The recent ransomware attacks on M&S and other British retailers serve as a reminder – as if we needed one – of the ubiquitous nature of cyber crime, and the widespread disruption it can cause to both businesses and individuals.

While retailers appear to be flavour of the month for attackers at the moment, no sector is immune to this risk. 

A recent UK Government survey revealed that, of those construction businesses taking part, 40% identified a cyber breach or attack in the last year. However, construction was one of lowest scoring sectors in terms of board-level accountability for cyber risk, with only 18% having a board member or trustee with responsibility for cyber security.   

The BBC reported that M&S began experiencing problems over the Easter weekend (the risk of cyber attack increases during public holidays) and that some of its operations, including online ordering, remained offline weeks later. This highlights the importance of having a robust incident response plan in place to minimise the serious financial implications of lengthy service outages.  

For housebuilders, this means thinking through how an attack could impact the whole design and construction process. Workarounds should be prepared in advance which would allow essential operations to continue in the midst of an attack. How will suppliers and contractors will be paid? How will sites be managed? How will third parties and customers be contacted? Knowing and testing these contingency measures in advance is essential to minimise the impact of an attack if it happens. It is also important to risk assess your supply chain to ensure that your key partners are doing the same.  

The UK’s data regulator, the Information Commissioner’s Office (ICO), has confirmed that it is “making enquiries” with M&S, as well as the Co-op Group which was also subject to recent attack. The ICO will be looking to establish whether the security measures employed by M&S and the Co-op were appropriate, or whether they were lacking and contributed to the success of the attacks. If either entity is held to have breached its obligations under the UK GDPR, formal enforcement action may follow.  

In addition to the impact on the companies targeted by the attack, individuals may also be affected where their personal data was exfiltrated by the attackers. As well as the loss of privacy, this can expose individuals to increased risk of identity theft or fraud. It can also expose the data controller companies to litigation risk, as individual data subjects can claim for material or non-material damage (including distress) caused as a result of a breach. 

Following these incidents, the National Cyber Security Centre has published further recommendations for businesses on the steps they can take to improve their security position.  

For more commentary and analysis on cyber risk, read our previous insights: 


Burness Paull’s leading cyber security, data protection and group litigation experts have significant experience in managing cyber security risks, including ransomware attacks. Our team are on hand to support you on your cyber resilience journey, from implementing protective measures to handling a full-scale incident. Please get in touch with any of our team or your usual Burness Paull contact to discuss your needs. 

Written by

Related News, Insights & Events

Data And The Digital Economy Conf

Data and the digital economy: Managing risk and making the most of opportunities

30/09/2025 - Edinburgh


Data is everywhere – and the ways in which we’re collecting, processing and utilising it are constantly evolving, while regulation and governance best practice struggles to keep up.

Read more
Lessons In Corporate Resiliance

The evolving nature of risk: Lessons in corporate resilience

27/08/2025

The concept of risk and reward is as old as time itself.

Read more
Data Protection Complaints Set To Surge Are You Prepared

Data protection complaints set to surge: Are you prepared?

26/08/2025

The recently enacted Data (Use and Access) Act 2025 introduces some important changes to existing UK data protection laws.

Read more

Want to hear more from us?

Subscribe here Subscribe here