Marks & Spencer axes tech contract following cyber attack

News | Oct 2025 | Retail Week

What: Marks & Spencer ended a tech partnership in response to a cyber breach that disrupted its operations and digital services.

Why it is important: The move highlights the critical risks associated with third-party technology partnerships in retail, reinforcing the importance of vendor oversight and contingency planning.

Marks & Spencer’s decision to end a technology partnership following a significant cyber attack illustrates the acute vulnerabilities facing retailers in today’s digital landscape. The breach not only disrupted online operations and digital services but also exposed the retailer’s dependence on external technology providers. This incident resulted in substantial operational setbacks and financial losses, underscoring the reputational and commercial risks that accompany data breaches. The retailer’s swift action to terminate the contract signals a broader industry trend toward reassessing technology partnerships and strengthening digital risk management. As retailers increasingly rely on integrated digital systems, the need for robust vendor oversight and agile contingency planning becomes paramount. The episode serves as a stark reminder that cybersecurity is no longer just an IT concern but a core business risk that can directly impact market value and consumer trust. Marks & Spencer’s response reflects a growing recognition within the sector that resilience and rapid recovery are essential in the face of escalating cyber threats.

IADS Notes: In April 2025, Marks & Spencer suffered a major cyber attack that led to a £700 million market value loss and operational disruption, emphasising the vulnerability of digital systems and third-party partnerships (Financial Times, April 2025). The Scattered Spider group’s attack disrupted daily digital sales and highlighted the sector’s reliance on external providers, with 41% of breaches linked to third-party vendors (Retail Week, May 2025). As M&S restored digital services in June 2025, the challenges of managing technology partnerships post-breach became evident (Retail Week, June 2025). Coordinated attacks on major retailers in early 2025 prompted a shift from prevention to rapid recovery, making cybersecurity a core business risk (Inside Retail, May 2025). By September 2025, agile vendor management and contingency planning had become essential for retail resilience (Inside Retail, September 2025).
