What the M&S Cyberattack Teaches Us About Crisis Communication

Marks and Spencer’s month-long cyber crisis is now less about systems and more about communication, and how it can make or break reputation. With media scrutiny high and brand trust wavering, this post explores why communication has become a critical risk.

Nothing but bad press

Over a month has passed since UK retailer Marks & Spencer disclosed it had suffered a serious cyberattack. Since then, the story has moved well beyond the technical breach – now widely attributed to the DragonForce ransomware group – into territory that directly threatens M&S’s brand trust and reputation.

⚠️
Update (25 May): This post now includes a postscript I've added reflecting recent reporting in the Financial Times and The Times, which offers additional perspective on customer sentiment and loyalty and investor confidence in M&S’s response to this crisis.

Despite a backdrop of rising customer frustration and media scrutiny, M&S’s public communication has largely been confined to sporadic app updates and help centre statements. One recent message, for example, acknowledged that “some personal customer data has been taken,” but quickly added that no payment details or passwords were involved and that “there is no need for customers to take any action.”

This kind of messaging, while factual, feels insufficient. It acknowledges risk but with little empathy or clarity. It’s communication by technicality, and in a reputational crisis, that’s not enough.

This post reframes the communication question in light of how the story has evolved and why what M&S says next matters more than ever.

Signals Are Being Missed

M&S has not been silent. But its communication lacks presence. Brief announcements about “IT issues.” Delayed confirmation of data loss. Isolated help page updates. All are technically accurate yet emotionally and strategically lacking.

The gap is not in words, but in tone, transparency, and frequency. Customers aren’t just asking for facts. They’re asking: “Do you see what this feels like for us?” So far, the answer seems to be: “We’re dealing with it. Please be patient.”

Message in the M&S app - this is as good as it got

Patience is fading. Competitors are capitalising. And media outlets are filling the void. The headline montage above tells its own story: reputational risk is no longer a side effect. It’s the story.

The Cost of Under-Communication

A month later, M&S has lost an estimated £60 million in profit and seen £1 billion wiped from its market value, and there's increasing talk that this crisis will cost M&S £300 million or more. The company faces a growing perception that it’s lost control of the narrative.

When Reuters quotes shoppers saying, “A big company like that should be on it by now,” the damage is no longer hypothetical.

To the outside world, the recovery appears slow, the leadership invisible, and the tone cautious to a fault. This erodes the very trust that saw M&S rated by YouGov as the UK’s most trusted brand last year.

Meanwhile, retail insiders suggest that what looked like a sound plan to quietly restore systems is becoming a liability. If M&S pivots now – to ransom, to new comms, to transparency – it risks appearing reactive. If it doesn’t, the erosion continues.

Communications That Lead, Even When You Can’t Say Everything

This situation is complex. No organisation can share everything in real time, nor should it. But good crisis communication isn’t about disclosing every technical detail. It’s about:

  • Showing intent.
  • Owning the uncertainty.
  • Speaking from the top, not just the help desk.
  • Acknowledging the human impact on customers and employees.

The M&S comms we’ve seen, like the password reset message, are focused solely on containment. That’s necessary. But what’s missing is connection.

Not lacking in technical detail but lacking in empathy

Where This Could Still Go

The coming weeks, if not days, will shape whether this episode becomes a reputational footnote or a case study in comms failure. Peak summer trading cycles could be at risk.

M&S doesn’t need to launch a PR campaign. But I can see how it would benefit from proactive public communication, such as:

  • A short video from its CEO addressing customers and staff. Don't talk about last year's financial results (good though they were); talk about what's ahead in the coming weeks – that's what's on people's minds.
  • A clearly signposted and regularly updated incident response page.
  • Recognition for employees holding the front line.
  • A short, honest statement about what’s next, even if it’s “We’re not yet sure, but we’re working hard and we’ll keep you posted.”

That’s not spin. That’s leadership. And it’s still an option.

M&S is a brand people do believe in, and still want to. That belief has been tested. It’s not too late to reinforce it, but that window is narrowing fast.

If you’ve been following this drama, I’d love to hear your thoughts in the comments. What should communication look like when systems (and leadership) falter, but trust and reputation are at stake?


Postscript 25 May 2025: Adding Context as the Story Evolves

Since publishing this post on 23 May, two articles – one in the Financial Times and another in The Times, both published on 24 May – have added valuable perspective to the broader picture.

The FT piece, based on in-store conversations and social sentiment, reveals that many M&S customers remain supportive. While frustrated by the disruption, they frame the cyberattack as an assault by “evil criminals” rather than a failure by M&S. That emotional loyalty – described as a “deep well of goodwill” – is a powerful asset, even in crisis.

Riffing on the brand tagline: "...This is an M&S cyber meltdown"

Meanwhile, The Times reports on M&S’s forward momentum, including plans to convert former Homebase sites into large-format food stores and create over 500 jobs. Some M&S investors, like Redwheel’s Ian Lance, praise the leadership’s deliberate decision not to rush recovery: “We will bring it back up when they are 100 per cent sure that the new system is safe.”

These perspectives matter. They don't negate the communication issues I’ve raised – in fact, they highlight how much opportunity M&S still has to turn the narrative. The loyalty is real. The brand equity is strong. But trust, once strained, needs care to restore.

How M&S bridges the gap between technical recovery and emotional reassurance will shape how this episode is ultimately remembered – as a stumble, or as a turning point.