Marks & Spencer’s Cyber Crisis: 12 Lessons on Cybersecurity and Cyber Insurance

Anatomy of a Cyberattack

On July 8, 2025, Marks & Spencer Chairman Archie Norman appeared before the UK Parliament’s Business and Trade Sub-Committee. The hearing focused on the April cyberattack that shook the British retail giant. Norman, joined by General Counsel Nick Folland and Corporate Affairs Director Victoria McKenzie-Gould, delivered a sobering account of the breach, its fallout, and the systemic challenges of cyber risk in modern business. We reviewed the full testimony. Here are 12 key quotes from Chairman Archie Norman, with takeaways that help make sense of the M&S attack, its human toll, the business vulnerabilities it exposed, and the critical roles of cyber insurance, incident response, and legacy systems.

1. Sophisticated Impersonation Signals New AI Threats

“It was sophisticated impersonation. They didn’t just rock up and say, ‘Would you change my password?’ They appeared as an individual, with their details.”

Norman avoided using the term “deepfake,” but the description hints at emerging threats powered by AI. His choice of the word “appeared” is what prompts this reading. Cybercriminals now mimic employee identities with disturbing accuracy, fooling security systems and personnel alike. Social engineering, once crude, is now calculated and high-tech.

2. Legacy Systems Make Compartmentalization Harder

“We have been around since 1884, so we do have legacy systems… That hybrid makes it harder to compartmentalise your system.”

Many organizations rely on interconnected systems, both old and new. That blend is itself a risk. If attackers breach one part of the estate, lateral movement becomes easier. Compartmentalization, a cybersecurity best practice, is hard to achieve when systems have been stitched together over decades.

3. The Attack’s Purpose: Ransom, Destruction, or Both?

“They are essentially trying to destroy your business… partly about ransom or extortion. It was like an out-of-body experience.”

The M&S breach went beyond a routine ransomware hit. Norman described it as psychological warfare. The attackers’ aim was not only financial gain but total business disruption, showing how modern cybercrime is personal, invasive, and relentless.

4. The Human Toll: Sleepless Nights and Stress

“It is not an overstatement to describe it as traumatic, and it has endured for some weeks.”

Cyberattacks aren’t just technical crises. They exhaust people as well as systems. Tech staff worked long nights. Store employees had to adapt to fallback systems and manual processes. The strain lasted weeks, illustrating the emotional cost of cyber incidents.

5. The Attackers: Elusive and Anonymous

“In fact, they never send you a letter signed, ‘Scattered Spider’… we did not even hear from the threat actor for approximately a week.”

Attribution remains a murky task. Even though the media connected the attack to groups such as Scattered Spider or DragonForce, M&S received no direct contact from the threat actor for roughly a week after the breach. This delay complicates response and reinforces the need for external expertise.

6. Incident Response: It’s All About the Rebuild

“Once you have experienced an attack… you are then in a multi-week process of systems rebuilding.”

Detection is just the start. Rebuilding is costly and slow. M&S spent months restoring internal systems and reestablishing online operations. Incident response doesn’t end with containment. It continues through the full restoration lifecycle.

7. Attack Surfaces: 50,000 Potential Entry Points

“We have 50,000 people working on our systems… the attacker… has only to be lucky once.”

The “perimeter” of a large company is always porous. Contractors, third parties, and remote employees each add exposure. Businesses must assume compromise and build layered defenses, not just walls.

8. Perimeter Breached? Probably Inevitable

“Can they get in? They probably can if they try hard enough.”

Norman acknowledged an uncomfortable truth. Defenses only slow down attackers. No system is entirely impenetrable. The best strategy is detection, containment, and recovery, not overconfidence in prevention.

9. Compartmentalization Fails in Interconnected Systems

“How easy is it to move laterally? That is inhibited by the interconnectedness of all our systems.”

M&S confirmed that outdated architecture worsened the attack’s impact. Lateral movement was possible due to system interdependencies. The takeaway: Zero-trust architecture and segmentation are critical upgrades.

10. The £300 Million Loss and Role of Insurance

“That is a gross estimate of loss of profit… before recoveries. Recoveries might include insurance—and we expect they will.”

The financial hit was huge. While insurance won’t recover everything, M&S factored it into their post-attack forecast. This highlights the growing reliance on cyber insurance as a financial backstop.

11. Cybersecurity Is Now a Board-Level Investment

“We trebled the number of people working on cyber-security… and doubled the amount of expenditure.”

Cyber risk is not confined to IT departments. It’s a strategic business issue. Cybersecurity roles are expanding, budgets are growing, and cross-departmental collaboration is essential, from the legal department to the board level.

12. Was It Enough? Probably Not. But Do It Anyway

“Do we wish we had spent more, done more? Of course we do… but that is not a reason for not doing it.”

Even with preparation, M&S admits it wasn’t enough. But that doesn’t mean preparation was wasted. Every investment in cybersecurity reduces harm, even if it can’t guarantee prevention.

13. Bonus Insight: Cyber Insurance as Lifeline

Nick Folland, General Counsel:

“I think I was probably about to turn myself into an advert for the insurance industry… I think it is very important that a plc knows that these policies are available and takes them out… We are in an almost daily dialogue with them.”

Folland’s testimony underscored how insurance supported M&S from day one. His advice: treat insurers like partners, not just claim recipients. The policy structure they chose, which absorbed early losses and insured catastrophic risk, proved vital.

Conclusion: A Case Study in Corporate Cyber Survival

The M&S testimony offers a masterclass in what a modern cyberattack looks like from the inside. Its themes, including sophisticated impersonation, human toll, legacy systems, lateral movement, and financial exposure, are not unique. They are warnings for every business.

Cyber insurance, incident response, architectural modernization, and leadership awareness are no longer optional. They are pillars of survival in a digital threat landscape.
