One Year On From M&S: What UK Schools, Charities and SMBs Should Actually Do About Supplier Risk

2 May 2026Boris Didov

It is one year since Marks & Spencer disclosed the cyber attack that took down its tills, click-and-collect and online store. The attackers did not exploit a zero-day - they phoned an outsourced IT helpdesk and got a password reset on a third-party supplier's account. We walk through what the M&S, Co-op and Harrods incidents really tell UK schools, charities and smaller businesses about supplier and service-desk risk - and the five things to change in the next ninety days.

Key takeaways

  • On 22 April 2025 Marks & Spencer disclosed a cyber attack that ultimately cost around £300m in lost profit. Co-op and Harrods were hit within ten days. The Cyber Monitoring Centre classed the cluster as a Category 2 event with sector-wide damages estimated at £270-440m.
  • The initial access route was not exotic. Scattered Spider impersonated employees to an outsourced IT helpdesk, got password resets, and used the credentials of two staff at third-party IT supplier Tata Consultancy Services to walk into M&S's network. From there it was Active Directory, ransomware and data exfiltration.
  • The four ingredients that made the attack succeed - a helpdesk that resets credentials on a phone call, an unmapped supplier list with privileged accounts, a soft Active Directory or Entra ID estate, and a continuity plan that assumes systems will be back tomorrow - are present in almost every smaller organisation we audit.
  • Public-sector exposure is rising. The Government's signalled ban on ransomware payments by public-sector bodies and Critical National Infrastructure operators is on track to land before the end of 2026. For schools, councils and NHS bodies that means recovery has to actually work without the option of paying.
  • Five cheap actions for the next 90 days: write down a helpdesk reset verification policy and put it in supplier contracts; produce a real privileged-supplier list and ask each one how they verify reset requests; treat AD/Entra ID as a crown jewel with tiered admin and tested directory recovery; tabletop a week-long offline scenario; and walk your supplier list against the Cyber Essentials Danzell question set.

A year ago this week, on 22 April 2025, Marks and Spencer told the stock market it had a cyber incident. By the following weekend the contactless tills had failed, click-and-collect was off, and the company was racing the clock on a Scattered Spider intrusion that would eventually cost it around £300 million in lost profit and pull in the Co-op and Harrods over the following ten days. The Cyber Monitoring Centre later classified the cluster of attacks as a Category 2 event on its hurricane scale, with sector-wide damages estimated between £270 million and £440 million.

The one-year mark is a useful checkpoint, because the public retelling has now had time to settle into something more truthful than the early breach reporting. The attackers did not exploit some exotic zero-day. They did not slip past M&S's perimeter using a clever piece of malware. They picked up a phone, convinced an outsourced IT service desk that they were a senior employee, got a password reset, and used the credentials of two staff at a third-party IT supplier to walk into the network. From there it was Active Directory and ransomware on the way out.

That story matters for ReadyToday's audience - schools, charities and smaller businesses - even though none of you operate at M&S's scale. The mechanics are not exotic, the controls that would have stopped them are not exotic, and the same gaps exist in almost every organisation we look at. The only thing keeping smaller orgs out of the headlines is that they are less interesting to chase down for a £30 million ransom. They are not less reachable.

What the attackers actually did

The publicly reported facts are now reasonably clear. Scattered Spider - a young, English-speaking, social-engineering-first crew - identified a route into M&S that ran through Tata Consultancy Services, a long-standing IT supplier. They impersonated employees on calls to the IT helpdesk and got password resets on accounts they should not have been able to touch. With those credentials in hand they pivoted into M&S's domain, escalated, deployed ransomware, and exfiltrated customer data including names, contact details, dates of birth and order history. M&S quietly ended its service-desk contract with TCS later in the year. Both parties say the timing was coincidental.

Ten days after M&S, the Co-op confirmed an attack of its own that ultimately affected around 6.5 million members. Harrods was hit twice during the same window, the second time through one of its third-party vendors, with about 430,000 customer records exposed. The same playbook, the same kind of supplier-shaped front door.

Why this is a small-organisation problem too

It is tempting to read the M&S story as a big-retail problem. It is not. The four ingredients that made the attack succeed are present in almost every smaller organisation we audit:

  1. A help desk - in-house or outsourced - that can reset credentials on the basis of a phone call, with verification questions a determined attacker can answer in five minutes from LinkedIn and a payslip leak.
  2. A supplier list nobody can produce in full, where at least one supplier has standing privileged access to email, file storage, or identity systems.
  3. An Active Directory or Entra ID estate where a single compromised admin account can be turned into domain dominance in an afternoon.
  4. A business-continuity plan that assumes the systems will be back tomorrow, rather than a plan that assumes they will not.

The 2025/2026 Cyber Security Breaches Survey we wrote about earlier this week shows just how thin the supplier-side defences are: only about 15% of UK businesses formally review the cyber posture of their immediate suppliers, and just 6% review the wider chain. For micro businesses the immediate-supplier figure is around 11%. M&S spent the year showing what happens when one of those suppliers is the way in.

Schools, councils and NHS bodies have a particular reason to pay attention. The Government's signalled ban on public-sector ransomware payments is on track to land before the end of 2026. When it does, the option to pay your way back online stops existing. Recovery has to actually work, and recovery in the M&S case took weeks, not days, even with deep pockets and outside help on retainer.

The five things to change in the next ninety days

This is the action list we would give a school IT lead, a charity head of operations, or an SMB owner asking the M&S question - "could that happen here, and what would I do differently?". None of these are exotic. All of them are cheap.

1. Lock down the helpdesk reset path. Decide, in writing, what proof a service desk needs before it resets a privileged credential or removes an MFA factor. A callback to a known number, an in-person verification, a manager attestation - pick the controls that fit the org. The point is that "I sound senior on the phone" is not on the list. If your helpdesk is outsourced, that policy needs to be in the contract, not in the supplier's standard runbook.

2. Produce the supplier list. Sit down for an hour and write out every external party that holds an account in your environment - MSPs, payroll, CRM, finance, the photocopier vendor, the trip-booking platform, the parent communication tool. Mark the ones with privileged access. The exercise alone usually surfaces three or four accounts nobody remembered. Once you have the list, ask each privileged supplier two questions: how do they verify a password reset request from someone claiming to be your staff, and what would they do in the first hour of a confirmed compromise on their side.

3. Treat Active Directory or Entra ID as a crown jewel. That means tiered admin accounts, no day-to-day browsing or email from privileged sessions, MFA on every admin path, monitoring on Domain Admin and Global Admin group changes, and an actual recovery plan for the directory itself. If your domain controller backups have not been restored in a tabletop in the last twelve months, they may as well not exist.

4. Tabletop the offline scenario. Pick an afternoon. Pretend the email, the file shares, the finance system and the identity provider are all gone for a week. How do you pay people, take payments, run the school day, talk to parents, communicate with each other? The lesson the retail sector pulled out of the M&S incident - "make sure you can run on pen and paper" - is exactly the right test. Most organisations fail it the first time and fix the worst gaps cheaply.

5. Map your obligations against Cyber Essentials v3.3 'Danzell'. The April 2026 changes - the first auto-fail questions in the scheme's history - explicitly tighten the screws on supplier accounts, default credentials and unsupported software. If you hold or are working towards Cyber Essentials, going through your supplier list against the new question set is a one-day exercise that doubles as part of your renewal prep.
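The monitoring control in step 3 (alerting on changes to Domain Admin and Global Admin membership) is the one of the five that is easiest to automate, so here is an added example, not code from ReadyToday or the original post, that flags additions to Tier-0 groups and roles. It runs over constructed sample records: the AD side uses the Windows Security event IDs 4728/4732/4756 and their SubjectUserName/MemberName/TargetUserName fields, while the Entra ID side is a simplified, hypothetical flattening of the audit log's "Add member to role" record into plain strings.

```python
"""Flag additions to Tier-0 AD groups and Entra ID roles from audit records."""
from dataclasses import dataclass
from typing import List, Optional

# Windows Security event IDs for "member added to a security-enabled group"
AD_GROUP_ADD_EVENTS = {4728, 4732, 4756}
# Groups and directory roles treated as Tier 0 (crown jewel) in this example
TIER0_GROUPS = {"domain admins", "enterprise admins", "administrators"}
TIER0_ROLES = {"global administrator", "privileged role administrator"}

@dataclass
class Alert:
    source: str   # "AD" or "Entra"
    actor: str    # who made the change
    member: str   # who was added
    target: str   # group or role they were added to

def check_ad_event(event: dict) -> Optional[Alert]:
    """Alert when a Windows Security event adds a member to a Tier-0 group."""
    if event.get("EventID") not in AD_GROUP_ADD_EVENTS:
        return None  # logons, removals etc. are not in scope for this check
    if event.get("TargetUserName", "").lower() not in TIER0_GROUPS:
        return None
    return Alert("AD", event["SubjectUserName"], event["MemberName"], event["TargetUserName"])

def check_entra_event(event: dict) -> Optional[Alert]:
    """Alert when a (simplified, hypothetical) Entra ID audit record adds a Tier-0 role."""
    if event.get("activityDisplayName") != "Add member to role":
        return None
    if event.get("role", "").lower() not in TIER0_ROLES:
        return None
    return Alert("Entra", event["initiatedBy"], event["target"], event["role"])

def scan(ad_events: List[dict], entra_events: List[dict]) -> List[Alert]:
    """Run both checks and return every Tier-0 membership addition found."""
    alerts = [a for e in ad_events if (a := check_ad_event(e))]
    alerts += [a for e in entra_events if (a := check_entra_event(e))]
    return alerts

# Constructed sample records, not real logs: a supplier helpdesk account adding a
# contractor to Domain Admins, a routine staff-group add, and a group removal (4729).
SAMPLE_AD = [
    {"EventID": 4728, "SubjectUserName": "svc-msp-helpdesk", "MemberName": "CN=contractor1,OU=Suppliers,DC=school,DC=local", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "SubjectUserName": "it-admin", "MemberName": "CN=newteacher,OU=Staff,DC=school,DC=local", "TargetUserName": "Staff"},
    {"EventID": 4729, "SubjectUserName": "it-admin", "MemberName": "CN=leaver,OU=Staff,DC=school,DC=local", "TargetUserName": "Domain Admins"},
]
SAMPLE_ENTRA = [
    {"activityDisplayName": "Add member to role", "initiatedBy": "support@msp.example", "target": "helpdesk2@school.example", "role": "Global Administrator"},
    {"activityDisplayName": "Add member to role", "initiatedBy": "it-admin@school.example", "target": "finance@school.example", "role": "Reports Reader"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_AD, SAMPLE_ENTRA):
        print(f"[{a.source}] {a.actor} added {a.member} to {a.target}")
```

In production the same two checks would be fed from a SIEM or the Entra audit log export rather than inline dicts, and each alert should be reconciled against an approved change record.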

What this looks like done well

A school we worked with last year ran exactly this exercise after the news from M&S broke. Within a fortnight they had a written helpdesk verification policy, a deduplicated supplier list with three privileged accounts retired, and a tabletop run with the senior leadership team that surfaced two missing recovery procedures. None of it cost more than a few days of staff time. None of it would prevent every attack. All of it would have made a Scattered-Spider-style intrusion materially harder, and the recovery materially faster.

The honest summary is this: the M&S story is not really a story about M&S. It is a story about how cheap it is to walk into a modern enterprise through the human side of an outsourced service desk, and how expensive the bill is on the way out. A year on, the question for every UK organisation that uses suppliers - which is all of them - is whether the four ingredients above are still sitting on the shelf.

If you would like a hand running the supplier review or the offline tabletop, our cybersecurity resilience service is built around exactly this kind of work, and a discovery call is the fastest way to start.

© 2026 Didov Limited trading as ReadyToday·UK-based · Privacy-aware by default