Cyber security risk is no longer confined to IT departments: it’s now a board-level issue.

As our partner, Mimecast, highlighted in their State of Human Risk Report, human risk is now the biggest cybersecurity challenge for organisations in 2025. This year's cyber incidents involving Marks & Spencer and Co-op serve as a wake-up call for business leaders across the UK: both high-street giants suffered operational disruption and reputational scrutiny because of vulnerabilities in their third-party providers. These events underscore a growing reality: in today's interconnected world, a business is only as secure as the people, partners and suppliers it relies on.

For executive teams, these breaches are a timely reminder that cyber resilience must extend beyond your own organisation. Supplier risk management, incident response preparedness, and robust governance are now critical components of effective leadership and strategic oversight.

In this blog, our Cyber & Information Security Manager, James Scott, reviews what went wrong at M&S and Co-op, the potential impact of a cyber security breach and why you need to review your current cyber security posture.

Case studies: what went wrong at M&S and Co-op?

Marks & Spencer (M&S)

In late April 2025, attackers from the Scattered Spider/DragonForce group breached M&S via social engineering on a third-party contractor, not through direct system exploits.

The attackers encrypted systems with ransomware and compromised personal data – though not payment or password data – and online orders were halted for nearly seven weeks, costing up to £300 million in lost profits and £3.8m in daily sales losses.

The incident revealed missing multi-factor authentication, poor vendor access controls, segmentation gaps, weak monitoring, and slow recovery processes.

Co-op

Also attacked in late April/May 2025, Co-op suffered credential theft and the exfiltration of personal details belonging to millions of customers, though not financial data.

Swift shutdowns curbed the damage, but the incident still exposed vendor and remote access vulnerabilities, and monitoring that was reactive rather than proactive.

Key issues both cases shared:

  1. Poor vendor and supply chain access controls: social engineering enabled password resets without MFA or rigorous verification
  2. Lack of segmentation and least‑privilege enforcement
  3. Incomplete monitoring and alerting
  4. Delayed patching and slow recovery from backups
  5. Missing layered defences (such as MFA, EDR, network segmentation)

What’s at stake as a result of a cyber security breach?

Profit hit

M&S's online store – including its app – was shuttered for an extended period, and every day offline meant significant revenue loss: an estimated £3.8m per day. Overall, the attack is expected to reduce M&S's annual operating profit by roughly £300 million, around 30% of the previous year's profit. Insurance and cost-saving measures may recover some of this, but the net impact is undeniably huge.

Customer trust shaken

Both M&S and Co-op built their brands on reliability and quality. The cyberattacks undermined this image by causing errors, outages and empty shelves, directly affecting the customer experience. Customers expecting seamless service instead encountered apologies and inconvenience – a hit to both brands' reputation for dependability, and to M&S's in particular.

Data breach fears

News that personal data was stolen (even if limited to contact details and birthdays) raised concern among customers. Such breaches expose customers to a greater risk of fraud and scams: attackers might impersonate M&S or use the leaked information to trick people. This "increased risk of scams" has a real psychological impact, making customers feel vulnerable.

GDPR and regulatory scrutiny

The compromise of customer personal data (names, addresses, birthdates, order history) puts M&S under the microscope of privacy regulators. Under GDPR and UK data laws, M&S could face investigations or fines. Regulators have stressed that even if payment data wasn’t exposed, any personal data breach is taken seriously.

Legal and public fallout

In Scotland, a group of customers is pursuing an unprecedented class-action lawsuit against M&S, seeking compensation for distress and possible losses. The breach sparked widespread media and social media attention, forcing mass customer apologies and dealing a significant reputational blow to the retailer.

Supply chain chaos

M&S was forced to turn off its automated stock management systems and resort to manual processes. This led to empty shelves in stores and delayed restocking; fresh food, drinks and clothing deliveries were all affected, causing customer frustration and further lost sales.

Why it’s time to review your current security posture

The M&S and Co-op incidents illustrate a broader trend that UK executives can't afford to ignore. As a leader, it's no longer enough to ask whether your own systems are protected; you must also ask whether your suppliers are prepared. When did your board last stress-test your cyber strategy, not just for compliance, but for real-world resilience?

Cyber security must be viewed not as a cost, but as an enabler of trust, continuity, and long-term value. Now is the time to evaluate your organisation’s cyber strategy from the top down. At Arc, we’re helping businesses of all sizes to rethink their approach with managed detection, response, advisory services and a range of cyber security capabilities designed to scale, adapt and defend against fast-moving threats.

Cyber security is no longer "just IT's job": it's both a board-level and a business-wide priority. If your strategy hasn't evolved, the time to act is now. Talk to our team today.