Marks & Spencer: How Third-Party Cyber Risk Can Shut Down Digital Sales

Marks & Spencer’s cyber-attack illustrates how quickly a trusted brand can suffer major financial damage when third-party cyber risk is underestimated. The incident, reportedly involving ransomware and phishing activity linked to a supplier, led to a suspension of online sales and an estimated £300 million impact on profits. For a retailer with a strong digital presence, the disruption went far beyond IT inconvenience and struck directly at revenue generation.
Modern retailers rely heavily on interconnected ecosystems. E-commerce platforms, payment processors, logistics partners and marketing systems often involve dozens of external vendors. While this model enables speed and scale, it also means that security weaknesses beyond the organisation’s direct control can become a primary attack vector. In this case, attackers reportedly used compromised supplier access to penetrate Marks & Spencer’s environment, bypassing traditional perimeter defences.
Immediate Operational and Revenue Disruption
The most immediate consequence was the loss of online trading capability. Unlike physical stores, digital channels cannot operate in a degraded state. When systems are taken offline to contain an attack, revenue stops instantly. Customers faced unavailable services, delayed orders and reduced confidence in the brand’s ability to safeguard their data and shopping experience. In a highly competitive retail market, even short interruptions can drive customers to alternative providers.
The incident underscores a critical shift in cyber risk: the weakest link is often not internal. Third-party relationships expand the attack surface dramatically, yet many organisations still rely on periodic questionnaires or contractual clauses as their primary control. These measures rarely provide real-time insight into a supplier’s security posture or detect compromise before it spreads.
Strengthening Third-Party Risk Management
Effective mitigation requires a more dynamic approach. Organisations should prioritise suppliers based on criticality, access level and data sensitivity, applying deeper scrutiny where potential impact is highest. Technical controls such as least-privilege access, strong authentication and continuous monitoring of third-party connections can significantly reduce risk. Equally important is contractual clarity around incident notification, forensic cooperation and recovery responsibilities.
Another key lesson lies in incident preparedness. Retailers must plan for scenarios where digital sales channels are unavailable for extended periods. This includes customer communication strategies, alternative fulfilment options and coordination with payment providers and regulators. Transparent, timely communication can help preserve trust even when services are disrupted.
Cyber Risk as a Board-Level Priority
At board level, the Marks & Spencer incident reinforces that cyber risk is inseparable from commercial performance. A single cyber event can erase hundreds of millions in profit, not through stolen funds, but through lost trading days and damaged customer confidence. As digital sales continue to grow, the resilience of online platforms and the security of the third-party ecosystem supporting them will remain a defining factor in retail success and financial stability.
