When the Website Goes Dark: Why ISO 27001 Matters After the M&S Cyberattack
- russell844
- 1 day ago
- 3 min read

In April-May 2025, UK retail giant Marks & Spencer experienced a significant cyber incident. On 25 April the business halted online orders after what it described as a “sophisticated” cyberattack.
The breach compromised some customer personal data including contact details and dates of birth, though M&S reported no payment details or passwords were taken.
The financial impact was substantial. Analysts estimated a profit hit of at least £30 million, with weekly losses around £15 million during the disruption.
In short: a high‑profile retailer, disrupted systems, customer trust shaken, brand value under pressure.
The Challenge: What Went Wrong
The attack reportedly began via a third‑party contractor or service provider, underscoring the risk of supply‑chain or vendor vulnerabilities.
Once systems were compromised, M&S had to suspend online ordering and apparently take its e‑commerce operations offline - indicating that business‑critical systems lacked sufficient segregation or resilience.
Data loss (though not payment data) indicates that authentication, access controls, and monitoring were insufficient to prevent the attacker from reaching sensitive data.
The disruption extended beyond just theft: the operational impact - inability to sell online, process click‑and‑collect, loss of reputation - shows how a cyber incident can cascade into business continuity and customer service failures.
How ISO 27001 Could Have Helped
ISO 27001 provides a risk‑based Information Security Management System (ISMS). In the context of M&S, here are areas where the standard would have helped:
1. Context of the Organization and Leadership (Clauses 4 and 5):
M&S would have formally defined its external and internal issues - including third‑party supplier risk, online ordering systems, and customer trust as strategic assets. Leadership commitment ensures that information security is not delegated to IT alone, but embedded at board level.
2. Risk Assessment & Treatment (Clause 6):
The breach illustrates a vendor/supply‑chain weakness. Under ISO 27001, M&S should have assessed the risks arising from third‑party access, identified their likelihood and impact, then selected appropriate controls (such as robust vendor access management, contractual security requirements, and regular audits of third parties). For example: restricting admin access to critical systems, requiring multi‑factor authentication for vendor access, and network segmentation so that a breach in one service does not cascade into others.
3. Controls and Operation (Clause 8):
Operational controls could include: strong access control, logging/monitoring of vendor activity, segmentation of e‑commerce and backend order systems, incident response plans, backup and continuity plans. In M&S’s case the inability to process online orders suggests that continuity and resilience plans may not have been fully tested or implemented.
4. Monitoring, Measurement, Analysis & Evaluation (Clause 9):
ISO 27001 demands monitoring of incidents, near‑misses, and metrics such as number of vendor access incidents, time to detect intrusions, time to respond. Regular audits and reviews would identify creeping weaknesses (e.g., slow patches, escalating vendor alerts) before large‑scale compromise.
5. Improvement (Clause 10):
When an incident or near‑miss occurs, the organisation must learn from it, fix root causes, and update controls. M&S could have used prior smaller incidents (if any) as triggers to tighten supplier access, update configuration, and verify resilience - reducing the chance of a major event.
What Could Have Been Different
Imagine if M&S had been operating under a mature ISO 27001 ISMS:
The third‑party vendor interface would have been tightly controlled with audit logs and periodic reviews.
Online ordering systems would be logically segmented from other internal systems, so that a breach in one area would not compromise the entire retail operation.
Incident detection systems would alert early to unusual vendor logins or access patterns, triggering immediate containment before large‑scale disruption.
The board would review security metrics monthly and escalate when vendor access incidents or near‑misses appeared.
The online operations continuity plan would kick in, meaning the retailer might have kept at least some e‑commerce operations running, reducing the size and duration of lost sales.
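The vendor‑access monitoring described above is easy to sketch in code. Here is an added example (not from the original post, and not M&S's or AAA's own tooling): constructed vendor login records are checked against a hypothetical per‑vendor access policy, and the gap between the first violation and the moment it was noticed gives the time‑to‑detect metric the Clause 9 review would track. The vendor account name, networks, systems and log lines are all made up.

```python
# Added example, not from the original post: a minimal vendor-access monitor of
# the kind described above. Vendor name, networks and log lines are constructed.
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical per-vendor access policy: approved source range, login window
# (local hours), and the systems in contractual scope.
VENDOR_POLICY = {
    "svc-facilities": {"net": ip_network("203.0.113.0/24"),
                       "hours": (8, 18), "systems": {"hvac-mgmt"}},
}

# Constructed sample log lines: timestamp, account, source IP, target system.
SAMPLE_LOG = [
    "2025-04-20T09:14:02 svc-facilities 203.0.113.17 hvac-mgmt",
    "2025-04-20T23:41:55 svc-facilities 198.51.100.9 hvac-mgmt",
    "2025-04-21T02:03:10 svc-facilities 198.51.100.9 ecom-orders-db",
]

def parse(line):
    ts, account, src, system = line.split()
    return datetime.fromisoformat(ts), account, ip_address(src), system

def check_login(ts, account, src, system):
    """Return the policy violations for one login; an empty list means clean."""
    policy = VENDOR_POLICY.get(account)
    if policy is None:
        return ["unknown vendor account"]
    reasons = []
    if src not in policy["net"]:
        reasons.append("source outside approved vendor network")
    start, end = policy["hours"]
    if not start <= ts.hour < end:
        reasons.append("login outside permitted hours")
    if system not in policy["systems"]:
        reasons.append("access to system outside contractual scope")
    return reasons

def review_log(lines, detected_at):
    """Flag violating logins and measure time-to-detect from the first one."""
    alerts = []
    for ts, account, src, system in map(parse, lines):
        reasons = check_login(ts, account, src, system)
        if reasons:
            alerts.append((ts, account, system, reasons))
    ttd = detected_at - alerts[0][0] if alerts else timedelta(0)
    return alerts, ttd

if __name__ == "__main__":
    alerts, ttd = review_log(SAMPLE_LOG, datetime(2025, 4, 21, 3, 0))
    print(len(alerts), "suspicious logins; time to detect:", ttd)
```

With the constructed data the second and third logins are flagged (wrong source network and out of hours, then an out‑of‑scope system as well), and a detection at 03:00 the next day gives a time‑to‑detect of 3h18m05s.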
Why It Matters to UK Businesses in 2025
According to the UK government’s Cyber Security Breaches Survey 2025, cyber‑incidents remain highly prevalent across UK businesses.
The National Cyber Security Centre (NCSC) reported more than 200 “highly significant” cyber‑attacks in the year to August 2025 - more than double the previous year.
For customer‑facing businesses like retail, data and operational disruption affect not just recovery costs but brand trust and competitive position.
ISO 27001 isn’t just for large firms - it provides a framework that any business (including those with third‑party vendor exposure) should adopt to structure their information security response.
If your organisation handles customer data, relies on online operations, or uses external vendors, ISO 27001 offers a blueprint to protect your business from what M&S experienced. The question isn’t whether you’ll be targeted - but when. Are your systems ready?
Don't wait any longer. Sign up to a Certification Audit with AAA and take the first step towards achieving ISO 27001 certification.