
Learning from retail cyberattacks - our practical cybersecurity tips

The recent cyberattack on retail giant Marks & Spencer serves as a stark reminder of the escalating digital threats facing organisations and stakeholders alike. 

Beginning around the Easter weekend and causing disruption now expected to last into July, the ‘highly sophisticated and targeted’ attack heavily impacted M&S’s online transactions, Click & Collect and contactless payment services and is estimated to cost the company a staggering £300 million in lost profits this year. 

The retailer’s Operations Director confirmed that personal data relating to thousands of customers was stolen by the attackers, including contact details, date of birth and online order history. 

The CEO of the National Cyber Security Centre (‘NCSC’) commented that this cyberattack, together with the recent attacks on Co-op and Harrods, should act as a wake-up call to all organisations to ensure that they have ‘appropriate measures in place to help prevent attacks and respond and recover effectively’.

This article sets out the lessons learnt from these cyberattacks and provides actionable advice on how you can enhance your organisation’s cybersecurity and practise robust cyber hygiene to protect stakeholder data.

What are the most common types of cyber-attack?

The Cyber Security Breaches Survey 2025 recently published by the Department for Science, Innovation and Technology provides detailed statistics on the types of cyberattacks experienced by businesses and charities over the last 12 months. 

Phishing was the most prevalent type of cyberattack, experienced by 85% of businesses and 86% of charities that identified any breaches or attacks this past year. Phishing involves cyber criminals using scam emails, text messages or phone calls to trick people into sharing sensitive data, downloading malware or otherwise exposing themselves to cybercrime. 

Phishing attacks were followed by people impersonating organisations in emails or online, reported by 34% of businesses and 35% of charities that identified an attack, and then viruses or other malware reported by 18% of businesses and 14% of charities who identified an attack. 

Amongst those identifying any breach or attack in the previous 12 months, around half of businesses (52%) said they experienced a breach or attack at least once a month, and one in three said it happened at least once a week (29%). For charities, around two in five (39%) said they experienced a breach or attack at least on a monthly basis, and for one in five this was at least once a week (18%). 

What are the warning signs?

The NCSC has advised that the following warning signs may indicate that a data incident has occurred: 

  • computers running slowly; 
  • users being locked out of their accounts; 
  • users being unable to access documents; 
  • messages demanding a ransom for the release of files; 
  • people warning you of strange emails coming out of your domain; 
  • re-directed internet searches; 
  • requests for unauthorised payments; and 
  • unusual account activity. 

If you notice any of the above indicators, it is important that you report this internally as soon as possible, so that your incident response plan can be triggered.
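Two of the warning signs above, users being locked out of their accounts and unusual account activity, can be picked out of authentication logs automatically rather than waiting for a user to complain. The script below is an added illustration, not part of the original article or any NCSC guidance: it parses a few constructed log lines (the whitespace-separated format, the field order, the `ACCOUNT_LOCKED`/`LOGIN_SUCCESS` event names, the per-user baseline of countries and the thresholds are all assumptions) and flags lockouts of several different accounts from one source address within a short window, which looks like password spraying rather than one user mistyping a password, and successful logins from a country the user has never logged in from before.

```python
"""Flag two NCSC warning signs in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not taken from any real system.
# Assumed format: ISO timestamp, event, username, source IP, source country.
SAMPLE_LOG = """\
2025-04-19T02:14:05Z LOGIN_FAILED alice 203.0.113.7 RU
2025-04-19T02:14:09Z ACCOUNT_LOCKED alice 203.0.113.7 RU
2025-04-19T02:15:11Z LOGIN_FAILED bob 203.0.113.7 RU
2025-04-19T02:15:14Z ACCOUNT_LOCKED bob 203.0.113.7 RU
2025-04-19T02:16:40Z ACCOUNT_LOCKED carol 203.0.113.7 RU
2025-04-19T08:02:00Z LOGIN_SUCCESS dave 198.51.100.20 GB
2025-04-19T09:30:27Z LOGIN_SUCCESS erin 198.51.100.21 GB
2025-04-19T11:47:52Z LOGIN_SUCCESS erin 192.0.2.99 NG
2025-04-20T14:00:00Z ACCOUNT_LOCKED frank 198.51.100.5 GB
"""

# Constructed baseline (assumption): countries each user normally logs in from.
BASELINE_COUNTRIES = {
    "dave": {"GB"},
    "erin": {"GB"},
}


def parse_log(text):
    """Parse the assumed five-field log lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, event, user, ip, country = parts
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, "user": user, "ip": ip, "country": country,
        })
    return events


def find_lockout_bursts(events, window_minutes=10, min_users=3):
    """Return (source_ip, users) where one source IP caused lockouts of at least
    `min_users` distinct accounts inside any `window_minutes` window.
    Many accounts locked from one source in minutes is a password-spraying
    pattern; a single user locking themselves out is not flagged."""
    lockouts = sorted((e for e in events if e["event"] == "ACCOUNT_LOCKED"),
                      key=lambda e: e["time"])
    by_ip = defaultdict(list)
    for e in lockouts:
        by_ip[e["ip"]].append(e)
    window = timedelta(minutes=window_minutes)
    bursts = []
    for ip, evs in by_ip.items():
        start, flagged = 0, set()
        for end in range(len(evs)):            # sliding window over this IP's lockouts
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged |= users
        if flagged:
            bursts.append((ip, sorted(flagged)))
    return bursts


def find_unusual_logins(events, baseline):
    """Return (user, country, ip) for successful logins from a country not in the
    user's baseline. Users with no baseline entry are treated as having none,
    so every login of theirs is surfaced for review."""
    return [(e["user"], e["country"], e["ip"]) for e in events
            if e["event"] == "LOGIN_SUCCESS"
            and e["country"] not in baseline.get(e["user"], set())]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, users in find_lockout_bursts(evs):
        print(f"lockout burst from {ip}: {', '.join(users)}")
    for user, country, ip in find_unusual_logins(evs, BASELINE_COUNTRIES):
        print(f"unusual login: {user} from {country} ({ip})")
```

On the constructed sample the first detector reports one burst from 203.0.113.7 covering alice, bob and carol, and the second reports erin's login from NG. The thresholds are deliberately conservative; in practice they would be tuned against the organisation's own baseline of lockouts and travel patterns so that the alert is rare enough to be acted on.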

What should you do if you identify a cyberattack?

Your organisation should have an incident response plan to guide you in the event of a cyberattack, including measures to contain the attack, assess the scale of the incident and report it to the right people.

It is important to note that if the cyberattack has resulted in the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data, your organisation must report the incident to the Information Commissioner’s Office without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, your organisation must also inform those individuals without undue delay. Make sure that you keep an internal record of every personal data breach and of the actions you take in response, whether or not it is reported, to support any ICO report if required.

How can your organisation reduce the risk of a cyber-attack? 

Strengthen your organisation’s cyber defences in the following ways recommended by the ICO and the NCSC: 

1. Risk-based approach to cybersecurity

Cyber risk management should support your organisational objectives and be integrated into your governance structures and board-approved policies. Your organisation should seek to understand the scope of technology, systems, services and information that you use to achieve your organisational objectives and determine how this technology, systems and services interact and where the cyber risks may lie. Make sure that any cyber security risk management approach is communicated effectively to your staff, in a way that fits in with how your organisation talks about other types of risk. Be sure to regularly review any risks identified to ensure the way your organisation manages them remains effective and appropriate. 

2. Asset identification 

Identify, document and classify the personal data your organisation processes and the assets that process it. Assign a higher classification level to data that carries greater risk, such as large volumes of personal data, children’s data and special category data.

3. Staff education

Ensure all staff have a baseline awareness of cyberattacks such as phishing, impersonation and malware, and consider providing additional and specific security training for any staff with responsibility for IT infrastructure and security services. 

4. Access controls

Implement appropriately strong access controls for systems that process personal data. For internet-facing services, such as remote access solutions, enable multi-factor authentication or other equivalently strong access controls.

5. Vulnerability management

Implement a policy that defines your organisation’s approach to patch management, prioritising patches to internet-facing services as well as critical and high risk patches. 

6. Incident management

Ensure your organisation has a formal incident response plan in place providing written guidance on who to notify of breaches, the roles and responsibilities assigned to specific individuals during and after an incident, external communications and public engagement plans, and when to report incidents externally. Any such plan should have built-in contingencies for staff unavailability so that decisions can still be taken promptly to minimise disruption and meet reporting obligations.

7. Disaster recovery

Prepare disaster recovery and business continuity plans to support the organisation in restoring personal data in a timely manner in the event of a cyberattack. 

As the digital space continues to evolve, so will the threats facing organisations. This means that staying cyber secure will be an ongoing process and not a one-time fix. 

If you need advice on this process or how best to keep personal data safe, please contact Hetal Ruparelia or Georgia Maskell
