Could Vulnerability Management Have Prevented the M&S Breach?


When Marks & Spencer fell victim to a devastating cyber-attack in April 2025, the question on everyone’s lips was “How could this have happened?” Six months later, attentions have turned instead to dissecting what – if anything – could have prevented the £300 million disaster.

The high-profile breach, linked to the notorious Scattered Spider group, is the perfect example to help expand on some of the points we raised in our last blog on vulnerability management (which you can read here).

Here’s how M&S’s preparations likely impacted the attack, and what lessons small to medium-sized businesses can learn about avoiding a similar incident in their own organisation.

What Exactly Happened to M&S?

The M&S breach wasn’t your typical smash-and-grab cyber-attack. The retailer’s network was initially breached in a “sophisticated impersonation attack” that ultimately led to a ransomware attack.

It all started in February with a social engineering campaign targeting M&S’s third-party IT service provider, Tata Consultancy Services (TCS). The threat actors impersonated one of the 50,000 people working with the company in order to trick the third party into resetting an employee’s password.

This wasn’t a simple phone call – investigators described it as a sophisticated operation that convinced well-trained helpdesk staff to reset administrator-level credentials.

We won’t bore you with the details of what the attackers did once inside the network. What you need to know is that they managed to obtain the passwords needed to infiltrate M&S’s Windows domain, entirely without detection.

The final blow came in April when the attackers deployed DragonForce ransomware on M&S’s virtual machines, encrypting their critical systems and bringing operations to a standstill.

How Vulnerability Management Could Have Helped

Effective vulnerability management might have significantly reduced the chances of this attack succeeding through several key areas:

Third-Party Risk Assessment

One of the fundamental principles of cyber security is understanding your supply chain vulnerabilities. M&S’s breach highlights how attackers increasingly target the weakest link rather than the strongest. A robust vulnerability management program would have included regular assessments of TCS’s security posture, identifying weaknesses in their helpdesk procedures and authentication controls.

For SMB cyber security, this lesson is particularly relevant. Small and medium businesses often lack the resources for comprehensive vendor assessments, but even basic due diligence can identify glaring vulnerabilities in third-party systems.

Privileged Access Management

The attackers’ ability to escalate from a helpdesk reset to domain administrator privileges reveals critical gaps in access controls. Proper vulnerability management for SMBs should include regular reviews of who has administrative access and under what circumstances those privileges can be modified.

M&S’s case demonstrates the danger of allowing external service providers to reset high-privilege accounts without additional verification steps. A vulnerability management framework would have flagged these excessive permissions as high-risk items requiring immediate remediation.

Network Segmentation and Monitoring

The long dwell time – months between initial compromise and the ransomware deployment – suggests insufficient network monitoring and segmentation.

Best-practice vulnerability management includes not just patching known flaws but also implementing detection capabilities to spot behaviours that are technically legitimate but behaviourally suspicious. For example, while VP Matthew might have the necessary permissions to access confidential client banking information, “him” doing so at 3am on a Sunday morning should raise alarms.

Advanced threat detection, a core component of modern cyber security strategies, could have identified the unusual patterns as attackers moved through M&S’s network and accessed sensitive files.
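The two behavioural checks described above (a third-party helpdesk resetting an admin-tier credential, and an authorised user touching confidential data at 3am on a Sunday) can be expressed as simple rules over an access log. The following is an added illustration, not code from M&S, TCS or the investigation; the log format, account names and tiers are constructed for the example, and the rule thresholds are assumptions a real deployment would tune.

```python
import re
from datetime import datetime

# Constructed sample events (not from the M&S investigation): timestamp, actor, action, target, tier.
EVENTS = [
    "2025-02-10T09:14:00 actor=helpdesk.tcs action=password_reset target=jsmith tier=standard",
    "2025-02-11T16:40:00 actor=helpdesk.tcs action=password_reset target=domadmin01 tier=admin",
    "2025-03-02T03:05:00 actor=vp.matthew action=file_access target=clients/banking.xlsx tier=confidential",
    "2025-03-03T10:30:00 actor=vp.matthew action=file_access target=clients/banking.xlsx tier=confidential",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) target=(?P<target>\S+) tier=(?P<tier>\S+)$"
)

THIRD_PARTY_PREFIXES = ("helpdesk.tcs",)  # assumed naming convention for vendor helpdesk accounts
BUSINESS_HOURS = range(7, 20)             # assumed 07:00-19:59, Monday to Friday


def parse(line):
    """Parse one constructed log line into a dict; raise on anything that does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def is_out_of_hours(ts):
    # weekday(): Monday=0 ... Sunday=6, so 5 and 6 are the weekend
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect(lines):
    """Return (rule, actor, target) for events that are permitted by policy but suspicious by behaviour."""
    alerts = []
    for line in lines:
        e = parse(line)
        # Rule 1: a vendor helpdesk account resetting an admin-tier credential should need extra verification.
        if e["action"] == "password_reset" and e["tier"] == "admin" and e["actor"].startswith(THIRD_PARTY_PREFIXES):
            alerts.append(("third_party_admin_reset", e["actor"], e["target"]))
        # Rule 2: confidential data accessed outside business hours, even by a user who holds the permission.
        if e["action"] == "file_access" and e["tier"] == "confidential" and is_out_of_hours(e["ts"]):
            alerts.append(("out_of_hours_confidential_access", e["actor"], e["target"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The Monday-morning access to the same file raises nothing, which is the point: the rules key on context rather than on permissions alone.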

Why M&S Was Still Vulnerable Despite Their Resources

It’s important to acknowledge that M&S, as a major retailer with significant cyber security investments, likely had many protective measures in place. They’d even tripled their tech spending in the last three years, yet they still fell victim to this attack.

This reality highlights a crucial limitation of traditional vulnerability management: it primarily focuses on technical vulnerabilities while attackers increasingly exploit human and procedural weaknesses. The M&S breach succeeded not because of unpatched software or misconfigured firewalls, but through sophisticated social engineering that convinced legitimate personnel to provide access.

Lessons for SMB Vulnerability Management

The M&S breach offers several key insights on minimising vulnerabilities for SMBs:

Human Factors Are Critical

Technical vulnerability scanning must be combined with social engineering awareness training. The most sophisticated security tools won’t help if attackers can simply email your staff and ask them to send that next invoice to a “new” bank account.

Third-Party Risk Is First-Party Risk

Every vendor with system access represents a potential attack vector. SMBs should implement vendor security assessments as part of their vulnerability management program, even if those assessments are more limited than what large enterprises can afford.

Never underestimate the target on your back, nor what just a few proactive steps can do to reduce it.

Detection Matters as Much as Prevention

While preventing breaches is ideal, the M&S case shows that attackers can operate undetected for months. Your cyber security strategy should include monitoring capabilities to identify suspicious network activity and privilege escalation.

Recovery Planning Is Essential

Having clear processes in place before an incident ensures faster, more confident recovery.

Research shows that the quality of the recovery process is the most important factor in maintaining customer trust after a breach. So even when mitigating the risks can’t eliminate them completely, demonstrating your preparedness and your ability to swiftly restore services will help shield your reputation in the wake of a cyber-attack.

Our Verdict?

Ultimately, while vulnerability management might not have prevented the M&S breach entirely, it remains a critical foundation for cyber security resilience regardless of your business size.

The key is recognising that modern cyber security for SMBs must address human factors and supply chain risks, not just technical flaws.

In an era where attackers increasingly exploit trust relationships rather than software bugs, this broader perspective is the best way to ensure effective protection and recovery.

Want to speak to an expert about vulnerability management for your business? Get in touch today.