In April 2025, Marks & Spencer suffered a ransomware attack that shut down online operations for over three weeks and exposed the personal data of millions of customers. The attack was carried out through phishing emails — not a zero-day vulnerability or state-sponsored hacking tool. For Singapore retailers, that is the critical detail: the entry point was an untrained employee clicking a link. This post breaks down exactly what happened, draws the parallel to Singapore’s own threat landscape, and outlines the practical steps businesses can take now.
What Actually Happened to Marks & Spencer
The threat group Scattered Spider used a carefully sequenced, multi-stage attack that moved from an inbox to the entire M&S network in a matter of days.
1. Phishing emails as the entry point. Staff received emails designed to look like internal IT notices. The emails contained links to credential-harvesting sites built to mirror M&S’s login pages.
2. Credential theft. Employees who clicked through and entered their details handed Scattered Spider valid login credentials for M&S’s internal systems.
3. Lateral movement. With one set of credentials, the attackers moved sideways across the network — escalating privileges, mapping critical databases, and identifying targets for exfiltration.
4. Data exfiltration before encryption. Before deploying the ransomware payload, the attackers extracted customer data including names, addresses, and order histories. This is now standard practice for ransomware groups: steal first, encrypt second, threaten to publish if the ransom is not paid.
5. 21-plus days of downtime. M&S’s e-commerce operations and internal order management systems were disrupted for more than three weeks, resulting in lost revenue and sustained negative media coverage across the UK.
The core lesson is uncomfortable but clear: a sophisticated retailer with significant IT investment was compromised through a phishing email. Technology controls alone are not enough if the people operating those systems are not trained.
Why Singapore Retailers Cannot Afford to Dismiss This
The M&S attack happened in the UK, but the attack vector — phishing leading to ransomware — is the same one Singapore businesses face every day.
Singapore’s Cyber Security Agency (CSA) reported that cybercrime rose 50% in 2023, accounting for nearly one-third of all crimes reported nationally. Retailers and e-commerce operators are frequent targets because they handle large volumes of personal data, process payments, and often rely on third-party vendors with access to their systems.
A local example makes this concrete. In June 2024, popular bubble tea chain Chicha San Chen suffered a data breach through a shared server operated by an external vendor. Customer names, mobile numbers, email addresses and encrypted passwords were exposed and later appeared for sale on a hacker forum. The investigation pointed to inadequate vendor risk management and insufficient internal security protocols — not a sophisticated state actor, but a gap in basic controls.
Three risk factors make Singapore SMEs particularly exposed:
- Limited security budgets mean fewer dedicated IT security resources.
- Third-party dependencies — delivery platforms, payment gateways, CRM tools — extend the attack surface beyond what internal teams can easily monitor.
- Low levels of staff training leave the human layer largely unprotected, even when technical controls are strong.
The Human Element Is the Common Thread
Both the M&S breach and the Chicha San Chen breach started with a human factor — a click, a misconfigured vendor permission, a missing protocol. This is not unique to these cases. Industry data consistently shows the majority of security incidents involve a human action as the entry point.
Retail employees are especially exposed. They manage email constantly, handle customer data, process transactions, and often access sensitive systems from personal devices or shared terminals. Without training, even a well-intentioned employee is a liability.
Cybersecurity awareness training addresses this directly. It does not replace firewalls, endpoint protection or patching schedules — but it closes the gap those tools cannot reach. A staff member who recognises a credential-harvesting email and reports it is more valuable than any single piece of software.
What Effective Training Actually Looks Like
Not all training is equal. A one-off annual slide deck does not change behaviour. Effective programmes share several characteristics.
Role-specific content. Frontline retail staff, e-commerce managers, and finance teams face different threats. Training that speaks to their actual day-to-day work lands better than generic IT security content.
Phishing simulations. Controlled simulations — where staff receive realistic fake phishing emails and are coached on what they missed — build recognition skills that reading alone cannot. The goal is not to catch people out but to give them safe practice before a real attack.
Compliance grounding in PDPA. Singapore’s Personal Data Protection Act creates obligations for every business that handles personal data. Staff who understand what data they hold, why it matters, and what to do if something goes wrong reduce both breach risk and regulatory exposure.
Pre- and post-assessment. Measuring knowledge before and after training shows what worked and where gaps remain, allowing programmes to improve over time.
Clear incident reporting. Staff need a simple, blame-free way to report a suspected incident quickly. Speed of reporting is one of the most important variables in limiting damage.
CFCI’s corporate workshop, Cyber Safety: Empowering Employees in Digital Defence, is built around these principles — practical, scenario-based, and tailored to the Singapore context including PDPA obligations.
Recommended Actions for Business Leaders
If you are responsible for a retail, e-commerce or consumer-facing business in Singapore, these are the steps worth taking now:
- Audit your current training. When did your staff last complete cybersecurity awareness training? If the answer is “never” or “over a year ago”, that is your starting point.
- Run a phishing simulation. Find out where your team actually is before deciding what training they need.
- Review your third-party risk. List the vendors with access to your systems and data. Do they have their own security standards? Are those standards documented?
- Establish an incident reporting process. If something happens, who does a staff member tell, and how quickly? Make it easy and make it safe to report.
- Make training recurrent, not one-off. Security awareness erodes quickly. Quarterly touchpoints and annual full sessions sustain the habit.
The M&S breach is a useful case precisely because it is so ordinary in its mechanics. No exotic exploit was required — just a plausible email and an unprepared employee. Singapore businesses that treat training as a checkbox will keep facing the same risk.
For a deeper look at how to build a security-aware workforce, see our guide to corporate cybersecurity awareness training in Singapore.
Take the Next Step
If you would like to understand how prepared your team is — or explore what a structured cybersecurity awareness programme would look like for your organisation — CFCI runs a free information session where you can ask questions and see how our corporate training works in practice. There is no obligation and no pressure. Visit /courses/info-session to book a time that suits you.
Frequently Asked Questions
What type of attack hit Marks & Spencer in 2025?
Scattered Spider carried out a multi-stage attack combining phishing, credential harvesting and lateral movement before deploying ransomware. The initial entry point was a targeted phishing email sent to M&S staff, not a technical exploit in their software.
Are Singapore retailers at risk of similar ransomware attacks?
Yes. Cybercrime in Singapore rose 50% in 2023, and retail and e-commerce businesses face phishing, credential-stuffing and supply-chain attacks daily. SMEs are especially exposed due to limited security budgets and lower levels of staff training.
What is the most effective way to reduce human error in cybersecurity?
Regular, role-specific cybersecurity awareness training combined with phishing simulations is the most direct way to reduce human-error incidents. Training turns staff from a vulnerability into an active layer of defence.
How does PDPA affect Singapore retailers after a data breach?
Under the Personal Data Protection Act, organisations must notify the PDPC of breaches affecting 500 or more individuals and face financial penalties if they have failed to put reasonable security measures in place. Documented staff training is one of those reasonable measures.