M&S Cyberattack Wake-Up Call: Why “Low-Risk” Doesn’t Mean No Risk

When a data breach hits, most companies scramble to clean up the mess and reassure the public—and Marks & Spencer was no exception. In April 2025, the popular British retailer found itself in the middle of a cyberattack that its CEO described as “sophisticated.” But behind the corporate statements and technical terms lies a story that affects real people—millions of them.

M&S has been steadily releasing updates since the breach. The most recent came on May 13, when the company confirmed that yes, customer data had indeed been stolen. But they were quick to soften the blow: “The data does not include usable payment or card details, which we do not hold on our systems, and it does not include any account passwords.” Customers were told there’s no need to worry or take immediate action—though they’ll be asked to reset their passwords the next time they log in, just to be safe.

It’s good to see M&S being transparent. But there’s still a big unknown hanging in the air: how many people were actually affected? Last year, the company reported having around 9.4 million active online customers. That’s a lot of people potentially exposed. And brushing it off as “low-risk” might just lull folks into a false sense of security. Here’s why that could be a problem.

What You Need to Know:

  • M&S was hit by a major cyberattack in April. Customer data was stolen.

  • The stolen info didn’t include payment card numbers or passwords—but did include personal details.

  • Cybersecurity experts warn that even seemingly harmless data can be used for scams like phishing or identity fraud.

  • M&S hasn’t said how many customers were impacted. Password resets are being rolled out as a precaution.

  • Customers should stay alert. Turn on multi-factor authentication, be cautious with emails, and consider extra protections like virtual cards.

Even the Small Stuff Can Be Dangerous in the Wrong Hands

There’s a pattern we see all too often after a cyberattack. A company confirms it’s been hit, admits that some data was accessed, and then tries to downplay it. That’s exactly what happened with M&S. They said no passwords or payment details were taken—just some personal info. That sounds reassuring, right? But in reality, it highlights a much bigger problem in how we think about data security.

Hackers don’t always need your credit card number or password to do damage. Sometimes, all it takes is a name, phone number, or email address. This so-called “low-risk” data might not seem like a big deal, but in the wrong hands, it becomes a powerful tool. It’s exactly the kind of information used in phishing scams and social engineering tricks.

Crystal Morin, a cybersecurity expert at Sysdig, explained it perfectly when speaking to Techopedia. She said:

“Even the smallest pieces of information can be turned into weapons. Hackers don’t need much—they can use what they’ve got to launch highly targeted attacks like spear-phishing emails, fake phone calls, or even bombard you with MFA requests until you give in.”


And Ron Marsden, a developer at Maxweb Solutions, echoed the same concern. He told Techopedia:

“If a hacker knows you shop at M&S and has your name and email, that’s all they need to send a convincing email that looks like it’s from M&S. They might ask you to reset your password or confirm a fake order—and it can be incredibly believable.”


Marsden added that the goal isn’t always to steal from you right away. Often, it’s about earning your trust first—then using that trust to do real damage later.


Be Careful of Inference Attacks and Misleading Password Prompts

After the data breach, M&S tried to reassure customers by letting them know they’d need to reset their passwords before logging in again. It's a step in the right direction — but unfortunately, it's also exactly the kind of moment cybercriminals love to exploit.

Mike Logan, CEO of C2 Data Technology, which focuses on data security posture management, pointed out a deeper concern: this type of breach opens the door to inference attacks — a sneaky, quiet kind of threat that most people don’t even know exists.

So, what is an inference attack? It’s when hackers take small pieces of stolen information — like your name, email, or phone number — and combine them with public info to figure out more private things about you. Bit by bit, like putting together a puzzle, they can uncover usernames, parts of your password, or even guess answers to your security questions.

It doesn’t sound dramatic, but it’s incredibly effective. “People underestimate how clever modern hackers are,” Logan warned. “They’re very good at using scraps of data to build a much bigger, more dangerous picture.”

And it doesn’t stop there. Martin Jartelius, CISO at Outpost24, added that even “low-risk” data — like shopping habits or interests — can be used to target you with unwanted marketing or manipulative ads. Depending on what was exposed, you could start noticing ads that feel a little too personal.


What the M&S Breach Reveals About How Companies Handle Cyberattacks

This incident didn’t just expose sensitive customer information — it also revealed a harsh truth: many big companies still aren’t handling cyberattacks as seriously as they should.

With nearly 10 million online customers, M&S followed a familiar script — make a public statement, downplay the damage, and promise to tighten security. It's a routine that seems designed more for keeping up appearances than actually protecting people.

As cybersecurity expert Marsden put it bluntly: “‘Low-risk’ is just a PR term. In real-world security, all data loss is a risk.”

Marsden also acknowledged that while M&S was fairly open about the breach, it’s clear that their approach — like many others — is still reactive rather than proactive. “They were honest, which is good,” he said, “but this shows that a lot of companies still haven’t made the investment in real, forward-thinking security.”

According to experts, real protection needs to go far beyond just telling people to reset passwords. Logan emphasized that companies should be doing things like mapping out how their data flows and regularly checking for risks. On top of that, they should be using stronger defenses like zero trust systems and strict access controls.

Most importantly, when a breach happens, companies need to do more than protect their image. They need to protect their people.

John Yensen, President of Revotech Networks, hit the nail on the head: “Too often, companies focus on damage control and legal safety. But what customers really need is honest communication and quick, meaningful support.”

In the end, it’s not just about fixing the problem. It’s about how you show up for your customers when they need you most.


What M&S Customers Can Do to Protect Themselves

After a reported breach involving personal details like emails, names, and possibly phone numbers, Maxweb Solutions’ Marsden urges M&S customers to stay alert. He warns that scammers might use this info to send fake emails that look like real password reset requests. These can be incredibly convincing—and dangerous.

Despite that, David Currie, CEO of Vaultree, still recommends that your first step should be to reset your password—just to be safe.

Cybersecurity expert Yensen also shares a few practical ways to stay protected:

  • Use a separate email address just for M&S orders. That way, if phishing emails come through, they’ll be easier to spot—and won’t flood your main inbox.

  • Turn on multi-factor authentication (MFA) for your M&S account and any connected services. It’s an extra step, but it keeps unwanted visitors out.

  • If you can, use a disposable virtual card for payments. Many banks offer this, and it makes your real card details useless if they’re ever leaked.

  • Sign up for a free dark-web monitoring service. It’ll notify you if your email or phone number appears in a data leak, giving you a head start to act before things escalate.

  • Finally, consider removing your info from people-search sites like Whitepages or Spokeo. It’s not fun, but it reduces how much of your data is floating around the web.

The breach is unsettling—but these steps can help you feel more in control. A little caution now can save a lot of stress later.
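The advice above to be cautious with emails, and Marsden's warning about fake password-reset messages, both come down to one practical check: where does a link in the message actually point? The following is an added example, not code from the original article or from any of the companies it quotes. It assumes a placeholder brand domain (example-retailer.com, standing in for whatever the retailer really uses) and runs over a constructed sample message containing a genuine link, a look-alike domain, and a link whose visible text disagrees with its real destination.

```python
"""Check where the links in a 'password reset' e-mail really point.

Added example (not code from the original article or from any company it
quotes). It assumes the retailer's legitimate domain is example-retailer.com,
a placeholder standing in for the real brand domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder for the brand's genuine domain(s); substitute the real one.
EXPECTED_DOMAINS = {"example-retailer.com"}

# Constructed sample of the kind of mail the article warns about: one genuine
# link, one look-alike domain, and one link whose visible text disagrees with
# its real destination (198.51.100.23 is a documentation-only address).
SAMPLE_EMAIL_HTML = """
<p>We recently detected unusual activity. Please reset your password.</p>
<a href="https://www.example-retailer.com/account">Manage your account</a>
<a href="https://example-retailer-security.com/reset">Reset your password now</a>
<a href="http://198.51.100.23/login">https://www.example-retailer.com/login</a>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, domain):
    # Exact match or a subdomain. A real deployment would consult the
    # public-suffix list rather than rely on this simple suffix test.
    return host == domain or host.endswith("." + domain)


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(text, href, expected=EXPECTED_DOMAINS):
    """Return one of: 'genuine', 'display-mismatch', 'lookalike', 'off-brand'."""
    host = host_of(href)
    if any(belongs_to(host, d) for d in expected):
        return "genuine"
    # Visible text that is itself a URL but points elsewhere is the classic
    # phishing tell: the reader sees the brand, the browser goes somewhere else.
    shown_host = host_of(text) if text.startswith(("http://", "https://")) else ""
    if shown_host and shown_host != host:
        return "display-mismatch"
    # Brand name embedded in, or one or two edits away from, the sender's label.
    label = host.split(".")[0] if host else ""
    for d in expected:
        brand = d.split(".")[0]
        if brand in host or edit_distance(label, brand) <= 2:
            return "lookalike"
    return "off-brand"


def check_email(html, expected=EXPECTED_DOMAINS):
    """Classify every link in the message; anything but 'genuine' deserves a pause."""
    return [(text, href, classify_link(text, href, expected))
            for text, href in extract_links(html)]


if __name__ == "__main__":
    for text, href, verdict in check_email(SAMPLE_EMAIL_HTML):
        print(f"{verdict:17} {href}  (shown as: {text!r})")
```

Running the block over the sample message labels the three links genuine, lookalike and display-mismatch respectively. The point for a customer is the same one the article makes in prose: the only link that deserves trust is one whose real destination belongs to the brand's own domain, and the safest response to any reset email is to ignore its links and go to the retailer's site directly. The suffix test is deliberately simple; a production filter would use the public-suffix list and a larger look-alike dictionary.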


The Bottom Line

Even though M&S has tried to calm fears, a data breach of this scale is no small thing—and it shouldn’t be brushed off lightly.

Yes, the company has taken steps to manage the fallout, but now that it’s clear some customer data is in the hands of hackers, individuals need to stay alert. This kind of thing shakes your sense of trust—and understandably so. It’s not just about stolen information; it’s about the stress, the worry, and the “what ifs” that follow. If you’re a customer, now’s the time to be extra cautious with your digital presence. Unfortunately, the burden has shifted.


FAQs

1. Is the M&S cyberattack resolved?

Not yet. As of now, M&S is still struggling to get their online services back up and running. It's been weeks since the breach, and there's still no clear update on when things will return to normal. That uncertainty can be frustrating, especially for loyal customers trying to shop online.


2. Who is behind the M&S cyberattack?

A hacking group called Scattered Spider is being widely reported as the likely culprit. However, M&S hasn’t publicly confirmed this, leaving many people in the dark about who's really responsible.


3. How much does it cost to recover from a cyberattack?

Globally, the average cost of recovering from a cyberattack is a staggering $4.88 million, according to IBM’s 2024 report. For M&S, this incident could lead to insurance claims in the millions—not to mention the impact on customer trust and brand reputation.

