The recent ransomware attacks on M&S and other British retailers serve as a reminder – as if we needed one – of the ubiquitous nature of cyber crime, and the widespread disruption which it can cause to both businesses and individuals.
The BBC has reported that M&S began experiencing problems over the Easter weekend (the risk of cyber attack increases during public holidays) and that some of its operations, including online food ordering, remain offline some two weeks later.
The UK’s data regulator, the Information Commissioner’s Office, has confirmed that it is “making enquiries” with M&S, as well as the Co-op Group, which was also subject to recent attack. The ICO will be looking to establish whether the security measures employed by M&S and the Co-op were appropriate, or whether they contributed to the success of the attacks. If either entity is held to have breached its obligations under the UK GDPR, formal enforcement action may follow.
Following these incidents, the National Cyber Security Centre has published further recommendations for businesses on the steps they can take to improve their security position.
In addition to the impact on the companies targeted by the attack, individuals may also be affected where their personal data was exfiltrated by the attackers. As well as the loss of privacy, this can expose individuals to increased risk of identity theft or fraud.
These recent incidents reflect a number of the key themes and issues which we cover in our regular cyber blogs, which are available here:
-
Cyber Crime in the Trust Economy: Navigating an evolving threat landscape
-
Is a ban on payments to hackers the answer to the growing threat of ransomware?
-
Cyber security – Looking back on 2024 and what businesses can expect in 2025
-
Navigating cyber resilience: Key insights from our cyber conference
-
Boeing hacked by LockBit: Ransomware and the effect on supply chain
Burness Paull’s leading cyber security, data protection and group litigation experts have significant experience in managing cyber security risks, including ransomware attacks, and best practices. Our team are on hand to support you on your cyber resilience journey, from implementing protective measures to handling a full-scale incident. Please get in touch with any of our team to discuss your needs.
The team are also running their annual spring webinar series over the coming weeks, looking at current data governance issues. With a session on priorities of the ICO and navigating regulatory risk, it is a must attend for all organisations handling sensitive and personal data. Find out more about the series and register your place here.
Written by
Related News, Insights & Events

M&S ransomware attack – what can housebuilders learn?
The recent ransomware attacks on M&S and other British retailers serve as a reminder of the ubiquitous nature of cyber crime, and the widespread disruption it can cause to businesses and individuals.
![Liability And Limitation In Building Safety Disputes The Supreme Court Decision In URS V BDW [2025] UKSC 21](/media/bftbvg3s/liability-and-limitation-in-building-safety-disputes-the-supreme-court-decision-in-urs-v-bdw-2025-uksc-21.webp?width=352&height=200&v=1dbd1583be9d8f0)
Liability and limitation in building safety disputes: The Supreme Court decision in URS v BDW [2025] UKSC 21
In the landmark case of URS v BDW [2025] UKSC 21, the Supreme Court considered a number of significant issues for developers, design engineers and other construction parties.

Burness Paull promotes five lawyers to partner
01/04/2025
Burness Paull has promoted five of its lawyers to partner as the firm prepares for further growth in key areas and continues to invest in developing homegrown talent.