The recent cyber attack on M&S has prompted some profound soul-searching about brands’ vulnerability in a dangerous digital space. We canvassed industry leaders about what lessons can be learned.
In 2025, no brand, regardless of its heritage or customer loyalty, is immune to cyber threats. This April, we saw a very public example of that when Marks & Spencer—one of Britain’s most beloved high street retailers—fell victim to a series of cyberattacks.
This wasn’t just a shocking example of large-scale criminal activity. It was also a stark reminder of how quickly a brand’s reputation can be placed in jeopardy. Three weeks after the attack, the retailer continues to grapple with its aftermath, with online orders still suspended and customer data compromised.
So, what lessons does this offer to legacy brands navigating an increasingly treacherous digital landscape? We asked leaders from the creative industry for their thoughts.
What happened?
First, though, let’s remind ourselves what actually happened. The trouble began over the Easter weekend when M&S experienced difficulties with contactless payments and click-and-collect orders. By 23 April, CEO Stuart Machin confirmed the company was dealing with a cyber incident, and two days later, M&S suspended all orders through its website.
The attack has since been attributed to ‘Scattered Spider’, a splinter group of the hacking collective Lapsus$, which has previously targeted high-profile organisations, including Transport for London and MGM Resorts. The sophistication of the attack has left M&S struggling to restore normal operations even weeks later.
This Tuesday (13 May), the situation worsened when M&S revealed that personal customer data had been stolen in the breach. The compromised information could include telephone numbers, home addresses, dates of birth and online order histories. While the retailer emphasised that no usable payment details or account passwords were taken, the incident has raised serious concerns about identity fraud for its customers.
The financial impact has also been substantial, with analysis from Bank of America Global Research estimating that the retailer is losing approximately £43 million per week in sales. Moreover, M&S is reportedly preparing to make a cyber insurance claim that could total as much as £100 million.
How has it damaged the brand?
For a legacy retailer like M&S, though, the impact extends far beyond immediate losses. The sustained disruption has placed significant strain on customer loyalty and trust, two cornerstones of its long-established brand identity.

With an estimated 9.4 million active online customers affected, the scale of the reputational damage is immense. The company’s inability to process online orders for weeks has not only frustrated customers but also raised questions about its digital preparedness.
“This should act as a stark reminder for other brands of the importance of building brand resilience,” says Dave Mayer, senior partner for marketing and customer strategy at Lippincott. “While hacks are more frequent than ever, this sustained attack and suspension of online ordering has placed a significant strain on customer loyalty for the brand.”
The importance of brand equity in a crisis
At the same time, there is some good news for the retailer. “Our research tells us that M&S is a ‘comfort’ brand, a brand loved by its customers,” Dave points out. “And comfort brands are usually forgiven when things go wrong.”
Here’s where the importance of brand equity comes in. “For M&S, the ability to bounce back from crises like these hasn’t been built overnight,” Dave notes. “It comes from the consistent implementation of long-term brand-building techniques to boost affinity, trust and loyalty with their customers. Coupled with open and honest communication, M&S has charted these turbulent waters with success thus far.”
Sue Benson, founder and CEO of The Behaviours Agency, agrees that M&S appears to be weathering the storm better than many would expect. “The attack has undoubtedly caused disruption and impacted sales, but brand trust has remained remarkably stable,” she explains. “This resilience speaks to M&S’s legacy and long-standing reputation, which appear to have shielded it from long-term damage.
“From a behavioural science perspective, the principle of reciprocity is key: M&S’s history of delivering customer satisfaction is now being repaid with trust and loyalty. Lesser-known brands may not have been shown the same grace.”
Crisis management: communication as a key tool
That doesn’t mean, of course, that things aren’t extremely challenging for M&S right now. “In these moments, brand management must shift gears rapidly,” says Lewis Jones, managing partner at Coley Porter Bell. “Transparency becomes a brand’s most powerful tool. The design and delivery of information, rooted in the clear expression of a brand’s values, is vital.”
He stresses that the message itself and the way information is delivered are critical. “If a crisis hub is hard to find, visually inconsistent, the tone of voice is unsympathetic and off-brand, or updates are buried in poorly structured pages, the brand’s reliability erodes further. Strong brand design can bring order to chaos, signpost clarity, reinforce identity, offer reassurance in a moment of doubt, and maintain consumer confidence.”

In short, this is no time to innovate or start changing the brand’s story. As Charlotte Black, chief strategy officer at Saffron Brand Consultants, says: “What’s critical is returning to the original commitments brands have made to customers and delivering communications in that same style. A crisis is no time to deviate.”
So far, it seems that M&S has been following such advice, with CEO Stuart Machin personally communicating with customers about the breach. In his statement, he acknowledged that “unfortunately, some personal customer information has been taken” while reassuring customers that there was “no evidence that the information has been shared”.
The company has also taken proactive steps by emailing all website users, prompting customers to reset account passwords “for extra peace of mind,” and reporting the case to relevant authorities. This approach aligns with what Charlotte describes as “staying true to its distinctive brand voice, with a flexible tone that effectively matches the circumstance.”
Learning from past examples
Of course, M&S isn’t the first brand to fall victim to criminal actions, and there are valuable lessons to be drawn from previous incidents. Sue points to British Airways’ response to its 2018 data breach as an example of how to do things right. “Full-page apologies leaned on transparency and the honesty bias, reducing uncertainty and reinforcing sincerity,” she recalls. “BA also tackled loss aversion by reassuring customers and outlining preventive measures, something M&S would do well to follow.”
As M&S works to restore its systems and services, the focus will ultimately shift from crisis management to rebuilding customer confidence. Dave recommends that “beyond better cybersecurity, M&S will benefit from continuing its communication with its shoppers and working to rebuild the goodwill it’s just drawn down, with a thank-you to current and recently lapsed shoppers.”
Five key lessons
Here are five essential lessons for legacy brands facing similar crises.
1. Invest in brand resilience before crisis strikes: As Lewis puts it, “Trust isn’t built in a single moment. It’s the result of years of consistent investment in the brand and the development of well-managed brand systems across the entire business.”
2. Maintain authentic communication: Charlotte emphasises that brands must communicate in line with their established values and voice. “Defining and living up to brand values and having a clear voice with an adaptable tone is how brands weather these sorts of storms,” she reasons.
3. Deploy transparency as a strategic tool: Lewis highlights how the delivery of information in a crisis is critical: “This is where brand values, expression, and UX come into their own.” So, clear, accessible, and empathetic communication about what happened, what the company is doing about it, and how customers might be affected is essential.
4. Acknowledge the impact on customers: It’s crucial to recognise and address customer frustrations directly. Sue notes how “with online sales still paused after 17 days, customer frustration is rising. M&S must not rest on its laurels”.
5. Use crisis as a catalyst for improvement: Dave suggests that recovery should include not just fixing the immediate problem but strengthening the brand’s overall value proposition. For M&S, this means considering “new ways to not only be loved but also provide products and services that shoppers can’t get anywhere else”.
Conclusion
The M&S cyberattack serves as a powerful case study of how legacy brands can leverage their heritage and customer loyalty during times of crisis. While the incident has undoubtedly damaged the retailer financially and operationally, the brand’s deep reserves of trust have provided a cushion that many newer companies would not enjoy.
As Charlotte puts it: “This is when ‘brand’ becomes a real asset. If a business has the right foundational tools in place, it has the guidance it needs to navigate both good times and bad.” The lesson is clear: brand building is not just about driving sales during good times; it’s about creating resilience for the inevitable storms. The true test of a legacy brand is not whether it can avoid crises altogether but how effectively it can deploy its accumulated trust and goodwill when disaster strikes.
In a world where cyber threats continue to evolve in sophistication, this resilience is not merely advantageous; it’s essential. The M&S case demonstrates that while no brand is impervious to attack, those with strong foundations can emerge from even the most significant challenges with their core identity intact.