The recent cyber attack on Marks & Spencer reportedly involving a third-party payroll provider, is a sobering reminder that no retailer is immune to today’s complex digital threats.
There’s a temptation to view this purely as an IT failure, but that’s missing the wider point.
In today’s climate, with increasingly sophisticated attacks and a complex web of third-party systems, the question isn’t if a breach will occur, it’s how well you respond when it does.
News that Thompsons Solicitors Scotland is pursing compensation claims against Marks & Spencer over the Easter weekend cyber attack exposed customers’ personal data shows just how vulnerable businesses are when sensitive information is compromised.
We’re now seeing a shift in public and legal expectations. Retailers must prove they took reasonable steps to prevent breaches and responded quickly. When customers or employees feel kept in the dark, reputational damage and claims follow.
What is at stake isn’t just data, it is trust, business continuity, and brand reputation. And with customer and employee data often managed through third-party platforms, managing supplier risks is now a critical part of staying cyber safe.
At Clarke Willmott, we’re working with retailers to put end-to-end incident response plans in place, from assessing the breach, reporting to the board and the Information Commissioner’s Office (ICO), to legally reviewing third-party contracts and drafting clear public messaging.
This isn’t about pointing fingers. Think of it like fire safety. You hope never to need your emergency plan, but when the alarm sounds, it’s too late to write one.