
Marks & Spencer cyber breach highlights vulnerabilities in UK's retail sector

Today

Marks & Spencer has become the latest high-profile victim of a cyber attack, with the breach igniting concerns about the vulnerability of digital infrastructure within the UK's retail sector. 

As the investigation unfolds, details have emerged suggesting a sophisticated and targeted attack, with potential links to credential abuse. It was reported that customer data (including contact details and dates of birth) has been stolen as part of the breach. As a result, customers have been prompted to update their passwords. However, experts have said that passwords are just a small part of the puzzle and that businesses need to take action urgently.

Exposing the complexities of the incident, David Mound, Senior Penetration Tester at SecurityScorecard, linked the breach to third-party risk. He identified the payroll provider Zellis, a supplier used by several major UK organisations, as a potential entry point - an attack method previously attributed to the Scattered Spider group. 

Mound commented, "In today's connected world, third-party risk isn't optional, it's foundational." 

According to SecurityScorecard's 2024 Threat Intelligence Report, half of all breaches last year were traced to third-party vulnerabilities, highlighting the fact that "nearly every organisation was connected to at least one breached vendor." The attack on Marks & Spencer reportedly saw sensitive employee data exfiltrated, with evidence suggesting the breach went undetected for weeks.

The incident has underscored the necessity for more vigilant supplier risk management and the inadequacy of traditional annual vendor reviews. Mound advocated for "real-time visibility into supplier risk, stronger identity protections like phishing-resistant multi-factor authentication (MFA), and trained helpdesk teams to prevent social engineering." He pointed to the emerging paradigm of Supply Chain Defence and Response (SCDR), which equips security teams to "act faster and limit the damage."

Spencer Young, SVP EMEA at Delinea, addressed the reported theft of customer data, urging businesses to look beyond traditional password protection. 

"Passwords alone - especially unrotated ones - leave organisations vulnerable to phishing, credential stuffing, and Pass-the-Hash attacks," said Young. 

He highlighted that privileged credential misuse was implicated in approximately 80% of breaches. To counteract these risks, Young recommended credential vaulting and automated password rotation, explaining, "By continuously rotating credentials and limiting their lifespan, organisations can invalidate stolen hashes and prevent attackers from moving freely within a network." 

While passwordless technologies such as biometrics are on the rise, Young noted that passwords will remain part of the security landscape and insisted on robust Identity Security and Privileged Access Management (PAM) to enforce frequent rotation, just-in-time access, and a Zero Trust security mindset.

Gopi Sirineni, CEO and Co-Founder of security firm Axiado, described such incidents as "a sign of how fragile digital operations can become when security isn't built into every layer of a business."

The sophistication highlighted in this breach reflects a growing trend, whereby attackers seek to exploit everyday systems and blend in until damage is done. Sirineni said, "It's not enough to defend the front door anymore. Most modern attacks don't need to break in; they log in using stolen credentials or gaps in identity checks."

Sirineni advocated for a comprehensive zero trust security approach. He called for preemptive, real-time security solutions capable of flagging threats before escalation and stressed the need for "speed in detection, speed in containment, and speed in recovery".

The expert consensus emerging from the aftermath of the Marks & Spencer breach is clear: traditional defences are no longer sufficient. Proactive, layered and intelligence-driven measures are becoming the new standard to protect both corporate and customer data in an increasingly hostile threat landscape.
