
The M&S Cyber Attack: Why It's Time to Take DMARC Seriously – For You and Your Partners

In a world where businesses are increasingly dependent on digital systems and external vendors, the recent cyber attack on Marks & Spencer couldn't have come at a worse time—or been a clearer warning. Over the Easter bank holiday, M&S—one of Britain's most trusted high street names—was hit by hackers who exploited weaknesses in a third-party supplier's systems. The result? Online shopping was brought to a standstill for over three weeks. Personal details of customers were exposed. And the financial hit? Over £40 million a week in lost revenue, according to reports.

5/21/2025

At Dmarclytics, we've always said that cybersecurity isn't just your responsibility—it's a shared one. This incident is a textbook case of why that matters.


What Actually Happened?

A hacking group calling itself "DragonForce" gained access to M&S systems via a supplier. It wasn't just a one-off, either. They went on to target Co-op, and even attempted a breach on Harrods.

The M&S fallout included:

  • A complete freeze on online orders
  • Customer data exposure – including names, dates of birth, contact numbers and previous order details
  • A knock to customer trust—which is much harder to rebuild than websites

It just goes to show: even if you've got decent internal protections, if a partner in your supply chain slips up, you're still exposed.


This Is Where DMARC Comes In

Email remains one of the most common entry points for cyber attackers. Often, criminals impersonate trusted brands or suppliers to trick people into handing over sensitive data. That's where DMARC comes into play. DMARC (Domain-based Message Authentication, Reporting & Conformance) is a simple yet powerful protocol that helps:

  1. Verify that emails are genuinely from you
  2. Stop spoofed or fraudulent messages from landing in inboxes
  3. Give you reports on who's trying to pretend to be you

Put simply, if your suppliers and partners have DMARC properly set up, the window for impersonation gets slammed shut.


Here are three key lessons:

  1. Don't just trust—verify: Vet your suppliers' security like you'd vet your own.
  2. Make DMARC a requirement: If they want to work with you, they should protect your customers too.
  3. Check in regularly: Tech moves fast. A supplier that was secure a year ago might not be today.

Think of it this way: even the strongest front door is useless if someone leaves the side gate wide open.
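One way to carry out the supplier check from lessons 2 and 3, shown as an added example that is not Dmarclytics' own code: it parses each supplier's DMARC TXT record (RFC 7489 tag syntax) and lists the gaps that leave the domain spoofable. The supplier domains and records are constructed, and the function names `parse_dmarc` and `audit` are illustrative.

```python
# Added example: audits supplier DMARC TXT records (RFC 7489 tag=value syntax).
# All domains and records below are constructed; in practice each TXT value
# would come from a DNS lookup of _dmarc.<supplier-domain>.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not valid DMARC."""
    pairs = [part.strip() for part in txt.split(";") if part.strip()]
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        return None  # v=DMARC1 must be the first tag
    tags = {}
    for pair in pairs:
        name, sep, value = pair.partition("=")
        if not sep:
            return None  # a tag without "=" makes the record malformed
        tags.setdefault(name.strip(), value.strip())
    return tags if "p" in tags else None  # simplification: p= treated as mandatory

def audit(txt):
    """Return a list of findings; an empty list means the policy is enforced."""
    if txt is None:
        return ["no DMARC record published"]
    tags = parse_dmarc(txt)
    if tags is None:
        return ["record is malformed or not a DMARC1 record"]
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("unknown policy value: " + policy)
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append("pct is not 100: policy covers only part of the mail")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains are not protected")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports are being collected")
    return findings

SUPPLIERS = {  # constructed sample data
    "logistics.example": "v=DMARC1; p=reject; rua=mailto:dmarc@logistics.example",
    "payroll.example": "v=DMARC1; p=none; rua=mailto:dmarc@payroll.example",
    "helpdesk.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "printing.example": None,  # no _dmarc TXT record at all
}

if __name__ == "__main__":
    for domain, txt in SUPPLIERS.items():
        print(domain, "->", "; ".join(audit(txt)) or "enforced")
```

Re-running the same audit on a schedule covers the "check in regularly" lesson, since a supplier can weaken or remove its record at any time.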


It's Not Just Tech – It's People Too

At Dmarclytics, we believe good security isn't just about clever software. It's about culture.

That means:

  • Training staff—your team and your suppliers—to spot dodgy emails
  • Having open, honest conversations with vendors about expectations
  • Making it everyone's responsibility, not just the IT department's

Because the truth is, when something goes wrong, customers don't care whose fault it was. They just know it was your name on the email.


Final Thoughts: Don't Wait Until It's Too Late

The M&S attack isn't just a headline—it's a warning. If it can happen to them, it can happen to anyone.

So here's what we recommend:

  • Get DMARC set up for your own domain
  • Speak to your vendors—are they protected too?
  • Start making security a conversation, not an afterthought


At Dmarclytics, we're here to help businesses take back control of their email security—before the worst happens. Let's turn this wake-up call into a plan of action. Book a free DMARC assessment and we'll help you spot the gaps—yours and your partners'.

Because in this game, prevention isn't just cheaper. It's everything.
