M&S had no plans for cyberattack, says company source

'Just a reactive response'


A company insider says M&S was totally unprepared for a cyberattack, without even continuity plans in place.

Marks & Spencer (M&S) continues to face intense scrutiny and internal disarray as it deals with the fallout of last month’s cyberattack, and a company insider has revealed that the retailer was entirely unprepared for the incident.

The cyberattack, now in its third week, has forced the suspension of online orders and recruitment processes, leaving both customers and staff in limbo.

The situation behind the scenes is far more bleak than the company has publicly acknowledged, according to a current M&S head office employee who spoke anonymously to Sky News.

"We didn't have any business continuity plan [for this], we didn't have a cyberattack plan," they told Sky News.

"In general, it's lots of stress. People have not been sleeping, people have spent their weekends working, people sleeping in the office – just reactive response."

The employee described an atmosphere of mounting stress and confusion in M&S's headquarters, where staff have been forced to work from personal devices due to fears their official equipment could be compromised.

"We're not even allowed to use our work devices, so we're having to use our personal devices, all sorts of things," they explained.

"It's just impossible to work because anything about the incident, we're not allowed to talk about on Teams, which is our usual way of chatting… so we have to use WhatsApp to talk to each other."

Adding to the tension is a deepening sense of confusion and doubt. Staff are unsure whether the hackers are still actively inside the M&S systems.

"It's possible, that's a possibility," they said.

"I don't know that, and it hasn't been said. But it's a possibility and you want to be careful."

The full extent of the damage remains unclear, but internal estimates suggest it could take "months" for services to return to normal. For now, the company is reportedly planning to restore systems gradually, prioritising essential services in stores and online.

M&S CEO Stuart Machin addressed customers in a statement on Friday, apologising for the disruption and promising that the company was "working day and night" to resolve the crisis.

An M&S spokesperson insisted that, contrary to what Sky News heard, the business has "robust business continuity plans and processes" in place, and that an experienced incident management team is leading the response.

However, the insider's account paints a different picture: one of ad-hoc decision-making and a lack of coordinated response.

M&S, which employs approximately 65,000 people across the UK, has seen over £650 million wiped from its stock market value since the attack.

The M&S attack comes amid a wider wave of cybercrime targeting UK retailers. In recent days, both Harrods and the Co-op Group have also confirmed breaches, prompting urgent calls from government officials for businesses to treat cybersecurity with the same seriousness as physical security.

In an internal email, Co-op staff were instructed to keep their cameras switched on during all remote work meetings and to meticulously verify the identities of all attendees.

Cabinet Office Minister Pat McFadden is expected to deliver a message at the CyberUK conference in Manchester this week.

"We've watched in real time the disruption these attacks have caused, including to working families going about their everyday lives," he will say.

"It serves as a powerful reminder that just as you would never leave your car or your house unlocked on your way to work, we have to treat our digital shop fronts the same way."