes the enduring tensions between flexible work arrangements and robust cybersecurity. The expansion of remote access, accelerated during the pandemic, introduced a wider array of devices and networks into corporate ecosystems — many outside the reach of traditional IT controls.

Home routers, unpatched personal laptops, and even distracted human behaviour can present entry points for adversaries. The hybrid model reduces oversight and, crucially, fragments real-time collaboration, making it harder for staff to flag suspicious behaviour or phishing attempts.

M&S’s internal risk disclosures had already warned of elevated cyber risks stemming from its hybrid operations. That those warnings have now materialised so dramatically offers a stark lesson for companies nationwide.

Broader wake-up call

M&S is not alone. UK retailers, including Morrisons, JD Sports and Currys, have all suffered recent cyberattacks, some involving customer data breaches. The incident at M&S has again drawn attention to the need for coordinated national cyber preparedness.

The retailer has reported the breach to the Information Commissioner’s Office, as required within 72 hours, and is working with the National Cyber Security Centre. Private-sector firms Microsoft, CrowdStrike and Fenix24 have been enlisted to assist in response efforts.

But experts say containment is only the beginning. The post-mortem will likely delve into how remote working policies intersected with network vulnerabilities — and whether warning signs were missed.

“As long as attackers are innovating faster than defences are evolving, incidents like this will continue,” said Walker. “But we must ask whether we’re doing enough to secure the work-from-anywhere era.”

For M&S, the coming weeks will test not only its technical recovery but its ability to reassure customers and shareholders that the trust it has built over decades remains intact in the digital age.