Introduction
In April 2025, British retail giant Marks & Spencer (M&S) faced a significant cyberattack that disrupted its operations and highlighted vulnerabilities in third-party risk management. The breach, attributed to the hacking group Scattered Spider, exploited login credentials from employees of Tata Consultancy Services (TCS), a third-party IT services provider. This incident underscores the critical importance of robust vendor risk management strategies in today's interconnected business environment.
The attack led to the suspension of M&S's online services, affecting customer access and resulting in an estimated £300 million loss in profits. Despite M&S's substantial investments in cybersecurity, the breach occurred through social engineering tactics targeting a third-party contractor, emphasizing that an organization's security is only as strong as its weakest link.
This article delves into the specifics of the M&S breach, analyzes the systemic weaknesses it revealed, and provides strategic recommendations for enhancing vendor risk monitoring and AI-augmented third-party risk management. By examining this case, organizations can glean valuable insights to fortify their defenses against similar threats.
Incident Overview: What Happened at Marks & Spencer
In April 2025, Marks & Spencer (M&S) experienced a significant cyberattack that disrupted its operations and highlighted vulnerabilities in its third-party risk management. The breach was attributed to the hacking group Scattered Spider, which exploited login credentials from employees of Tata Consultancy Services (TCS), a third-party IT services provider. This social engineering attack allowed the hackers to bypass M&S's digital defenses and gain unauthorized access to its systems.
The cyberattack led to the suspension of M&S's online services, affecting customer access and resulting in an estimated £300 million loss in profits. Despite M&S's substantial investments in cybersecurity, the breach occurred through human error at a third-party contractor, emphasizing the importance of robust vendor risk management strategies.
In response to the attack, M&S halted online sales and anticipated full service restoration by July. The UK’s National Crime Agency is investigating the incident, and M&S has involved cybersecurity experts to assist in recovery efforts. The company emphasized the need for vigilance against increasingly sophisticated cyber threats and plans to expedite IT upgrades over the next six months.
Root Cause Analysis: Where the Risk Management Failed
The cyberattack on Marks & Spencer (M&S) in April 2025 exemplifies the cascading consequences of third-party failures in vendor risk management. While M&S had invested heavily in internal cybersecurity, attackers gained access through Tata Consultancy Services (TCS), a third-party IT services provider. This breach pathway underscores a growing vulnerability in modern enterprises—outsourced risk exposure.
The root cause was not a direct system vulnerability in M&S but rather an absence of layered defense controls within the third-party relationship. Attackers impersonated TCS employees, leveraging vishing techniques to trick M&S’s internal support staff into resetting passwords. This tactic bypassed conventional perimeter defenses and multifactor authentication protocols. It also revealed a significant oversight: the lack of verification logic in identity recovery workflows for vendor personnel.
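The missing control the paragraph above describes is a verification step in the help desk's identity recovery workflow for vendor accounts. The following is an added illustration of such a gate, not M&S's or TCS's procedure; the account registry, ticket numbers, phone numbers and the specific checks (registered-number callback, named vendor approver, internal sponsor for privileged accounts, repeat-reset escalation) are assumptions chosen for the example.

```python
"""Identity-recovery gate for vendor accounts (constructed example).

The rule it enforces: a password reset for a vendor account is never
completed on the strength of the inbound call alone. Every check below is
an assumed control, not a description of any real organisation's process.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed registry: what the help desk can verify a caller against.
# In practice this comes from the IAM system of record, not the caller.
VENDOR_ACCOUNTS = {
    "vnd.jsmith": {"vendor": "ExampleVendor", "callback": "+44-20-0000-0001",
                   "vendor_approver": "vnd.mlee", "privileged": True},
    "vnd.aturner": {"vendor": "ExampleVendor", "callback": "+44-20-0000-0002",
                    "vendor_approver": "vnd.mlee", "privileged": False},
}


@dataclass
class ResetRequest:
    account: str
    ticket: str
    requested_at: datetime
    # Evidence the help desk collected; everything defaults to "not done".
    callback_number_dialed: Optional[str] = None   # number the desk called back
    callback_confirmed: bool = False                # person answered and confirmed
    approvals: Dict[str, str] = field(default_factory=dict)  # approver -> ticket id


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]


def evaluate_reset(req: ResetRequest, recent_resets: Dict[str, datetime],
                   internal_sponsor_approved: bool = False) -> Decision:
    """Decide whether the help desk may reset the password, and why or why not.

    Denial reasons accumulate so an analyst sees every missing control at once
    rather than fixing them one call at a time.
    """
    reasons: List[str] = []
    acct = VENDOR_ACCOUNTS.get(req.account)
    if acct is None:
        return Decision(False, ["account is not a registered vendor account"])

    # 1. Out-of-band callback to the number on file, never a number the caller supplies.
    if req.callback_number_dialed != acct["callback"]:
        reasons.append("callback was not made to the registered number")
    elif not req.callback_confirmed:
        reasons.append("callback to registered number was not confirmed")

    # 2. A named approver on the vendor side confirms, referencing this ticket.
    approver = acct["vendor_approver"]
    if req.approvals.get(approver) != req.ticket:
        reasons.append(f"no approval from vendor approver {approver} on ticket {req.ticket}")

    # 3. Privileged accounts additionally need an internal sponsor's sign-off.
    if acct["privileged"] and not internal_sponsor_approved:
        reasons.append("privileged vendor account requires internal sponsor approval")

    # 4. A second reset inside 24 hours is a takeover signal; route to security.
    last = recent_resets.get(req.account)
    if last is not None and req.requested_at - last < timedelta(hours=24):
        reasons.append("account was already reset within the last 24 hours; escalate to security")

    return Decision(not reasons, reasons)


if __name__ == "__main__":
    now = datetime(2025, 4, 1, 9, 0)
    # Caller asks for a reset and offers their "new" mobile number: denied.
    rushed = ResetRequest("vnd.jsmith", "INC-1", now,
                          callback_number_dialed="+44-20-9999-9999", callback_confirmed=True)
    print(evaluate_reset(rushed, {}))
    # Same account with the full evidence chain: allowed.
    verified = ResetRequest("vnd.jsmith", "INC-2", now,
                            callback_number_dialed="+44-20-0000-0001", callback_confirmed=True,
                            approvals={"vnd.mlee": "INC-2"})
    print(evaluate_reset(verified, {}, internal_sponsor_approved=True))
```

The point of returning every failed check, rather than the first, is auditability: the ticket records which controls were skipped, which is exactly the evidence an incident reviewer needs after a vishing attempt.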
A further breakdown occurred in how M&S conducted vendor assessments. While due diligence may have been performed at onboarding, there is no indication that security posture reviews were ongoing. Continuous assurance—particularly for vendors with privileged access—was absent or inadequate. Organizations must move beyond static onboarding questionnaires to real-time assessments, as described in the Vendor Risk Assessment Guide.
Additionally, it’s likely M&S did not have a dedicated capability for live vendor monitoring. Had continuous telemetry been applied—such as AI-based behavioral analytics or endpoint detection—it’s possible early indicators of compromise could have been detected. This aligns with principles detailed in the Continuous Vendor Risk Monitoring Guide, which emphasizes active tracking of network behavior, credential use, and anomalous access events.
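One concrete form of the "anomalous access event" telemetry described above is a correlation between help-desk password resets and the logins that follow them. The detector below is an added example written for this article, not a product feature or anything taken from the M&S investigation; the log format, account names, IP addresses and the 90-minute window are all constructed for the illustration. It flags a successful login from an address the account has never used before when that login lands shortly after a help-desk reset.

```python
"""Post-reset anomalous access detector over constructed auth log lines.

Added example. The log format (ISO-8601 timestamp followed by key=value
fields), the accounts and the IPs are invented; the rule is deliberately
narrow: a successful login from an IP the account has never used, within
RESET_WINDOW of a help-desk password reset, is surfaced for an analyst.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RESET_WINDOW = timedelta(minutes=90)   # assumed window; tune to the help desk's SLA

# Constructed sample log. Lines are intentionally out of order to show that
# the detector sorts by timestamp before building per-account baselines.
SAMPLE_LOG = """\
2025-03-20T10:00:00Z event=login account=vnd.jsmith ip=198.51.100.5 result=success
2025-03-28T08:30:00Z event=login account=vnd.jsmith ip=198.51.100.5 result=success
2025-04-01T09:05:00Z event=helpdesk_reset account=vnd.jsmith agent=hd.pat ticket=INC-1
2025-04-01T09:12:00Z event=login account=vnd.jsmith ip=203.0.113.7 result=success
2025-04-01T11:40:00Z event=helpdesk_reset account=vnd.aturner agent=hd.pat ticket=INC-2
2025-04-01T11:50:00Z event=login account=vnd.aturner ip=198.51.100.9 result=success
2025-03-15T07:00:00Z event=login account=vnd.aturner ip=198.51.100.9 result=success
2025-04-01T12:00:00Z event=login account=vnd.jsmith ip=203.0.113.7 result=failure
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split '<ts> k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec


def detect_post_reset_logins(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per successful login that follows a help-desk reset
    within RESET_WINDOW and comes from an IP never seen for that account."""
    # ISO-8601 timestamps with a fixed 'Z' suffix sort correctly as strings.
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda r: r["ts"])
    known_ips = defaultdict(set)   # account -> IPs seen in earlier successful logins
    last_reset = {}                # account -> (reset time, ticket)
    alerts = []
    for r in events:
        t = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
        acct = r["account"]
        if r["event"] == "helpdesk_reset":
            last_reset[acct] = (t, r["ticket"])
            continue
        if r["event"] == "login" and r["result"] == "success":
            reset = last_reset.get(acct)
            if reset and t - reset[0] <= RESET_WINDOW and r["ip"] not in known_ips[acct]:
                alerts.append({"account": acct, "ip": r["ip"],
                               "ticket": reset[1], "at": r["ts"]})
            # Only successful logins extend the baseline; failures never do.
            known_ips[acct].add(r["ip"])
    return alerts


if __name__ == "__main__":
    for a in detect_post_reset_logins(SAMPLE_LOG):
        print(f"ALERT {a['at']} {a['account']} new IP {a['ip']} after reset ticket {a['ticket']}")
```

In the sample, vnd.aturner's post-reset login comes from an address already in that account's history and stays quiet, while vnd.jsmith's login from a never-seen address seven minutes after ticket INC-1 is raised. In a real deployment the baseline would be seeded from weeks of history and the alert enriched with the help-desk ticket so the reviewer can check whether the reset itself was properly verified.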
Moreover, the incident response plan (IRP) was reportedly reactive. Though executive-level tabletop exercises had been conducted within the past year, the response to the TCS-related breach revealed delayed containment, insufficient pre-established playbooks for third-party breaches, and uncoordinated communication between IT, legal, and external vendors. A well-designed IRP would have incorporated escalation paths and isolation protocols specific to vendor-originated threats.
Finally, this breach underscores the lack of integrated governance between internal and external risk functions. Too often, internal risk and vendor risk are managed in silos. The attacker’s success was due in part to that organizational fragmentation. As explained in Integrating Internal and Vendor Risk, aligning these disciplines ensures that vendors are treated not just as suppliers, but as extended parts of the enterprise threat surface.
The M&S breach offers more than a cautionary tale—it’s a directive. Organizations must rethink how vendor relationships are architected, monitored, and governed, especially when those vendors play strategic roles in service delivery, infrastructure, or IT administration.
The Third-Party Problem: Systemic Weakness in 2025
The Marks & Spencer breach was not an isolated event—it was a manifestation of a broader, systemic weakness that has taken root across the global supply chain. In 2025, organizations are more digitally connected than ever, yet most still lack a defensible strategy for managing risk across their third-party ecosystem. The M&S incident simply spotlighted what has already become a pattern: well-resourced attackers are targeting the weakest vendor link rather than confronting hardened enterprise security perimeters directly.
According to insights published in Vendor IT Risk Trends 2025, over 63% of breaches now originate from indirect sources—contractors, vendors, or partner systems that have implicit or explicit access to internal networks. The complexity of third-party relationships is also expanding, with organizations relying on hundreds (or thousands) of service providers, many of which are subcontracted or managed by other vendors, obscuring the true depth of the risk chain.
This fragmentation makes it incredibly difficult to establish end-to-end visibility. Even companies with mature GRC functions often lack centralized registries of all their third-party integrations, let alone real-time security telemetry from those sources. Attackers like the Scattered Spider group exploit these blind spots by identifying overlooked vendors with high access privileges and minimal scrutiny.
Another rising concern in 2025 is the proliferation of Shadow SaaS and unsanctioned vendor tools, often onboarded without security team awareness. The growth of low-code and self-service IT has made it easier for business units to procure services independently—creating invisible threat surfaces. The article Shadow SaaS Risk Management describes this well: traditional vendor onboarding processes can't keep pace with decentralized procurement habits.
Additionally, the accountability model for third-party breaches remains murky. When attacks stem from vendor systems, many organizations struggle with response coordination, contractual enforcement, or even determining whether the breach requires disclosure. This is exacerbated by inconsistencies in global regulatory regimes and a lack of standardized expectations around third-party cybersecurity posture.
As the Third-Party Breaches & Vendor Risk piece notes, 2025 has seen a marked increase in coordinated supply chain attacks that rely on vendor impersonation, token theft, and software update poisoning—all of which circumvent traditional perimeter defenses.
Addressing this systemic vulnerability requires more than technical tooling. It demands a cultural shift in how organizations perceive and govern external risk. Every vendor relationship must be treated as a potential intrusion path, and risk mitigation must extend beyond contracts to real-time observability, dynamic scoring, and strategic accountability across procurement, legal, security, and compliance.
What M&S Could Have Done Differently
The cyberattack on Marks & Spencer (M&S) in April 2025 exposed significant vulnerabilities in third-party risk management, despite the company's substantial investments in cybersecurity. The breach, attributed to the hacking group Scattered Spider, exploited login credentials from employees of Tata Consultancy Services (TCS), a third-party IT services provider. This incident underscores the critical importance of robust vendor risk management strategies.
One of the primary areas where M&S could have improved is in the implementation of comprehensive identity and access management (IAM) protocols. The attackers employed social engineering tactics to deceive IT workers into resetting passwords, allowing unauthorized access to M&S's systems. Implementing multi-factor authentication (MFA) and enforcing strong password policies could have mitigated this risk. Regular auditing of user access privileges is also essential to ensure that individuals only possess the necessary permissions for their specific roles, minimizing potential attack surfaces.
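The "regular auditing of user access privileges" recommended above can be expressed as a repeatable check rather than a manual review. The following is an added illustration for this article, not tooling from M&S or TCS: the roles, baseline entitlements, account snapshot and the 45-day dormancy threshold are invented. It compares each vendor account's granted entitlements against its role's baseline and flags excess, high-risk and dormant access.

```python
"""Vendor account entitlement audit (constructed example).

Added illustration. Roles, entitlements, accounts and dates are invented.
It answers two questions: does each vendor account hold only what its role
needs, and is the account still in use?
"""
from datetime import date, timedelta
from typing import Dict, List, Set

# Constructed role baselines: the maximum entitlements a role should carry.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "vendor_l1_support": {"ticketing:read", "ticketing:write"},
    "vendor_sysadmin": {"ticketing:read", "vpn:connect", "ad:reset_password"},
}
# Entitlement namespaces that make any excess a high-severity finding (assumed list).
HIGH_RISK_PREFIXES = ("ad:", "iam:", "backup:")

# Constructed snapshot as it might be exported from an IAM system.
ACCOUNTS = {
    "vnd.jsmith": {"role": "vendor_l1_support",
                   "entitlements": {"ticketing:read", "ticketing:write", "ad:reset_password"},
                   "last_login": date(2025, 3, 28)},
    "vnd.aturner": {"role": "vendor_sysadmin",
                    "entitlements": {"ticketing:read", "vpn:connect"},
                    "last_login": date(2025, 1, 10)},
    "vnd.old": {"role": "contractor_legacy",
                "entitlements": {"vpn:connect"},
                "last_login": date(2024, 11, 2)},
}


def audit_accounts(accounts: Dict[str, dict], baseline: Dict[str, Set[str]],
                   as_of: date, dormant_after: timedelta = timedelta(days=45)) -> List[dict]:
    """Return findings for entitlements outside the role baseline and for dormant accounts."""
    findings: List[dict] = []
    for name, a in sorted(accounts.items()):
        allowed = baseline.get(a["role"])
        if allowed is None:
            # A role with no baseline cannot justify any entitlement at all.
            findings.append({"account": name, "severity": "high",
                             "issue": f"role {a['role']} has no baseline"})
            allowed = set()
        for ent in sorted(a["entitlements"] - allowed):
            sev = "high" if ent.startswith(HIGH_RISK_PREFIXES) else "medium"
            findings.append({"account": name, "severity": sev,
                             "issue": f"entitlement {ent} exceeds role baseline"})
        if as_of - a["last_login"] > dormant_after:
            findings.append({"account": name, "severity": "medium",
                             "issue": f"dormant: no login since {a['last_login'].isoformat()}"})
    return findings


if __name__ == "__main__":
    for f in audit_accounts(ACCOUNTS, ROLE_BASELINE, date(2025, 4, 1)):
        print(f"[{f['severity']:6}] {f['account']}: {f['issue']}")
```

Run against the constructed snapshot, the audit reports the support account that has somehow acquired a directory password-reset right, the sysadmin account nobody has used for months, and a legacy contractor role that no baseline covers. Each of those is an item for the account owner to justify or remove before the next review cycle.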
Additionally, M&S's incident response plan (IRP) revealed shortcomings. Reports suggest that while the company had conducted executive-level drills within the past year, the actual response to the breach was hampered by insufficient planning and preparedness. Developing a well-designed IRP that incorporates escalation paths and isolation protocols specific to vendor-originated threats is crucial. This includes regular tabletop exercises to rehearse responses to evolving cyber threats, ensuring teams are confident and prepared to mitigate damage effectively.
Furthermore, the breach highlights the necessity for continuous vendor risk monitoring. While due diligence may have been performed at onboarding, there is no indication that security posture reviews were ongoing. Continuous assurance, particularly for vendors with privileged access, is vital. Organizations must move beyond static onboarding questionnaires to real-time assessments, leveraging AI-based tools and industry frameworks such as NIST and ISO/IEC 27036 for proactive vendor risk management.
The incident also emphasizes the need for integrating internal and vendor risk management strategies. Often, internal risk and vendor risk are managed in silos, leading to organizational fragmentation. Aligning these disciplines ensures that vendors are treated not just as suppliers, but as extended parts of the enterprise threat surface. This integrated approach enhances the organization's ability to detect and respond to threats originating from third-party relationships.
In conclusion, the M&S breach serves as a stark reminder that even with substantial internal cybersecurity measures, organizations remain vulnerable through their third-party relationships. By implementing robust IAM protocols, developing comprehensive IRPs, continuously monitoring vendor risks, and integrating internal and vendor risk management strategies, organizations can fortify their defenses against similar threats.
Tools, Frameworks, and Technologies to Strengthen TPRM
In the wake of the Marks & Spencer (M&S) cyberattack, it becomes imperative to examine the tools, frameworks, and technologies that can fortify Third-Party Risk Management (TPRM) practices. The breach, which exploited vulnerabilities in a third-party IT services provider, underscores the necessity for robust TPRM strategies that encompass continuous monitoring, risk assessment, and compliance management.
One of the foundational frameworks for TPRM is the NIST Cybersecurity Framework, which provides guidelines for identifying, assessing, and mitigating cybersecurity risks. This framework emphasizes the importance of understanding the organization's supply chain and implementing appropriate controls to manage third-party risks. Additionally, the ISO/IEC 27036 standard offers guidance on managing information security risks associated with supplier relationships, focusing on the protection of information within these partnerships.
Technological advancements have introduced a plethora of tools designed to enhance TPRM. Platforms like UpGuard offer comprehensive solutions for third-party risk assessment, providing continuous monitoring of vendors' security postures and facilitating real-time risk identification. These tools utilize automated assessments and security ratings to evaluate vendors across various risk categories, including network security, phishing susceptibility, and data privacy practices.
Artificial Intelligence (AI) and Machine Learning (ML) have become integral in modern TPRM solutions. AI-driven platforms can analyze vast amounts of data to detect anomalies and predict potential risks associated with third-party vendors. For instance, AI can be employed to automate the analysis of security questionnaires, identify patterns indicative of potential breaches, and provide predictive insights into vendors' future risk profiles. This proactive approach enables organizations to address vulnerabilities before they are exploited.
Furthermore, the integration of AI in TPRM extends to automating compliance checks and streamlining the due diligence process. By leveraging AI, organizations can efficiently assess vendors' adherence to regulatory requirements and internal policies, reducing the manual workload and enhancing accuracy. This technological integration ensures that third-party assessments are not only thorough but also timely, adapting to the dynamic nature of cybersecurity threats.
In addition to AI and ML, the adoption of blockchain technology presents opportunities for enhancing transparency and traceability in third-party engagements. Blockchain can be utilized to create immutable records of vendor assessments, contracts, and compliance certifications, thereby ensuring accountability and facilitating audits.
In conclusion, strengthening TPRM necessitates a multifaceted approach that combines established frameworks like NIST and ISO/IEC 27036 with cutting-edge technologies such as AI, ML, and blockchain. By adopting these tools and methodologies, organizations can proactively manage third-party risks, safeguard their operations, and uphold the trust of their stakeholders.
Global Regulatory Response to Third-Party Breaches
The proliferation of third-party data breaches has prompted a significant global regulatory response in 2025. Recognizing the systemic risks posed by interconnected digital ecosystems, regulators worldwide are implementing stringent measures to enhance cybersecurity resilience and accountability across supply chains.
In the European Union, the Digital Operational Resilience Act (DORA) came into effect in January 2025, mandating that financial entities and their critical third-party service providers ensure robust operational resilience against ICT-related disruptions. DORA requires comprehensive risk management frameworks, regular testing, and incident reporting within 24 hours, emphasizing the importance of third-party risk oversight.
Complementing DORA, the NIS2 Directive expands the scope of cybersecurity obligations to a broader range of sectors, including energy, transport, and healthcare. NIS2 enforces stricter supervisory measures, enhanced information sharing, and harmonized incident notification requirements across EU member states, thereby strengthening the collective cybersecurity posture.
In the United Kingdom, the proposed Cyber Security and Resilience Bill (CS&R) aims to update existing regulations by imposing mandatory compliance with established cybersecurity standards. The bill introduces compulsory ransomware reporting, mandates regular audits, and extends regulatory oversight to a wider array of organizations, including managed service providers and data center operators.
The United States has also intensified its regulatory framework. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) requires critical infrastructure entities to report significant cyber incidents within 72 hours. Additionally, the Securities and Exchange Commission (SEC) mandates timely disclosure of material cybersecurity incidents by public companies, holding executives accountable for failures in cybersecurity governance.
In Asia, China's Personal Information Protection Law (PIPL) has been bolstered by the introduction of compliance audit measures effective from May 2025. These measures necessitate both self-initiated and regulator-mandated audits, ensuring that personal information processors maintain stringent data protection standards and are subject to regular oversight.
Australia has enhanced its data breach notification laws, empowering the Office of the Australian Information Commissioner (OAIC) with stronger enforcement capabilities. Organizations are now required to notify the OAIC and affected individuals of eligible data breaches promptly, with increased penalties for non-compliance.
These regulatory developments underscore a global shift towards proactive cybersecurity governance. Organizations must now adopt comprehensive third-party risk management strategies, incorporating continuous monitoring, rigorous due diligence, and robust incident response plans. Failure to comply with these evolving regulations not only exposes organizations to legal penalties but also undermines stakeholder trust and operational integrity.
Strategic Recommendations for 2025 and Beyond
As organizations navigate the evolving landscape of third-party risk management (TPRM) in 2025, it is imperative to adopt strategic approaches that address emerging challenges and leverage technological advancements. The following recommendations aim to enhance TPRM frameworks, ensuring resilience and compliance in an increasingly interconnected digital ecosystem.
1. Prioritize Comprehensive Vendor Inventories: Establishing and maintaining an accurate inventory of all third-party relationships is foundational. This includes not only direct vendors but also fourth-party entities that may have access to sensitive data or systems. A thorough inventory enables organizations to assess and monitor risks effectively, ensuring that no external relationship is overlooked.
2. Implement Continuous Monitoring Mechanisms: Traditional point-in-time assessments are insufficient in the dynamic threat landscape. Organizations should adopt continuous monitoring solutions that provide real-time insights into vendors' security postures. Tools that offer automated alerts on changes in vendors' risk profiles can facilitate proactive risk mitigation strategies.
3. Leverage Artificial Intelligence and Machine Learning: Integrating AI and ML technologies into TPRM processes can enhance the efficiency and accuracy of risk assessments. These technologies can analyze vast datasets to identify patterns, predict potential vulnerabilities, and automate routine tasks, allowing risk management teams to focus on strategic decision-making.
4. Align with Global Regulatory Frameworks: Staying abreast of international regulations, such as the EU's Digital Operational Resilience Act (DORA) and the UK's Cyber Security and Resilience Bill, is crucial. Organizations should ensure that their TPRM practices align with these frameworks, incorporating requirements like timely incident reporting and robust operational resilience measures.
5. Foster Cross-Functional Collaboration: Effective TPRM necessitates collaboration across various departments, including IT, legal, procurement, and compliance. Establishing cross-functional teams can facilitate comprehensive risk assessments, streamline communication, and ensure that all aspects of third-party risks are addressed cohesively.
6. Develop Robust Incident Response Plans: Preparing for potential third-party breaches involves creating detailed incident response plans that outline roles, responsibilities, and procedures. Regularly testing these plans through simulations can help identify gaps and ensure readiness to respond swiftly and effectively to incidents.
7. Enhance Transparency and Communication with Vendors: Building strong relationships with vendors based on transparency can improve risk management outcomes. Encouraging open communication about security practices, incident histories, and compliance statuses allows for more accurate risk assessments and fosters mutual trust.
8. Invest in Training and Awareness Programs: Educating employees about the significance of TPRM and their roles in maintaining security is vital. Regular training sessions can raise awareness about potential risks, promote best practices, and empower staff to identify and report suspicious activities related to third-party interactions.
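Recommendations 1 and 2 above call for an inventory that covers fourth parties and for monitoring that flags stale assessments. The code below is an added example for this article, not a description of M&S's supplier base or any vendor product; the vendor names, the systems they reach, the subcontracting links and the review dates are all invented, as is the 365-day review age. It models the supplier ecosystem as a graph and answers two questions: which chains of vendors and subcontractors can reach a given internal system, and which entities on those chains have no current review.

```python
"""Vendor inventory with fourth-party exposure paths (constructed example).

Added illustration; all names, systems and dates are invented. The model is:
an entity reaches whatever it has been granted directly plus whatever the
vendor that engages it can reach, because a subcontractor works inside the
engaging vendor's access.
"""
from datetime import date, timedelta
from typing import Dict, List, Tuple, FrozenSet

# Constructed inventory: 'uses' lists the subcontractors (fourth parties) an
# entity relies on; 'access' lists internal systems it has been granted directly.
INVENTORY = {
    "HelpdeskCo": {"access": {"ticketing"}, "uses": ["OffshoreSupportLtd"],
                   "last_review": date(2025, 2, 1)},
    "OffshoreSupportLtd": {"access": set(), "uses": [], "last_review": None},
    "CloudOpsInc": {"access": {"ad", "vpn"}, "uses": ["BackupVault"],
                    "last_review": date(2024, 1, 15)},
    "BackupVault": {"access": {"backup"}, "uses": [], "last_review": date(2025, 3, 1)},
    "Caterer": {"access": set(), "uses": [], "last_review": date(2023, 1, 1)},
}


def _direct_vendors(inventory: Dict[str, dict]) -> List[str]:
    """Entities nobody else engages are the organisation's direct vendors."""
    engaged = {s for v in inventory.values() for s in v["uses"]}
    return sorted(n for n in inventory if n not in engaged)


def _chains(inventory: Dict[str, dict]) -> List[Tuple[List[str], FrozenSet[str]]]:
    """Every engagement chain from a direct vendor downwards, with the systems
    reachable at the end of that chain (inherited access included)."""
    out: List[Tuple[List[str], FrozenSet[str]]] = []

    def walk(chain: List[str], reach: FrozenSet[str]) -> None:
        node = chain[-1]
        reach = reach | frozenset(inventory[node]["access"])
        out.append((list(chain), reach))
        for sub in inventory[node]["uses"]:
            if sub not in chain:   # guard against cyclic subcontracting records
                walk(chain + [sub], reach)

    for vendor in _direct_vendors(inventory):
        walk([vendor], frozenset())
    return out


def exposure_paths(inventory: Dict[str, dict], system: str) -> List[List[str]]:
    """All vendor -> subcontractor chains whose end can reach `system`."""
    return [chain for chain, reach in _chains(inventory) if system in reach]


def stale_reviews(inventory: Dict[str, dict], as_of: date,
                  max_age: timedelta = timedelta(days=365)) -> List[str]:
    """Entities that can reach at least one internal system and whose last
    review is missing or older than `max_age`. Entities with no reach at all
    are ignored, so effort goes where the access is."""
    exposed = {n for chain, reach in _chains(inventory) if reach for n in chain}
    return sorted(n for n in exposed
                  if inventory[n]["last_review"] is None
                  or as_of - inventory[n]["last_review"] > max_age)


if __name__ == "__main__":
    for system in ("ad", "ticketing"):
        print(system, "reachable via:", exposure_paths(INVENTORY, system))
    print("overdue for review:", stale_reviews(INVENTORY, date(2025, 4, 1)))
```

The useful output is the second question: in the constructed data a fourth party with no review on file can reach the ticketing system through the help-desk vendor, and the vendor holding directory and VPN access has a review more than a year old, while the caterer with no system access is correctly left off the list. That is the prioritisation a continuous-monitoring programme needs before it can schedule reassessments.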
In conclusion, as third-party ecosystems become more complex, organizations must evolve their TPRM strategies to address new challenges proactively. By implementing these strategic recommendations, businesses can strengthen their defenses, ensure regulatory compliance, and build resilient partnerships that support long-term success.
Conclusion
The 2025 Marks & Spencer breach was not merely a technical failure—it was a strategic wake-up call for organizations worldwide. Despite significant cybersecurity investments, M&S fell victim to a breach through one of its trusted third-party providers. This incident exemplifies a broader vulnerability shared by many enterprises: overreliance on vendors without proportional oversight and continuous risk governance.
As explored throughout this article, the breach highlights systemic issues such as fragmented third-party oversight, static risk assessments, and underdeveloped incident response playbooks. The key takeaway is that traditional vendor management approaches are no longer sufficient in the face of modern threats, particularly those involving sophisticated social engineering or credential exploitation.
To prevent similar incidents, organizations must rethink and modernize their third-party risk management programs. This includes building real-time visibility across the vendor landscape, adopting AI-driven risk detection tools, and creating adaptive incident response frameworks tailored to third-party breach scenarios.
Moreover, regulatory pressure is mounting. Governments across the globe are tightening compliance requirements and introducing mandates that hold organizations directly accountable for their vendors' cybersecurity posture. Ignoring this regulatory shift is no longer an option—it’s a liability.
Third-party ecosystems will only continue to expand, as will the associated attack surface. As outlined in our article on Third-Party Breaches & Vendor Risk, the need for proactive, integrated, and intelligent risk management strategies is not just a best practice—it is now a baseline requirement.
In closing, the Marks & Spencer breach offers a roadmap for what must change. The organizations that will thrive in the future are not those that simply outsource services, but those that extend their governance to every entity within their digital supply chain. The message is clear: trust must be earned, continuously verified, and never assumed.