M&S Cyber attack – a cautionary tale
15 July 2025
By Helen Briant
Welcome to the latest edition of Trowers Tech News.
This month, we turn our attention to the evolving cyber threat landscape and the growing urgency for organisations to strengthen their digital defences. From the increasing sophistication of ransomware attacks, now leveraging generative AI and triple extortion tactics, to the systemic risks posed by third-party vulnerabilities, the cyber risk outlook is more complex than ever.
We explore how businesses can build resilience through better risk prioritisation, incident response planning, and staff training. We also examine the UK government's proposed Cyber Security and Resilience Bill and its potential to reshape regulatory expectations, alongside the Home Office’s consultation on ransomware response frameworks.
Finally, we reflect on the high-profile cyber attack on M&S, a cautionary tale that underscores the reputational and operational fallout of cyber incidents, and the strategic lessons all organisations should take on board.
As always, we round up the latest legal tech developments, from AI regulation and fake citation scandals to landmark decisions on copyright and data use.
Top tech trends: The cyber risk outlook and strengthening organisational resilience
One of the key themes that has been emerging over the last few years, and which is continuing to develop at pace, is the prevalence of ransomware as a way of exploiting both technical and organisational vulnerabilities across a broad range of sectors. In addition to an increase in the number of attacks using ransomware, we are also seeing an increase in the sophistication and complexity of these attacks, whether targeting supply chains to increase the likely "hit rate" and potential number of victims, or using Generative AI and social engineering to make phishing emails (or voicemails, videos, text messages) seem more believable and real.
Ransomware attacks have been described by the NCSC as the "biggest development in cybercrime" in the last decade, and we see that the impact of these attacks can be debilitating to organisations, causing financial, operational and reputational damage, alongside the risk of litigation, regulatory investigations and fines, and an erosion of public trust.
Whilst law enforcement agencies globally have been able to take a few of the largest hacker groups and forums out of action, the evolution of ransomware "as a service" means that the barriers to entry have lowered: the ransomware code and everything else needed to make it an effective criminal enterprise can be bought off the shelf. Hackers are also increasingly targeting organisations' key risk areas for maximum impact. So, for example, logistics and manufacturing organisations will be targeted by taking systems off-line, immediately hitting productivity and the bottom line, whereas healthcare and professional services will likely see more data exfiltration as hackers focus on organisational sensitivities such as the risk to personal, sensitive and confidential data. In fact, triple extortion is now becoming more commonplace, where hackers use three different pressure points: first, encrypting data so the organisation cannot access it; second, exfiltrating the data and threatening to release it onto the dark web; and third, pressurising the organisation in another way, either through further attacks, blackmail, or personal pressure on C-suite executives.
With these developments in mind, and the use of ransomware continuing to evolve, cyber resilience must remain a key priority for boards and senior leadership teams across all sectors. Organisations should be taking a closer look at how their internal risk is managed and prioritised, and should have a clear understanding of their systems, people, key datasets and risk. Alongside technical information security risks, organisations should continue to look at the people element of cyber resilience, ensuring that their staff are well trained in what to look out for, where to report suspicions, and where and how key decisions are made. Regular Incident Response Plan testing, to bridge the gap between technology and people, policies and procedures, will be absolutely key. Awareness of the risks is certainly there, but action is sometimes trailing behind.
Joseph Hannify, Associate and Sanchita Agrawal, Associate
Recent high-profile attacks have demonstrated the catastrophic impact that cyber-attacks can have, and this has been coupled with increasing pressure on the UK government to update legislation and regulation to keep pace with the fast-paced changes to technology and the cyber-risk landscape which allow such attacks to succeed.
In an attempt to take swift action to address vulnerabilities and protect our digital economy, on 1 April 2025 the government laid out its plans for the Cyber Security and Resilience Bill, which intends to put the UK on a closer footing with the EU's NIS2, which has recently come into force. The detail of the Bill has yet to be published but is expected to:
In January 2025, the Home Office also opened a public consultation on a proposed framework for responding to ransomware attacks, following high-profile attacks on the NHS, the Guardian, and the British Library.
The three key proposals are:
The consultation ended on 8 April and the Home Office are currently reviewing the responses. However, it seems that these proposed measures have received mixed press during the consultation process, with questions over how practical it will be to police these proposals, and how effective they would be as tools for reducing criminal profits and enhancing cyber resilience. It remains to be seen if and how this proposal will progress. For more information on these proposals, please see our article – The Home Office considers ransomware legislative proposals.
What is clear is that the government is seeking to modernise the UK's cyber defence framework, increase its visibility of the current threat landscape, and create a more resilient digital infrastructure capable of withstanding evolving cyber threats.
In April, M&S was the latest high-profile company to be stung by a cyber incident, and the fact that it is still in the news highlights that cyber incidents do not just carry a financial implication, but enormous reputational consequences. For a company that had been doing so well to turn its fortunes around, it could not have come at a worse time. So why are we still talking about it months after it happened, and what are the key takeaways for onlooking businesses?
The attack on M&S was one of the most disruptive UK retail cyber incidents to date. The company lost nearly two months of online orders in its clothing and home division, which has resulted in £300 million of lost profits being reported. It has been reported that 150 GB of customer data has been stolen and, although most services have been restored, some areas are not expected to be fully operational until the Autumn. Given the disruption to customers, some of which is understood to be ongoing, M&S may find it difficult to restore customer confidence for a long time to come.
The High Court handed down a judgment outlining its intention to refer the issue to the relevant regulatory bodies. Although the court emphasises that the decision is 'not precedent', it highlights the need for further intervention from the SRA and the BSB.
AI Working Group set up by the Civil Justice Council following fake citation scandal.
The Convention intends to ensure that AI is consistent with human rights, democracy and the rule of law.
The claimants in personal injury disputes are accused of using data protection remedies to prevent further claims by their insurers.
Eminem suing Meta for copyright infringement for the alleged unauthorised distribution of his music on apps such as Facebook and Instagram.
The paper proposes to reform certain aspects to resolve issues around jurisdiction and recognition of foreign judgments.
The accusation is that Perplexity AI used BBC's contents and news stories to train its generative AI model.
The move further divides politicians from tech executives.
An interesting decision in the wake of the passing of the Data (Use and Access) Bill in the UK, as well as the recent, similar, US decision in Anthropic.
The copyright element was abandoned in closing submissions during the trial. The judgment is highly anticipated as a landmark decision in the area.
The tool will resemble the NHS 111 service and looks to assist individuals with questions on costs, amongst others.
The Bill remains open to criticism in its failure to properly address copyright issues, with the government stating a separate consultation will be carried out.