Marks & Spencer (M&S) recently experienced a significant data breach resulting from sophisticated ransomware, which crippled its online operations for more than three weeks, costing the retailer £43m a week in lost sales, according to analysis from Bank of America Global Research. It also had a significant impact on its privacy and cybersecurity operations, prompting a statement from the Information Commissioner’s Office (ICO) to reassure customers.
Incidents like this can be contained quickly if the data security team and data protection officers (DPOs) work closely together and follow best-practice protocols for responding to a data breach.
The retailer’s IT systems were attacked during the Easter weekend, leading to unauthorised access to customer personal data, which may have included telephone numbers, home addresses and online order histories. Importantly, M&S added that the data theft did not include usable payment or card details, or any account passwords. The compromised data, though not including financial information, still posed risks to customer privacy and trust. Identifying what data has been compromised is a key first step, after which the data protection officers can assess whether the incident is reportable to the regulator.
Online orders through the website, app and phone were subsequently suspended (from April 25), with no confirmed date for resumption. This has had a ripple effect on services such as the retailer’s loyalty offers and contactless payments, and temporarily affected in-store stock availability.
With online orders playing such a central role in the modern shopping experience, this incident serves as a reminder that organisations’ data protection teams must have robust, well-tested incident response plans in place to minimise disruption and avoid prolonged service outages, which carry financial and regulatory implications.
This breach is not an isolated case: the ICO confirmed similar ransomware-related breaches at Co-op and Harrods. While M&S acted promptly by engaging cybersecurity professionals and notifying relevant authorities, including the ICO and the National Cyber Security Centre, these repeated attacks across major retailers highlight the urgent need for organisations to reassess their data governance frameworks and address potential high-risk issues immediately.
The breaches also reiterate the need for organisations to embed privacy considerations into the foundation of their operations.
Having a DPO build a robust privacy governance framework into an organisation’s operations from the outset can help to reduce the risk of a breach and ensure that an appropriate response process is followed and tested continually. HewardMills’ experienced data protection professionals are well-positioned to support organisations navigating these challenges and mitigating the implications of future data breaches. From reviewing your organisation’s current privacy posture to providing outsourced data protection services, HewardMills can offer strategic advice that mitigates these and other privacy risks.