Marks & Spencer’s cyberattack isn’t an exception - it’s a warning
Cyber attacks on retail are on the rise, and businesses are struggling to keep up

Marks & Spencer did the right thing by self-reporting its recent cybersecurity incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). That kind of transparency is essential, not just for managing reputational risk, but for limiting regulatory fallout.
Under UK GDPR, failing to protect personal data or report breaches promptly can lead to fines of up to £17.5 million, or 4% of global turnover. And if M&S handles EU customer data, it may also come under the scope of the EU’s NIS2 Directive, which can carry penalties of up to €10 million.
But let’s be clear, regulatory exposure is just one piece of the puzzle. The real test is how quickly and transparently an organization responds, and whether it had strong cyber resilience measures in place before the breach.
VP of EMEA, SonicWall.
A complex attack
At SonicWall, we saw that in 2024, organizations under critical attack remained in crisis mode for an average of 68 days. These aren’t smash-and-grab attacks, they’re persistent, they’re sophisticated, and they leave lasting damage. In M&S’s case, the attack has already caused weeks of disruption and knocked an estimated £700 million off its market value alongside an eye-watering £300m hit to profits.
Unfortunately, this isn’t an outlier. It reflects a broader trend we’ve tracked in our for quite some time: cyberattacks are becoming faster, smarter, and more aggressive. Threat actors are now exploiting newly disclosed vulnerabilities within 48 hours - far faster than most organizations’ patch management schedules. Retail is especially vulnerable, with its complex composable tech stacks, aging infrastructure, and inconsistent cyber hygiene.
Ransomware isn’t going anywhere
This incident also underscores a hard truth: ransomware is not going away. In fact, it’s thriving and becoming more accessible. A few years ago, attackers needed to write their own malicious code. Today, they can buy a ready-to-deploy ransomware kit for as little as $50 on the dark web.
Ransomware is uniquely damaging for retailers and any organization that provides direct, daily services. It doesn’t just steal data, it shuts down business operations. That makes it a powerful leverage tool for extortion. When every hour of downtime equals lost revenue, many victims feel pressure to pay just to resume operations.
And let’s not forget the broader ecosystem. Supply chain disruptions have already become a recurring issue over the past three years, driven by remote work, macroeconomic shocks, and increased digitization. A cyberattack at one point in the supply chain can ripple through others, compounding the impact. Organizations can’t afford to treat cybersecurity as someone else’s problem.
That’s why companies need to assume they will be targeted and build out layered defenses, clear incident response plans, and robust consumer notification processes. Regular training for employees on phishing, password management, and best practices must be a baseline. Regulators and industry groups should also push for greater transparency and enforceable standards to protect consumers and stakeholders from material damage when things go wrong.
Organizations are struggling to keep up
We’re in the middle of a perfect storm: rapid digitization, heavy third-party reliance, and the rise of financially motivated, well-organized cybercriminal groups. Retailers, in particular, offer a large and often soft target: their IT environments are sprawling and interdependent, and identity management controls are frequently weak. That’s a recipe for disaster.
We saw this play out in both the M&S and Legal Aid Agency breaches, where attackers used identity-based tactics and advanced social engineering to get in and move laterally.
In many cases, businesses are still trying to protect yesterday’s IT infrastructure from yesterday’s threats. Whether it’s misconfigured Active Directory, third-party IT suppliers, poorly implemented MFA, or outdated detection tools, the gaps being exploited today point to a much deeper issue: not just a tech gap, but a leadership and culture gap.
What needs to happen now?
Sadly, it’s probably going to get worse before it gets better. Attackers are innovating faster than defenders can respond. That means organizations need to rethink their priorities, fast. The top of the list should include:
- Strengthening identity and access management
- Investing in real-time threat detection and response
- Reducing third-party and supply chain risk
- Embedding security into the culture, from the boardroom to the front lines
Cybersecurity isn’t just an IT problem anymore, it’s a core part of business resilience. Companies that can’t recover quickly from a cyberattack may not recover at all.
Cyber’s “big one”
So what about that “big one” cyberattack people in the industry have warned about? It’s not just theory anymore. The tactics we’re seeing in retail and legal breaches (ransomware, credential theft, lateral movement) are exactly what could bring down critical infrastructure like healthcare, utilities, or government systems.
We haven’t seen a full-scale ‘black swan’ event in the UK yet. But if the current trajectory continues, it’s not a question of if, it’s when.
Unless we move faster and smarter across every sector, we risk being caught unprepared by a new generation of cyber threats that are already here.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.