The Signal August 19, 2025

Marks & Spencer: A Shop Window for Supply Chain Cyberattack Trauma

Disruption, lost value, and long recovery time prove that proactive cyber resilience is neither optional nor worth waiting on.

Geraint John
Resilience

Fifteen weeks of supply chain disruption. Millions of frustrated customers. Profits slashed by £300 million. Almost 7% wiped off shareholder value. The fallout from the Easter weekend cyberattack on venerable British retailer Marks & Spencer has been both profound and prolonged.

Last week, M&S announced it had finally resumed full omnichannel capabilities, with customers able to click-and-collect clothing and homeware purchases and return online orders to its 1,000-plus UK stores.

The attack is the most serious of a spate of cybersecurity incidents to hit retail supply chains during the past 12 months.

Two other examples:

  • In November 2024, a ransomware attack on software vendor Blue Yonder disrupted retailers on both sides of the Atlantic, including Morrisons and Starbucks.
  • In June 2025, Whole Foods Market stores across the US saw product shortages and empty shelves after one of its key distributors, United Natural Foods Inc., suffered a major cyberattack.

Zero100 analysis of almost 250 companies that reported cyberattacks between the start of 2024 and mid-2025 shows the retail sector was the most impacted (almost one-quarter of all reports). But manufacturing firms in multiple sectors have also been affected.

In May, for example, US steel maker Nucor was forced to halt production at several plants after a cybersecurity incident involving unauthorized third-party access to its IT systems.

Supply Chain Attacks Are Growing

M&S’s cyberattack, which chairman Archie Norman described as “traumatic” and “an out-of-body experience,” was a supply chain double whammy. Not only did it severely disrupt the company’s operations, but it is also thought to have originated with a supplier – IT helpdesk provider Tata Consultancy Services (although the company has denied its staff were to blame).

Supply chain cyberattacks are “a significant and growing threat,” according to the Identity Theft Resource Center, a non-profit that monitors data breaches in the US. In the first half of 2025, it identified 79 supply chain incidents affecting 690 entities (compared with 657 for the whole of 2024).

Separate analysis of over 22,000 security incidents in 2024 by Verizon Business found that 30% involved a third party – twice the level of 2023.

No wonder CEOs and chief information security officers (CISOs) surveyed by the World Economic Forum saw supply chain disruptions as a top-three cyber risk in 2025.

Growing digital interconnectivity explains why “threat actors” (nation states, hackers, criminal gangs, etc.) are choosing to target supply chains. Many suppliers, particularly small- and mid-sized firms, have less robust cybersecurity protection in place than their better-resourced customers and can be easier to exploit as an entry point.

The explosive growth of generative AI and AI agents is a particular concern for business and cybersecurity leaders. These tools are already being used to execute highly scalable cyberattacks via phishing and social engineering methods of the kind used to attack M&S.

However, insecure IT systems aren’t the only way in for those seeking to wreak havoc, steal data, and make money by holding victims to ransom. Two other major sources of vulnerability are:

  • Software supply chains powered by cloud services and open-source code – exemplified by the SolarWinds attack of 2020 and the CrowdStrike outage in 2024.
  • The fast-growing footprint of operational technologies, including IoT devices, robotics, automated vehicles, and industrial control systems.

Invest in Cyber-Risk Tech and Talent

While cyber risk is not typically owned by the supply chain function, CSCOs and sourcing leaders need to collaborate with CIOs, CISOs, and their teams to minimize the frequency and severity of supply chain attacks and to build enterprise-wide cyber resilience.

Proactive investments in supply chain risk management technology and talent are required to:

  • Improve the visibility of n-tier IT services, technology, and direct material supply chains to identify interdependencies and potential cyber-vulnerabilities.
  • Strengthen cyber risk assessments, both during supplier selection, due diligence, and contracting, and on an ongoing basis using specialist risk ratings, fire drills and simulations, and other tools.
  • Continuously monitor supply chain networks for intelligence on cyberattacks. Picking up early warning signals can be vital in responding quickly and limiting negative fallout.

Supply chain risk platform vendors such as Everstream Analytics and Exiger offer n-tier visibility and broad event monitoring capabilities, while specialists like SecurityScorecard and BitSight go deep on supplier cyber-risk assessment and threat intelligence. Zero100 analysis has shown that digital skills such as data analytics are lagging in supply chain risk and resilience roles and need to be prioritized alongside effective tools.

The M&S case is a timely reminder that supply chain cyberattacks can be hugely damaging and recovery times long. Better to take preventative medicine now than act only when disruptors have spread their poison.