Cybersecurity in 2025: Why Credential Stuffing and Third-Party Attacks Are a Growing Threat
In today’s digital-first economy, cybersecurity has shifted from being an IT concern to a boardroom priority. With high-profile breaches impacting some of the UK’s most trusted brands, the reality is clear: no organisation is too big, or too prepared, to be targeted. The recent cyber-attack on Marks & Spencer (M&S), one of the UK’s largest retailers, and similar attacks on the Co-op and Cartier are a timely reminder of the evolving threats businesses face and the high cost of digital disruption.
A Modern-Day Cyber Heist
Over the Easter weekend of 2025, M&S fell victim to a sophisticated and targeted cyber-attack. While the company’s response was swift, taking down its online ordering systems to protect customers, the damage has been significant. Nearly a month of disrupted operations is expected to cost the retailer an estimated £300 million in lost profits, additional logistics costs, and wasted inventory. This figure is especially startling given that it represents roughly a third of the company’s annual profit.
The group believed to be behind the attack, known as Scattered Spider, has a track record of targeting major British retailers, including the Co-op and Harrods. What made the M&S attack particularly effective was the method: the hackers gained access not through a vulnerability in M&S’s own systems, but via a third-party provider. From there, they reportedly used social engineering tactics to infiltrate the retailer’s operations, bypassing technology by manipulating human behaviour.
This reflects a growing trend in cyber attacks: criminals exploit trust relationships and human error to bypass traditional security controls, which is why cyber security in 2025 has to be taken very seriously.
What Is Credential Stuffing?
One of the more insidious techniques cyber criminals now use is called credential stuffing. This method relies on a simple yet devastatingly effective assumption: that people often reuse the same usernames and passwords across multiple accounts.
Here’s how it works: hackers acquire leaked or stolen credentials, often from unrelated data breaches, and use automated tools to “stuff” those credentials into login pages across a variety of sites. If just a small percentage of those credentials are reused elsewhere, attackers can gain access to sensitive personal or corporate data.
Credential stuffing differs from a traditional brute force attack in that it doesn’t guess passwords; it replays known username and password combinations from previous leaks. Because the login attempts use legitimate (but stolen) credentials, they can be harder for basic security systems to distinguish from genuine logins.
Although M&S has not confirmed whether credential stuffing played a role in its breach, the technique remains a common way for attackers to gain an initial foothold in user-facing systems, especially through third-party connections.
Why Small Mistakes Lead to Big Costs
The M&S incident reveals how even a well-prepared business, with cyberattack simulations already in place, can be caught off guard. The company’s chief executive, Stuart Machin, noted that while they were able to respond quickly, the financial and operational impact has been significant. Online sales came to a halt, food sales dropped due to supply chain issues, and manual processes had to be reinstated, slowing productivity and affecting customer experience.
This data breach also raises questions about third-party risk management. Many businesses rely on contractors, software vendors, and logistics providers who may not uphold the same level of security hygiene. These vendors can act as the “weakest link” in an otherwise robust digital infrastructure.
Moreover, the financial consequences of a breach go far beyond lost sales. There are regulatory fines, reputational damage, customer compensation, disaster recovery solutions and the long-term costs of rebuilding trust. While cyber insurance may cover some of the immediate expenses, it rarely addresses the full scope of loss.
How Businesses Can Protect Themselves
To defend against attacks like credential stuffing and third-party breaches in 2025, organisations must adopt a layered cyber security strategy. Here are some best practices:
- Use Multi-Factor Authentication (MFA): Adding a second layer of verification can prevent most credential stuffing attacks.
- Implement Password Hygiene: Encourage unique passwords and consider deploying enterprise-wide password managers.
- Conduct Third-Party Risk Assessments: Vet vendors thoroughly and include cybersecurity clauses in contracts.
- Regular Staff Training: Many attacks, including the one on M&S, involve social engineering. Train staff to recognise phishing attempts and suspicious activity.
- Monitor and Audit Continuously: Real-time monitoring of system access and behaviour analytics can flag unusual patterns before damage is done.
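One way to put the “monitor and audit” point into practice for the credential stuffing pattern described earlier: this is an added example, not code from the original article or from M&S, that classifies login sources from constructed log lines and lists the accounts whose reused password actually worked. The log format, the thresholds and the IP addresses are assumptions.

```python
"""Added example: tell credential stuffing from brute force in auth logs.
Stuffing: one source, many distinct usernames, about one try each, mostly failing.
Brute force: one source, one username, many tries. Distinct usernames separate them."""
import re
from collections import defaultdict

# Constructed log format (assumption, not any real product's log format):
#   "<ISO-time> src=<ip> user=<name> result=<ok|fail>"
LOG_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(ok|fail)$")

def parse(lines):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield {"src": m.group(2), "user": m.group(3), "ok": m.group(4) == "ok"}

def classify_sources(lines, min_attempts=5, min_users=5, max_success_rate=0.2):
    """Return {src_ip: 'stuffing' | 'brute_force' | 'normal'} (thresholds are assumptions)."""
    stats = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set()})
    for e in parse(lines):
        s = stats[e["src"]]
        s["attempts"] += 1
        s["ok"] += int(e["ok"])
        s["users"].add(e["user"])
    verdicts = {}
    for src, s in stats.items():
        rate = s["ok"] / s["attempts"]
        if s["attempts"] < min_attempts or rate > max_success_rate:
            verdicts[src] = "normal"        # too few tries, or mostly legitimate logins
        elif len(s["users"]) >= min_users:
            verdicts[src] = "stuffing"      # sweeping many accounts once each
        else:
            verdicts[src] = "brute_force"   # hammering a handful of accounts
    return verdicts

def compromised_accounts(lines):
    """Users who logged in successfully from a stuffing source: reused passwords that worked."""
    flagged = {s for s, v in classify_sources(lines).items() if v == "stuffing"}
    return {e["user"] for e in parse(lines) if e["ok"] and e["src"] in flagged}

SAMPLE_LOG = (  # constructed data, not from any real incident
    [f"2025-04-19T02:00:0{i} src=203.0.113.7 user={u} result={'ok' if u == 'bob' else 'fail'}"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [f"2025-04-19T02:01:0{i} src=198.51.100.9 user=admin result=fail" for i in range(6)]
    + ["2025-04-19T02:02:00 src=192.0.2.44 user=alice result=fail",
       "2025-04-19T02:02:05 src=192.0.2.44 user=alice result=ok",
       "malformed line that the parser ignores"]
)
```

The accounts returned by `compromised_accounts` are the ones to force a password reset on, which is the concrete follow-up the monitoring layer exists to trigger.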
The M&S breach is not just a wake-up call for retailers; it’s a case study for any organisation relying on digital infrastructure. As attacks grow more targeted and financially motivated, the stakes have never been higher. Credential stuffing, third-party exploits, and human manipulation are the tools of today’s cyber criminals, and businesses must respond with vigilance, education, and investment in cyber resilience.
Cybersecurity isn’t just about technology; it’s about strategy, people, and preparedness. As the M&S case shows, those who treat it as a core business function, not just an IT concern, will be better equipped to survive and thrive in a hostile digital world.