
Not Just Any Cyber Incident: The M&S Attack
When you think of Marks & Spencer (M&S), you probably picture Percy Pigs, classy ready meals, and comfy pants... not cyber attacks. But over the past week, M&S has found itself dealing with a serious cyber incident that’s caused major disruption across its online and in-store services.
While the situation itself is pretty grim, their communication throughout has been a bit of a masterclass in how to handle a cyber crisis.
So, what exactly happened?
Over the Easter weekend (because, of course, attackers love to hit during holidays), M&S was hit by a "cyber incident" that forced them to suspend all online and app orders across the UK, Ireland, and some international markets.
In-store, it wasn’t much better: contactless payments and the Click & Collect service were also knocked offline. It’s worth noting that M&S haven’t yet officially confirmed whether this was a ransomware attack… but if we’re being real, the scale and nature of the disruption certainly hints at something more malicious than just an IT glitch.
How did they respond?
Here’s where M&S deserve some real credit.
Rather than dragging their heels or going radio silent (a mistake we’ve sadly seen plenty of other organisations make), they were quick to:
- Bring in external cybersecurity experts
- Notify the National Cyber Security Centre and the Information Commissioner’s Office
- Communicate openly with customers, explaining the situation without corporate jargon or blame-shifting
Their CEO, Stuart Machin, even issued a personal apology, reassuring customers that (so far) there’s no evidence any personal data has been compromised.
In a world where companies often try to downplay cyber incidents until they’re backed into a corner, this level of transparency is refreshing.
The real-world impact
For M&S, the operational pain has been very real.
Online sales, which make up around a third of their clothing and homeware revenue, ground to a halt. Some stores struggled with payments and order fulfilments. Their share price also took a bit of a knock, dropping by up to 5% following the news.
And let’s not forget the Easter timing. Bank holidays are prime shopping days - so the financial hit could be even bigger than it first appears.
What can the rest of us learn from this?
There are a few big lessons that jump out:
- Being digital-first comes with risks. Retailers (and really, all businesses) are more digital than ever. That’s brilliant for customers, but it also means the attack surface is huge - and growing.
- Preparation is everything. Having a solid, tested incident response plan is critical. When the worst happens, you can’t afford to be making it up as you go along.
- Communication is key. M&S’s openness has likely helped limit reputational damage. Customers are way more forgiving if you’re upfront with them.
- No one’s untouchable. If a brand like M&S can be hit, anyone can. Complacency is not an option.
This M&S cyber incident is a sharp reminder that cybersecurity isn’t just a back-office issue - it’s a business continuity issue, a reputation issue, and a customer trust issue.
If you’re in cybersecurity (and I imagine most of you reading this are), now’s the time to have some frank conversations with leadership about risk, resilience, and response plans. No brand is too big, too established, or too well-loved to be targeted.
And for what it’s worth, if you’re going to get hit, handling it the way M&S has so far isn’t a bad blueprint to follow.
BY: Burhan Choudhry