This week’s news that M&S suffered a major cyber attack, exposing data linked to thousands of current and former employees, has sent a chill through the UK retail sector. Though M&S itself was not directly breached, its data was compromised through a third-party payroll provider, Zellis, which fell victim to a known vulnerability in the MOVEit file transfer system. The breach has affected a number of major employers, but the public association with one of Britain’s most recognisable retailers has ensured widespread attention — and reputational risk.
The MOVEit vulnerability, disclosed in May 2023 and widely exploited by the Russia-linked Clop ransomware gang, has already compromised hundreds of organisations across sectors. Yet its latest reappearance raises pressing questions about enterprise preparedness, third-party risk management and the extent to which high-profile businesses can truly control the security of their extended digital footprint. With M&S joining a growing list of corporates dragged into supply chain breaches, the case underscores a stark reality: the modern attack surface is no longer confined to internal systems. It spans every connected vendor, cloud partner and digital tool in the enterprise stack.
In the M&S case, the data reportedly includes names, national insurance numbers and bank details — information that can easily be weaponised in phishing attacks or identity theft. While Zellis has confirmed the breach and promised mitigation, the reputational fallout has landed squarely on M&S, demonstrating how little insulation a brand has from the actions of its suppliers. For CISOs and enterprise leaders, this incident should be treated not as a curiosity, but as a case study in the shifting nature of organisational risk.
Too often, cybersecurity is seen as a technical silo that is exclusively the remit of IT or infosec teams. But in today’s business environment, cyber risk is business risk. A compromised payroll system doesn’t just threaten employee data; it undermines trust in a brand’s operations, exposes it to regulatory scrutiny, and creates friction across the organisation. With data protection rules tightening and consumer awareness growing, reactive statements and generic apologies no longer suffice.
To address this new landscape, enterprises must elevate cyber resilience to the boardroom and embed it across every strategic decision. That means understanding not just the direct security posture of your own systems, but also how risk flows through partners, platforms and suppliers. Supply chain due diligence must become more than a procurement checkbox. It should include regular audits, contractual obligations around cybersecurity standards, and active monitoring of high-risk third-party services.
Equally, known vulnerabilities like MOVEit should be a prompt for rapid response, not a wait-and-see approach. The MOVEit flaw was disclosed nearly a year ago. If vendors or clients in your network are still exposed to it, that reflects a failure of coordination and urgency. Patch management, vulnerability scanning and breach response planning must be treated as live, evolving disciplines, not once-a-year exercises. And where sensitive data is concerned, the principles of least privilege and data minimisation should apply: storing only what’s necessary, limiting who and what can access it, encrypting data in transit and at rest, and minimising the potential blast radius if a breach does occur.
“Incidents like this remind us that cybersecurity is now a shared responsibility across the entire supply chain,” said Ciaran Martin, former head of the UK’s National Cyber Security Centre, when speaking with the BBC. “It’s not enough to protect your own systems — you must understand and influence the posture of those you depend on. That requires both technical integration and senior-level governance.”
Ultimately, the lesson from M&S is not that breaches are inevitable, but that responsibility doesn’t end at your firewall. In a hyper-connected digital ecosystem, security must be continuous, collaborative and proactive. High street brands, cloud-native start-ups, and multinational enterprises alike must recognise that their most valuable asset — trust — can be lost in a single third-party oversight. Rebuilding it is far harder.