The £300M Phone Call: Why D2C Security Matters (And What Actually Works)
The 2025 retail cyberattacks reveal security gaps that affect D2C brands just as much as household names. Fractional CTO insights on protecting subscription revenue with practical, scalable security frameworks for brands under £50M.
Why M&S’s £300M Breach Should Change How You Think About Security
Here’s what kept me up last night…
M&S put the cost of its cyberattack at around £300 million in lost operating profit, and it started with a phone call. Not some exotic nation-state exploit. Just someone ringing their outsourced IT helpdesk, sounding convincing, and asking for password resets.
Harrods got hit twice in 2025—430,000 customer records stolen through a third-party vendor. Louis Vuitton, Cartier, and Kering (Gucci, Balenciaga) all faced similar breaches. The combined cost across UK retail? North of £15 million.
And here’s the uncomfortable bit… these aren’t security amateurs. They’re household names with proper IT teams. Which means if you’re running a £10M or £30M D2C brand, you’re definitely on someone’s target list.
But—and this matters—you don’t need enterprise budgets to protect yourself properly. You just need to understand what actually went wrong and fix the same handful of vulnerabilities that keep appearing.
Let me walk you through what happened and what it means for your business.
What Actually Happened in 2025
M&S: The £300M Phone Call
February 2025. Hackers from the Scattered Spider group (mostly English-speaking teenagers and young adults, bizarrely) called M&S’s outsourced IT helpdesk. They impersonated executives—using information from LinkedIn and previous breaches—and convinced staff to reset credentials.
By April, they’d deployed DragonForce ransomware. Online orders stopped. Click-and-collect failed. Even contactless payments died. Customer names, addresses, emails, purchase histories… all compromised.
M&S eventually terminated their contract with Tata Consultancy Services, the provider whose helpdesk was the entry point.
The lesson? Your outsourced vendors are part of your attack surface, whether you’ve thought about it that way or not.
Harrods: Compromised Twice Through Third Parties
First attack in April alongside M&S. Then in September, a third-party provider breach exposed 430,000 customer records.
What’s critical: Harrods’ own systems were never directly breached. The vulnerability was entirely in their vendor ecosystem.
Luxury Brands: The Pattern Emerges
Cartier in June. Louis Vuitton in July—143,000 customers affected across multiple countries. Kering in September with 7.4 million email addresses stolen, including total customer spending amounts.
The pattern? Attackers specifically targeted high-value customer data that could be monetised through sophisticated fraud. Subscription brands with recurring revenue and stored payment methods fit that profile perfectly.
The Real Costs (Without the Fear-Mongering)
UK data breach costs average £3.29 million. For financial services, £5.74 million.
But let’s be honest about what this means for a £15M ARR D2C brand. You’re not facing multi-million pound IBM averages. You’re more likely looking at:
£200k-£500k in immediate response costs (forensics, legal, notifications)
10-25% subscriber churn in the following quarter
3-6 months of depressed conversion rates as PR fallout plays out
Potential regulatory fines (UK GDPR allows up to 4% of global annual turnover or £17.5 million, whichever is higher, though first-offence penalties are typically far lower)
More worrying than the direct costs: the trust damage. Subscription businesses run on customer relationships. One breach headline can undo years of retention work.
The Third-Party Problem
This is the bit that should genuinely concern you.
52.4% of retail breaches originate from third-party vendors. Not your Shopify store. Not your website. Your email platform, your analytics tools, your fulfilment partner, your CRM.
And here’s why that matters specifically for D2C brands: you’re probably running 15-30 integrated tools. Each one accesses customer data. Each one has different security standards. You’re only as secure as your weakest vendor.
Supply chain compromises take 267 days on average to identify and contain. That’s nearly nine months of attackers sitting in your ecosystem, potentially watching subscription patterns, payment methods, customer lifetime values… everything.
What Actually Works (The Practical Bit)
Right, let’s talk about what you can realistically do without hiring a CISO or spending six figures.
The 60-Minute Security Check
Block an hour this week. Seriously. Go through these five areas:
1. Your Vendor Access
List every vendor with customer data access. All of them. Shopify apps, email platforms, CRM, fulfilment, helpdesk tools, analytics… everything.
Ask each vendor:
Can you share a current SOC 2 Type II report or ISO 27001 certificate, and what scope does it cover? (SOC 2 is an auditor’s report rather than a certification; the report, not the badge on the website, is what you want to see.)
What’s your incident response protocol?
When did you last have a security audit?
If you can’t get satisfactory answers, that vendor is your biggest risk.
2. Who Has Admin Access
M&S was breached through helpdesk credential resets. Could someone convince your team to do the same?
Who has admin access to:
Your Shopify store
Your domain registrar and DNS
Your email domain (Microsoft 365, Google Workspace)
Production customer databases
Turn on multi-factor authentication for every one of those accounts this week. Use an authenticator app, or a hardware key for admin accounts; not SMS. One-tap push approvals are exactly what MFA bombing abuses, so prefer number matching where the platform offers it. No exceptions.
3. What Data You’re Actually Holding
The attacks targeted customer lists because they’re valuable.
Quick audit:
Are you storing full payment card numbers? You shouldn’t be. Use tokenisation. If you take payments through Shopify Payments or Stripe, full card details never touch your systems, but confirm that with whichever gateway you use, and check that no old export, support ticket or spreadsheet holds card numbers either.
Are passwords properly hashed? Not plain text, and not a single unsalted MD5 or SHA-1 digest either: you want a salted, deliberately slow algorithm such as bcrypt, scrypt or Argon2. If a customer can be emailed their existing password, they aren’t hashed. (Shopify handles this for you; it matters on custom platforms.)
How long are you keeping purchase history and behavioural data?
GDPR requires you only hold what you need for as long as necessary. Less data = smaller breach surface = lower costs when something happens.
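As an added example (not code from the article), here is what “properly hashed” means for a custom platform, using only the Python standard library: a random salt per user, a deliberately slow function (scrypt), a constant-time comparison on login, and a quick heuristic for spotting plaintext or bare MD5 in an existing users table. The cost parameters and the stored-string format are this example’s own conventions, not a standard the article mentions.

```python
"""Salted, deliberately slow password hashing with only the standard library.

Added example, not code from the article. Plaintext passwords, or a single
unsalted MD5/SHA-1 digest per user, are what "not properly hashed" means.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Cost parameters (this example's choice): n is CPU/memory cost and must be a
# power of two, r the block size, p parallelism. 2**14/8/1 needs about 16 MiB
# per hash, a common interactive-login setting; raise n as hardware speeds up.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: scrypt$n$r$p$salt_b64$digest_b64.

    The salt is random per user, so two users with the same password get
    different stored values and a precomputed (rainbow) table is useless.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored alongside the digest and compare
    in constant time, so timing never leaks how close a guess was."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
        n, r, p = int(n), int(r), int(p)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        if scheme != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=n, r=r, p=p, dklen=len(expected))
    except ValueError:          # wrong shape, bad integers, bad base64 or bad params
        return False
    return hmac.compare_digest(candidate, expected)


def looks_unhashed(stored: str) -> bool:
    """Heuristic for auditing an existing users table: anything not in a
    recognised salted-hash format (this scheme, Argon2, bcrypt, PBKDF2) is a
    red flag. A bare 32-hex-character value is almost always unsalted MD5."""
    known_prefixes = ("scrypt$", "$argon2", "$2a$", "$2b$", "$2y$", "pbkdf2")
    return not stored.startswith(known_prefixes)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
    for value in ("password123", "5f4dcc3b5aa765d61d8327deb882cf99", record):
        print("unhashed?", looks_unhashed(value), value[:24])
```

Storing the parameters in the record is what lets you raise the cost later: new logins get re-hashed with the stronger settings while old records still verify.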
4. Basic Encryption
Should be standard, but verify:
Valid TLS certificates on every hostname, including admin, staging and API subdomains
HTTPS enforced sitewide: HTTP redirects permanently to HTTPS and the Strict-Transport-Security header is set
Database encryption at rest
Encrypted backups stored separately, with the encryption keys kept somewhere other than alongside the backups
If you’re on Shopify, the first two are automatic and storage is encrypted for you. Custom platforms need each item verified by hand.
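An added example, not the article’s code, of checking the two HTTPS items above against what a site actually returns: does http:// answer with a permanent redirect to https:// on the same host, and does https:// send a Strict-Transport-Security header with at least a one-year max-age and includeSubDomains? The fetch() helper talks to live hosts; the hostnames and responses in SAMPLE are constructed so the check can be read and run offline.

```python
"""Check that a hostname actually enforces HTTPS, from the two responses that
matter: what http:// returns, and what headers https:// sends.

Added example, not the article's code. evaluate() is pure so it can run
against constructed responses; fetch() is the live helper for real hosts.
"""
import urllib.error
import urllib.request
from urllib.parse import urlparse

ONE_YEAR = 31536000  # seconds; the usual minimum for Strict-Transport-Security


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Stop urllib following redirects so we can inspect the first hop ourselves.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, timeout=10):
    """Return (status, lower-cased headers) for one request, no redirects followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here
        return e.code, {k.lower(): v for k, v in e.headers.items()}


def parse_hsts(value):
    """Return (max_age, include_subdomains) from an HSTS header value."""
    max_age, include_sub = 0, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip().isdigit():
            max_age = int(arg.strip())
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def evaluate(host, http_response, https_response):
    """Return a list of findings; an empty list means HTTPS is enforced properly."""
    findings = []
    status, headers = http_response
    if status not in (301, 308):
        findings.append(f"http://{host} answered {status}; expected a permanent redirect")
    else:
        target = urlparse(headers.get("location", ""))
        # allow the common apex -> www hop, but nothing off-domain or over http
        if target.scheme != "https" or target.hostname not in (host, "www." + host):
            findings.append(f"http://{host} redirects to {headers.get('location')!r}, not https://{host}")

    status, headers = https_response
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(f"https://{host} sends no Strict-Transport-Security header")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age < ONE_YEAR:
            findings.append(f"https://{host} HSTS max-age={max_age} is below one year")
        if not include_sub:
            findings.append(f"https://{host} HSTS lacks includeSubDomains (admin/staging hosts uncovered)")
    return findings


# Constructed responses for two hostnames (not captured from real sites).
SAMPLE = {
    "shop.example": ((301, {"location": "https://shop.example/"}),
                     (200, {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"})),
    "admin.example": ((200, {"content-type": "text/html"}),
                      (200, {"strict-transport-security": "max-age=300"})),
}


def audit(samples=SAMPLE):
    return {host: evaluate(host, http, https) for host, (http, https) in samples.items()}


def audit_live(hosts):
    """Same check against real hostnames; not used by the offline sample."""
    return {h: evaluate(h, fetch(f"http://{h}/"), fetch(f"https://{h}/")) for h in hosts}


if __name__ == "__main__":
    for host, issues in audit().items():
        print(host, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

Run audit_live() over every hostname you own, not just the storefront: the admin and staging hosts are the ones that tend to slip.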
5. Your Incident Response Plan
M&S had run simulation exercises the year before their breach. It helped them contain it faster—which directly reduced costs.
Can you answer:
Who discovers and reports breaches internally?
Who’s the incident commander?
How do you isolate affected systems?
What’s the customer communication protocol?
Companies containing breaches within 200 days save nearly £1M versus those taking longer.
The Monthly Habits That Matter
First Monday: Software Updates
Update Shopify apps, WordPress plugins and any self-hosted systems. 70% of UK retailers had critical vulnerabilities from outdated software. Attackers aren’t finding novel exploits; they’re using known vulnerabilities in unpatched systems. While you’re in there, uninstall apps you no longer use: each one is a vendor with access to your data.
Last Friday: Access Review
Leavers should lose access on their last day; the monthly review is there to catch the ones that slipped through. Review contractor and agency access, and disable any account that hasn’t logged in for 90 days.
Quarterly: Vendor Check-In
Confirm vendors still hold their certifications. Verify they’ve addressed any publicised vulnerabilities. Review your data processing agreements.
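One way to make both the admin-access check from the 60-minute audit and the Last Friday access review repeatable, added here as an example (not the article’s code): export the account lists from each system into one CSV and let a script flag admins without MFA, admins still on SMS, leavers who still have accounts, and anyone who hasn’t logged in for 90 days. The CSV columns, the sample rows and the leavers list are constructed for the example; map your own Shopify, Workspace, registrar and database exports onto them.

```python
"""Access review over an exported account list.

Added example, not code from the article. One CSV row per account per system
(Shopify staff, Google Workspace, DNS registrar, database). Column names are
assumptions; map your own exports onto them.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample export (not real data). mfa_method is one of:
# none | sms | app | hardware_key
ACCOUNTS_CSV = """system,email,role,mfa_method,last_login
shopify,owner@brand.example,admin,hardware_key,2025-10-03
shopify,ops@brand.example,admin,sms,2025-10-02
shopify,agency@shopify-partner.example,admin,none,2025-03-15
workspace,owner@brand.example,super_admin,app,2025-10-03
workspace,leaver@brand.example,user,app,2025-06-30
registrar,it@brand.example,admin,app,2024-11-20
database,etl@brand.example,readwrite,none,2025-10-03
"""

# Constructed leavers list from HR (these should already have been offboarded).
LEAVERS = {"leaver@brand.example"}

ADMIN_ROLES = {"admin", "super_admin", "owner"}
INACTIVE_DAYS = 90
REVIEW_DATE = date(2025, 10, 6)  # fixed so the example is reproducible


def review_accounts(csv_text, leavers, today=REVIEW_DATE):
    """Return (severity, system, email, finding) tuples, highest severity first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        is_admin = row["role"] in ADMIN_ROLES
        last_login = datetime.strptime(row["last_login"], "%Y-%m-%d").date()
        idle = (today - last_login).days
        who = (row["system"], row["email"])

        if row["email"] in leavers:
            findings.append(("high", *who, "account belongs to a leaver; disable now"))
        if is_admin and row["mfa_method"] == "none":
            findings.append(("high", *who, "admin with no MFA"))
        elif is_admin and row["mfa_method"] == "sms":
            findings.append(("medium", *who, "admin on SMS MFA; move to app or hardware key"))
        elif row["mfa_method"] == "none":
            findings.append(("medium", *who, "no MFA"))
        if idle > INACTIVE_DAYS:
            # a dormant admin is a dormant way in; a dormant user is mostly clutter
            sev = "high" if is_admin else "low"
            findings.append((sev, *who, f"no login for {idle} days; disable or justify"))

    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f[0]], f[1], f[2]))
    return findings


def admins_per_system(csv_text):
    """How many people can do anything in each system; more than a handful is a smell."""
    counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["role"] in ADMIN_ROLES:
            counts[row["system"]] = counts.get(row["system"], 0) + 1
    return counts


if __name__ == "__main__":
    for sev, system, email, note in review_accounts(ACCOUNTS_CSV, LEAVERS):
        print(f"[{sev:6}] {system:10} {email:35} {note}")
    print("admins per system:", admins_per_system(ACCOUNTS_CSV))
```

Keep the CSV and the script’s output with the date of each review; when a buyer or auditor asks how you manage access, a year of dated findings answers the question better than a policy document.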
The Right Tech Stack for Your Scale
£2-10M ARR:
MFA everywhere
Password manager for the team
Shopify’s native security maximised
Basic vendor audit completed
£10-25M ARR: Add:
Web Application Firewall (Cloudflare or Sucuri)
Written incident response plan
PCI DSS compliance validated (if a hosted checkout such as Shopify Payments or Stripe handles the card data, this is normally the short SAQ A self-assessment rather than a full audit)
Quarterly vendor security reviews
£25-50M ARR: Add:
SOC 2 Type II audit
Annual penetration testing
Zero Trust architecture principles
Formal vendor risk management
You’re building progressive maturity, not achieving perfection overnight.
Understanding the Attackers (It Helps)
Scattered Spider—the group behind M&S—aren’t sophisticated nation-state actors. They’re English-speaking young adults, many from gaming communities.
Their playbook is surprisingly simple:
Call IT helpdesks impersonating executives
Use information from LinkedIn and previous breaches
Employ “MFA bombing”: firing push prompts at a target repeatedly until they approve one just to make it stop
Message staff over Teams or Slack posing as IT support to harvest credentials or one-time codes
Defences that specifically counter this:
Train helpdesk staff never to reset a password, or re-enrol an MFA device, on a phone request without calling back on a number already on file (never one the caller supplies); MFA re-enrolment is the reset attackers want most
Use hardware security keys (YubiKey) for admin accounts
Monitor unusual access patterns, especially after-hours
Require a second channel for sensitive requests, such as a callback plus a manager’s approval; a live video call helps, but on its own it is no longer conclusive
The sophistication isn’t in their technical capabilities. It’s in their social engineering.
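MFA bombing leaves a recognisable trace in the identity provider’s sign-in log: a burst of denied or expired push prompts for one user, then an approval, all within minutes. Here is an added example (not the article’s code) of that detection over constructed log lines in an assumed JSON-lines format, with an after-hours flag for the “unusual access patterns” point above. The field names, the ten-minute window and the threshold of three failed prompts are assumptions to tune for your own tenant.

```python
"""Detect MFA bombing (push fatigue) in authentication logs.

Added example, not code from the article. Log format and field names are
assumptions; the sample lines are constructed, not from any real tenant.
The pattern: a burst of push prompts that are denied or time out, then one
approval, all within a few minutes, is what a worn-down approval looks like.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed log lines: one JSON object per line, similar in shape to an IdP
# sign-in log export. result is one of: approved | denied | timeout
SAMPLE_LOG = """
{"ts": "2025-04-18T02:11:05Z", "user": "ops@brand.example", "event": "mfa_push", "result": "timeout", "ip": "203.0.113.9"}
{"ts": "2025-04-18T02:12:10Z", "user": "ops@brand.example", "event": "mfa_push", "result": "denied", "ip": "203.0.113.9"}
{"ts": "2025-04-18T02:13:02Z", "user": "ops@brand.example", "event": "mfa_push", "result": "denied", "ip": "203.0.113.9"}
{"ts": "2025-04-18T02:13:40Z", "user": "ops@brand.example", "event": "mfa_push", "result": "timeout", "ip": "203.0.113.9"}
{"ts": "2025-04-18T02:14:55Z", "user": "ops@brand.example", "event": "mfa_push", "result": "approved", "ip": "203.0.113.9"}
{"ts": "2025-04-18T09:01:00Z", "user": "owner@brand.example", "event": "mfa_push", "result": "timeout", "ip": "198.51.100.4"}
{"ts": "2025-04-18T09:02:30Z", "user": "owner@brand.example", "event": "mfa_push", "result": "approved", "ip": "198.51.100.4"}
{"ts": "2025-04-18T23:40:00Z", "user": "it@brand.example", "event": "mfa_push", "result": "approved", "ip": "192.0.2.77"}
"""

WINDOW = timedelta(minutes=10)   # how far back to look from the approval
MIN_FAILED_PROMPTS = 3           # failed/ignored prompts needed to alert
BUSINESS_HOURS = range(8, 19)    # 08:00-18:59 UTC; adjust to your team


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def detect_mfa_fatigue(events, window=WINDOW, threshold=MIN_FAILED_PROMPTS):
    """Return one alert per approval that was preceded, within `window`, by at
    least `threshold` denied or timed-out prompts for the same user."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of recent failed prompts
    for e in events:
        if e.get("event") != "mfa_push":
            continue
        user, ts = e["user"], e["ts"]
        # drop prompts that have aged out of the window
        recent[user] = [t for t in recent[user] if ts - t <= window]
        if e["result"] in ("denied", "timeout"):
            recent[user].append(ts)
        elif e["result"] == "approved":
            failed = len(recent[user])
            if failed >= threshold:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "failed_prompts_before": failed,
                    "ip": e.get("ip"),
                    "after_hours": ts.hour not in BUSINESS_HOURS,
                })
            recent[user].clear()   # an approval ends the episode either way
    return alerts


def after_hours_approvals(events):
    """Weaker signal on its own, but worth a look: approvals outside business hours."""
    return [e["user"] for e in events
            if e.get("event") == "mfa_push" and e["result"] == "approved"
            and e["ts"].hour not in BUSINESS_HOURS]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_mfa_fatigue(evs):
        print("ALERT possible MFA fatigue:", a)
    print("after-hours approvals:", after_hours_approvals(evs))
```

The response to an alert is the same as for a suspected helpdesk reset: revoke the user’s sessions, re-enrol their MFA in person or over a verified callback, and check what that account touched in the following hours.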
What M&S Did Right (And Wrong)
Right:
They’d run simulation exercises beforehand
Transparent customer communication
Contained relatively quickly (weeks, not months)
Wrong:
Insufficient security protocols on outsourced helpdesk
No adequate controls against social engineering
Roughly two months passed between the February intrusion and the April encryption without detection
The takeaway: resilience is about detection speed and containment capability, not perfect prevention.
Think of it like F1 pit stops. You optimise for speed under pressure because something will eventually need attention. The question is whether you’re prepared when it happens.
When Security Becomes Strategic
I’ve advised D2C brands through private equity due diligence. Security moves from “IT task” to “board concern” at specific inflection points:
£5M+ ARR in subscriptions: Recurring revenue means sustained relationships. One breach tanks your LTV calculations and valuation multiples.
Pre-fundraise: Decent due diligence includes security audits. Retrofitting during funding processes costs 3x preventative measures and signals operational immaturity.
International expansion: Different jurisdictions, different compliance. GDPR fines can reach 4% of global annual turnover.
15+ integrated vendors: Third-party risk compounds exponentially. You need proper vendor management, not just contracts.
At these points, the ROI of security infrastructure flips. The cost of not having it exceeds implementation costs.
The Honest Assessment
You’re not M&S. You don’t have their resources or complexity. But you’re also more agile, which means you can implement security controls they’d struggle to coordinate across legacy systems.
The 2025 breaches teach us that attackers target valuable data behind weak controls. Your subscription customer data, renewal patterns, and lifetime value segments are exactly what they’re seeking.
But here’s the optimistic bit: most of these vulnerabilities are fixable with process changes and free tools, not massive capital investment.
MFA costs nothing. Vendor audits take time, not money. Access reviews are discipline, not budget. Incident response planning is an afternoon workshop.
The question isn’t whether you can afford to address this. It’s whether you can afford not to when you’re building something meant to scale.
That’s exactly what fractional CTO services are designed for—building investment-ready foundations that grow revenue without scaling risk. If you’re preparing for funding, expanding internationally, or just want clarity on whether your tech stack is actually secure… let’s talk.