M&S cyberattack: Critical lessons for in-house legal teams

If you're leading a legal function in-house, the M&S cyber attack is another flashing red light on the dashboard.

A major UK brand. High public trust. A sophisticated social engineering attack. It’s a timely but tough reminder: cyber risk isn’t just an IT issue — it’s a business continuity and reputational issue. And legal is right at the heart of the response.

Here’s what in-house legal teams can learn from the incident — and why your function must be ready before, during, and after a cyber attack.

1. You need a seat at the table - before the breach hits

If your organisation’s security incident plan sits solely with IT or compliance, it’s time to get involved.

Legal must have visibility over:

  • Breach response playbooks, including communications and PR strategies
  • Notification protocols - when and how to report to the ICO, affected customers, and other stakeholders
  • Supplier contracts - do they support or hinder an effective breach response?

Don’t wait for a crisis to find out your role hasn't been defined.

2. Your weakest link might not be tech

Reports suggest the M&S incident was the result of a social engineering attack - hackers tricked IT staff into resetting access credentials. No sophisticated ransomware. No zero-day exploit. Just old-school manipulation.

For legal teams, this means:

  • Championing high-quality, regular training — not just annual box-ticking
  • Questioning identity verification protocols — especially around access resets
  • Factoring human error into risk registers and audits

3. DPIAs and breach logs must be airtight

After an attack, your documentation becomes your defence. The ICO, board, customers, and possibly the media will all want to know:

  • What data was held, why, and for how long
  • Whether risks were assessed properly (DPIAs, risk assessments, third-party reviews)
  • How and when the breach was discovered, and how you responded

If you're not regularly reviewing and refreshing this documentation, now is the time.

4. Contracts can make or break your response

Suppliers can either be the attack vector — or part of your solution. Your contracts must be fit for purpose.

Ensure they:

  • Include clear breach notification requirements with tight timeframes
  • Allow for audit rights and incident cooperation
  • Define responsibilities clearly — from investigation and reporting, to cost allocation and PR handling

And if you’re not already doing so, start auditing high-risk vendors regularly.

5. Reputation matters — and legal’s role is public

Cyber incidents are brand incidents. M&S has responded transparently and quickly — but the media spotlight has been intense.

Legal teams should work hand-in-hand with comms and exec leadership to:

  • Draft holding statements and FAQs in advance
  • Align messaging across customers, partners, regulators, and media
  • Coordinate internal and external communications to avoid mixed messages

You don’t want the comms team improvising under pressure.
