Marks & Spencer's Cyberattack Isn't An Exception - It's A Warning
TechRadar, Tuesday, July 22nd, 2025
Cyber attacks on retail are on the rise, and businesses are struggling to keep up
Marks & Spencer did the right thing by self-reporting its recent cybersecurity incident to the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC). That kind of transparency is essential, not just for managing reputational risk, but for limiting regulatory fallout.
Under UK GDPR, failing to protect personal data or report breaches promptly can lead to fines of up to 17.5 million UK pounds, or 4% of global turnover. And if M&S handles EU customer data, it may also come under the scope of the EU's NIS2 Directive, which can carry penalties of up to 10 million euros.