Opinion: The M&S cyberattack is another wake-up call for businesses of all sizes

  • Writer: Robert Salier
  • May 27
  • 2 min read

In late April, three of the UK’s most iconic retailers, Marks & Spencer (M&S), Co-op, and Harrods, all fell victim to the same ransomware attack. While Co-op and Harrods bounced back swiftly, M&S remains crippled. Its online operations are still largely offline, Click & Collect is unavailable, and the company is reportedly haemorrhaging over AUD$90 million in weekly revenue. The retailer has just disclosed that disruptions will continue until July.



This isn’t just a UK problem. It’s a cautionary tale for Australian businesses of all sizes. The M&S breach reveals critical lessons in cybersecurity, crisis management, and corporate accountability: lessons we ignore at our peril.



Lesson 1: Recovery plans must be fast, not aspirational


The M&S CEO recently claimed that customers will be able to shop online “within the next few weeks,” with momentum building through June and July. Translation? They’re rebuilding their entire software infrastructure, and probably their retail inventory, from scratch. That’s not a recovery; it’s a reconstruction project.


In 2025, there’s no excuse for this. With modest investment in automation and regular disaster recovery drills, any organisation should be able to restore core systems within hours or days, not months. The cost of preparedness pales in comparison to the cost of prolonged downtime.



Lesson 2: Your supply chain is part of your attack surface


The M&S CEO said that the criminals did not breach M&S systems; they breached the systems of one of M&S’s vendors (rumoured to be one of its major IT service providers).


M&S’s systems clearly were breached; the initial attack vector was simply a supplier. The CEO even described how: via social engineering, one of the most popular and common methods criminals use to breach an organisation.


In Australia, in the event of a breach, the OAIC holds company directors to account for ensuring that “reasonable steps” were taken to protect sensitive data. As all cybersecurity experts will attest, one of the biggest cybersecurity risks to any organisation is its suppliers. Suppliers form part of any organisation’s “attack surface”, so they need to be fully considered and integrated into cybersecurity strategy and implementation.



Lesson 3: Transparency builds trust. Spin destroys it


Describing a months-long disruption as a “bump in the road” is not just tone-deaf; it’s misleading. Customers have been locked out of online shopping for weeks. Shareholders are watching millions evaporate. Downplaying the severity of the breach only erodes trust.


Statements from the M&S CEO have the faint smell of those from the CEO of Optus after its 2022 breach, where inconsistent and inaccurate statements drew widespread criticism. M&S appears to be following the same script—and it’s not a good look.



Lesson 4: Crisis comms are not optional


When disaster strikes, the worst time to figure out your messaging is in the middle of the storm. Every organisation should have a crisis communications plan for major breaches, well considered and documented in advance. This plan should be an integral part of the organisation’s Disaster Recovery Plan, which should in turn be part of a broader Business Continuity Plan. Being caught flat-footed not only delays recovery—it damages your brand.



