
What Lessons Can Small Businesses Learn From The Marks and Spencer Cyber Attack

In April 2025, Marks & Spencer (M&S), one of Britain’s most iconic high-street retailers, was hit by a devastating cyberattack that caused major disruption across its business. With online orders suspended, deliveries delayed and customer data potentially compromised, the event shook the UK retail industry.

But the consequences of this breach extend beyond the big names. Small businesses, which often lack the defences of larger firms, are increasingly in the firing line. The aftermath of this large-scale cyberattack holds urgent and relevant lessons for smaller UK businesses.

The M&S Cyber Attack Deconstructed

The cyberattack on M&S has been linked to the hacking group Scattered Spider, a notorious threat actor known for targeting high-profile Western companies. The criminals allegedly used social engineering attack techniques to manipulate IT helpdesk staff working for Tata Consultancy Services (TCS), a third-party IT support provider contracted by M&S.

By impersonating internal staff, the attackers obtained access credentials and infiltrated M&S’s systems. The attack compromised sensitive customer data including names, contact details, order histories and addresses. M&S stated, however, that passwords and payment information remained secure.

The breach forced M&S to temporarily halt online orders and stock deliveries, causing significant disruption to customers and suppliers alike.

Financially, the company expects a £300 million profit hit, and it could face fines of up to £553 million under UK GDPR laws. Following the breach, M&S’s market value fell by over £750 million.

The Real-World Impact for Small Businesses

While small businesses may not handle the same volume of data or revenue, they can be just as vulnerable to the kind of cyber threats that brought M&S to a standstill. According to the UK Government’s 2024 Cyber Security Breaches Survey, 50% of small businesses experienced a cyberattack in the previous 12 months.

Here’s what small business owners can learn:

  1. Third-Party Vendors Can Be a Risk

One of the most significant aspects of the M&S breach was its origin: a third-party IT provider. Outsourcing IT can be a cost-effective solution, but it also expands your attack surface.

Lesson: Vet your suppliers carefully. Ask about their cybersecurity policies and ensure they follow industry best practices. Contracts should include clear data protection and breach notification clauses.

  2. Social Engineering is a Hacker’s Favourite Tool

Rather than breaking through firewalls, hackers often find it easier to manipulate humans. In the case of M&S, social engineering allowed attackers to impersonate legitimate staff and trick support teams into granting access.

Lesson: Cybersecurity isn’t just about software, it’s also about people. Train your staff to spot phishing emails, suspicious calls, and unusual login requests. Regular simulated phishing exercises can help prepare your team for real-world threats.
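One way to make that lesson concrete on the helpdesk side, as an added example that is not M&S’s or TCS’s actual process: a verification gate that every credential-reset request must pass before an agent can act on it, so that a caller’s claim to be an employee is never enough on its own. The directory entries, phone numbers and policy rules below are constructed for illustration.

```python
"""Helpdesk identity-verification gate for credential-reset requests.

Added example (not M&S's or TCS's process). It models the control that a
helpdesk impersonation attack relies on being absent: an agent acting on a
caller's self-asserted identity. Assumed policy, for illustration only:
  - the account must exist in the directory;
  - the agent must have called back the number already ON RECORD and the
    real owner must have confirmed (never a number the caller supplies);
  - an out-of-band one-time code must have been verified;
  - privileged accounts also need a named second approver.
Every decision is recorded so that unusual reset activity can be reviewed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class ResetRequest:
    account: str
    callback_number_used: str        # number the agent actually dialled
    callback_confirmed: bool         # did the account owner pick up and confirm?
    otp_verified: bool               # out-of-band one-time code matched
    approver: Optional[str] = None   # second approver for privileged accounts

# Constructed sample directory (hypothetical accounts and numbers).
DIRECTORY = {
    "jsmith":    {"phone": "+44 1000 000001", "privileged": False},
    "admin-ops": {"phone": "+44 1000 000002", "privileged": True},
}

AUDIT_LOG: list = []   # in practice this would go to a tamper-evident log

def evaluate_reset(req: ResetRequest) -> Tuple[bool, str]:
    """Return (allowed, reason) for a reset request and append an audit record."""
    entry = DIRECTORY.get(req.account)
    if entry is None:
        decision = (False, "unknown account")
    elif req.callback_number_used != entry["phone"]:
        # A caller-supplied number is exactly what an impersonator controls.
        decision = (False, "callback not made to number on record")
    elif not req.callback_confirmed:
        decision = (False, "callback not confirmed by account owner")
    elif not req.otp_verified:
        decision = (False, "out-of-band one-time code not verified")
    elif entry["privileged"] and not req.approver:
        decision = (False, "privileged account needs second approver")
    else:
        decision = (True, "verified")
    AUDIT_LOG.append({"account": req.account, "allowed": decision[0],
                      "reason": decision[1], "approver": req.approver})
    return decision
```

The point of the gate is that none of the checks can be satisfied by information the caller volunteers, which is what makes a convincing phone manner insufficient.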

  3. The Financially Crippling Fallout

M&S’s brand strength may help it recover from a £300 million loss, but for a small business even a modest data breach can lead to devastating costs, from legal fees and regulatory fines to lost revenue and customer churn.

Cyberattacks have cost UK businesses £44 billion over the past five years, with an average breach costing £2.93 million.

Lesson: Investing in cybersecurity today can save your business tomorrow.

  4. Customer Trust Is Fragile

M&S acted quickly to notify customers, secure systems and launch investigations. Yet even with a strong brand, trust has taken a hit.

For smaller businesses, reputation is everything, and rebuilding customer confidence after a breach can be near-impossible.

Lesson: Transparent communication and pre-planned crisis responses are essential. Let your customers know you take data protection seriously and demonstrate that through robust security practices.

Why Are SMEs Becoming a More Prevalent Target?

In 2025, cybercriminals are increasingly turning their focus from large corporations to smaller, more vulnerable businesses. This is because:

  • SMEs often lack dedicated IT security staff.
  • Many operate with outdated software or weak passwords.
  • Some mistakenly believe they’re “too small to target.”

This “security through obscurity” mindset is often a dangerous one. Small businesses still hold a lot of valuable data such as customer records, payment information and intellectual property.

How To Fully Protect Your Small Business

A range of small business cyber security solutions can be put in place to protect against modern cybercriminals. Here are practical steps every small business can take:

  • Risk Assessments – Regularly review your systems for vulnerabilities.
  • Multi-Factor Authentication (MFA) – Add extra layers of security.
  • Employee Training – Teach your team to spot and report suspicious behaviour.
  • Patch Management – Keep systems and software up to date.
  • Incident Response Plan – Know exactly what to do when (not if) something goes wrong.

The M&S breach is a stark reminder that even the most prepared organisations can fall victim. For small businesses, the consequences can be even more severe.

Protect Your Business with QiC Systems

At QiC Systems, we specialise in cybersecurity for small and medium-sized businesses. From comprehensive audits and staff training to 24/7 threat monitoring and backup solutions from Hornetsecurity, we help you stay protected against the growing threat of cybercrime.

  • Stay compliant with UK regulations
  • Build customer trust through secure practices
  • Avoid costly downtime and data loss

Get in touch with QiC Systems today to find out how we can help safeguard your business from cyber threats. Give us a call on 01962711000 or email us at sales@qicsystems.com.