
UK Businesses Lag on Cybersecurity After £300 Million M&S Hack: NCSC
The head of the National Cyber Security Centre (NCSC) has warned that businesses are not doing 'nearly enough' to protect themselves from cyber threats, following a major cyberattack on retailer Marks & Spencer.
Richard Horne, chief executive of the NCSC, said there is a 'widening gap' between the rising threat of cyberattacks and organisations' readiness to defend against them.
Writing in The Times of London, Horne urged businesses to act immediately on the NCSC's publicly available security advice.
'This is effective risk management, and any business leader who thinks they may be exempt from cyber risks should think again — and implement our advice immediately,' he said.
The warning comes as Marks & Spencer confirmed that the expected cost of the cyberattack, which took place around the Easter weekend, is around £300 million.
The breach forced the retailer to suspend online orders and led to the loss of customer data.
Speaking to reporters on Wednesday, Marks & Spencer Chief Executive Stuart Machin said hackers had exploited a third-party vendor after a case of 'human error.'
'We didn't leave the door open, this wasn't anything to do with under-investment. Everyone is vulnerable. For us, we were unlucky on this particular day through some human error,' he said.
The high street retail giant said disruption to online shopping could continue into July, adding it is taking proactive measures to minimise the disruption for customers.
The attack is the latest in a wave of cyber incidents affecting major UK retailers. The Co-op and Harrods have also been targeted in recent weeks. The Co-op confirmed last week that it is now 'in the recovery phase' and gradually bringing systems back online.
Breaches Surge, Call Centres Vulnerable
Official figures reveal that half of all businesses and 66 percent of high-income charities reported experiencing a cybersecurity breach or attack in the past 12 months.
The rate is even higher among medium-sized businesses (70 percent) and large businesses (74 percent).
Daniel Teacher, CEO of accounting and finance IT security firm T-Tech, has noted that organisations with extensive customer service operations are especially susceptible to fraudulent phone calls.
This vulnerability arises because call handlers, trained to be helpful, can be manipulated by attackers using targeted tactics to reset multifactor authentication for impersonated individuals.
Teacher also stressed the need for managed security, where organisations can quickly spot and respond to breaches.
'With M&S, they were in the system for days before it was detected,' he said.
Cyber Essentials and Business Resilience
The NCSC has stressed that the cyberattacks on retailers 'should act as a wake-up call to all organisations.'
The NCSC is urging companies to adopt its Cyber Essentials programme, a government-backed certification scheme designed to help companies guard against common threats such as malware, phishing, and hacking.
The scheme is meant for any organisation regardless of size or sector, but the NCSC particularly recommends it to small- and medium-sized enterprises, many of which may lack in-house cyber expertise but remain vulnerable to attacks.
For medium and large organisations, the government has designed the
Lindsay Hill, CEO of Manchester-based cybersecurity firm Mitigo, said the code isn't a legal requirement yet, but the government may make it mandatory later if not enough businesses follow it.
Other measures to strengthen the UK's cyber defences will be laid out in the Cyber Security and Resilience Bill.
The bill, to be introduced in Parliament this year, aims to strengthen the nation's cyber defences by expanding current regulations and mandating more detailed reporting of incidents, including ransomware attacks.
This comes as
A recent report by the Public Accounts Committee said that government resilience is 'substantially lower than the Cabinet Office expected,' with departments having 'multiple fundamental control failures, including risk management and response planning.'
M&S Profits Rise Despite Breach
Marks & Spencer is still struggling with the impact of the cyberattack. The retailer expects increased stock management costs in the second quarter.
The retailer reported a stronger-than-expected performance for the year ending in March, posting an adjusted pre-tax profit of £875.5 million, up 22.2 percent on the previous year.
Group revenues rose by 6 percent to £13.8 billion, driven by an 8.7 percent increase in food sales and a 3.5 percent rise in fashion, home, and beauty sales.
PA Media contributed to this report.