Comment on M&S cyber attack: Cybersecurity is not enough… you need to be cyber resilient
Comment by Gavin Butler, Senior Lecturer in Cyber Security at BNU.
We have all heard of, or even been affected by, the cyber security issues faced by M&S over the last three or so weeks.
The hacking group with the moniker ‘Dragon Force’ brought down much of the M&S network through what now appears to have been a rather unsophisticated attack: old social engineering techniques used to gain access to systems via a third-party B2B relationship. The hack was successful in that it locked M&S staff out of internal systems and customers out of online platforms, with significant disruption caused across the company, from supply chain communications through to online ordering and delivery of products. At an estimated £40M a week in lost potential sales this is huge, and perhaps we have not seen such a significant retailer brought to its knees in such circumstances in recent times.
The plan for Dragon Force was to utilise Ransomware-as-a-Service (RaaS) from established tech-based organised crime groups to attempt to extort money from the target victim: steal and/or encrypt critical data, demand a fee to unlock and restore access to that data, and then demand further fees to delete, or not distribute, the data affected.
It is no wonder that organised crime has ‘professionalised’ and ‘monetised’ the opportunity to provide the means for affiliates to attack legitimate organisations. However, in over 30 years in this industry, this is certainly no surprise to ‘the good guys’. For example, the ‘Drink or Die’ group that operated at the turn of the century defrauded the software industry of potentially £4M in sales of licensed applications by distributing programs illegally and freely via a very organised network of members across the UK and the US. Even earlier than that, in the mid-1990s, it was possible for frankly quite technologically-light criminals to globally distribute the Sub-seven trojan (a remote-access backdoor, often loosely called a virus) through websites in Brazil, with the only information required being the IP address of the victim. You did not need to be a programmer, a script kiddie or a computer scientist to be a cyber criminal. Making money out of cyber-insecurity is a no-brainer for the criminal underworld, and the sense of anonymity it gives attackers may make a criminal career even more attractive than the more traditional crimes of the past, particularly for the tech-savvy Gen-Z population.
Unlike the attempted hack of the Co-op at the same time as M&S, in which the Co-op was reported to have physically and literally “pulled the plug” on its network with a plan to rebuild and reboot a clean system, the M&S hack has caused significantly more reputational damage. The Marks and Spencer brand name exudes quality, with a genuine global reach that also represents the UK’s culture and traditions in trusted, centuries-old retail. M&S will have internal cybersecurity teams and a Chief Information Security Officer (CISO) overseeing operations and championing cybersecurity protocols at a strategic level, and these have unfortunately failed to keep the organisation secure. Once M&S is back in a state of normality, critical reflection needs to take place to decipher how this situation happened on their watch. It would surprise me if a UK parliamentary committee did not demand an audience with the top brass from M&S in the near future.
Cybersecurity does not provide 100% security. In fact, what we need to advocate for now is cyber resilience rather than cybersecurity alone. It is not a matter of if a breach will happen, but when. A resilience mindset recognises this and prevents an organisation from falling into a false sense of security by assuming its defences are strong enough to prevent any kind of breach. These events will happen. They will happen at the times we perceive to be of maximum inconvenience, which is precisely what malicious actors will exploit, and no amount of planning will fully protect us if we are not flexible, agile and robustly determined in our ongoing monitoring of and response to threats.
As Dragon Force does not appear to have made any money from these hacks, expect the stolen data to be sold on to other organised crime groups, which will use the customer data to attempt social engineering scams via phone, text, email or even in person, posing as ‘official’ representatives of M&S, banks or indeed law enforcement. This could be you, me, your grandparents or indeed anyone who has shopped at M&S. There will no doubt be further victims as collateral fallout from this event. Again, it is not a matter of if but when.
Further to this news story, I think what is now of greater concern is that Dragon Force will (as reported) target other economic sectors, because prudent retailers will rapidly and sensibly react to the M&S situation by reviewing their own levels of cyber resilience and so potentially make any hacking more challenging. So, from the attacker’s point of view, why not pick a more vulnerable target?
We hear this week from the UK Ministry of Justice that the legal aid online service has been hit and millions of criminal case related records have been acquired by external agents. Ransomware criminals are not politically or ideologically motivated like terrorist groups; they just want money and want you to pay. So I would expect to see an increase in attacks on micro-businesses and SMEs, which do not have the same levels of resources to focus on cyber resilience, or which depend on an even more complex series of B2B relationships to operate than a multinational does. But I would also not be surprised to see a concerted effort to bring down educational institutions (schools, FE colleges and universities), particularly at known critical periods such as student assessment periods (May-June) or the key recruitment period for new students (Aug-Sept).
Whatever industry you are in, public or private, the fact that a company like M&S, with a turnover of £13B, cannot protect itself is a wake-up call for everyone. Many organisations do not have a CISO, or do not even separate the security role from the more narrowly focused IT systems support role of the Chief Information Officer (CIO), and that only whets the appetite of attackers, who know that some level of cybersecurity ignorance (or potential incompetence) must be present.
There are contemporary and trusted organisational resilience models, such as 4Sight, BSI and ICOR’s developed insights, that can be used as reflective tools to assess and develop strategic, tactical and operational initiatives to ensure robustness, agility and flexibility in cyber resilience. We need to use them. We need a reset of our cyber thinking.
Remember, cybersecurity is never 100% secure. That is why you need ‘cyber resilience’ in this 21st-century tech-dependent, and tech-obsessed, world.