Introduction: When Global Brands Fall, Local Businesses Must Learn

In April 2025, Marks & Spencer (M&S), a respected British retail institution, experienced a major cyberattack that compromised customer data and halted digital operations. The attack, carried out by the ransomware group Scattered Spider, led to widespread disruption lasting over three weeks. This breach exposed customer names, addresses, and order histories—though financial information remained secure.

For businesses in Singapore’s thriving retail sector, this incident is a wake-up call. It shows how even well-established global companies with significant cybersecurity investments can be vulnerable. If it can happen to M&S, it can happen to anyone.

The Question Is: Are Your Employees Prepared To Defend Your Organisation Against Such Threats?

What Happened to M&S: A Detailed Breakdown

The M&S cyberattack was part of a broader trend of complex ransomware operations. In this case, the threat group Scattered Spider used advanced social engineering techniques to bypass M&S’s digital defences.

  • Initial Entry Point: Employees received targeted phishing emails disguised as internal IT notices. These emails contained malicious links leading to credential harvesting sites.
  • Credential Theft: Unsuspecting staff members entered their login details, which the attackers captured to gain access to M&S’s internal systems.
  • Lateral Movement: Using these credentials, the attackers moved laterally across M&S’s network, escalating privileges and identifying critical databases.
  • Data Exfiltration and Ransom: Before deploying ransomware, attackers exfiltrated sensitive customer data. They then encrypted vital systems, demanding a ransom while threatening to leak the stolen information.
  • System Downtime: M&S's online services, including e-commerce operations and internal order management systems, were disrupted for over 21 days, affecting sales and customer trust.
  • Reputational Fallout: Despite financial data remaining untouched, the exposure of personal customer information sparked backlash, negative media coverage, and scrutiny from UK regulatory bodies.

This multi-stage attack reveals a key vulnerability: the human element. Without effective cybersecurity awareness training, even sophisticated companies like M&S can fall prey to well-crafted social engineering tactics.

Why Singapore Retailers Should Take Note

Plaza Singapura in Singapore (https://www.flickr.com/photos/25802865@N08/16495710131)

Singapore’s digital economy is booming—but that also makes it a prime target. Consider the facts:

  • Cybercrime in Singapore rose by 50% in 2023, accounting for nearly one-third of all crimes reported (CSA Singapore).
  • Retailers and e-commerce platforms face daily phishing attempts, credential stuffing attacks, and insider threats.
  • SMEs are increasingly targeted due to limited IT security budgets and lack of employee training.

These examples show how easily local companies can suffer catastrophic consequences from cyber incidents. M&S may be overseas, but the lessons are directly relevant here at home.

The Real Risk: Human Error

Retail employees are often on the digital frontlines—managing emails, handling transactions, and accessing sensitive systems daily. Unfortunately, they’re also frequently the weakest link.

One click on a phishing email can open the door to ransomware.

That’s what makes cybersecurity awareness training not just useful, but essential. It turns your workforce into a human firewall—alert, prepared, and capable of recognising suspicious activity.

A Targeted Cybersecurity Awareness Training Strategy

At CFCI, we offer industry-specific cybersecurity awareness training that addresses the unique risks of your sector. Here’s how we help:

1. Industry-Specific Training

We tailor content for frontline retail staff, e-commerce teams, and digital operations managers. Modules include:

  • Identifying phishing and social engineering attacks
  • Password security and multi-factor authentication
  • Incident reporting protocols

2. Compliance with PDPA

Our training ensures your staff understand and comply with Singapore’s Personal Data Protection Act (PDPA), reducing the risk of regulatory penalties.

3. Simulated Attacks and Drills

We run regular phishing simulations and scenario-based drills so staff can practise responding to threats in real time.

4. Measurable Outcomes

We use pre- and post-assessments to measure knowledge improvement and engagement, and provide detailed reporting to track programme effectiveness.

Singapore Case Study: Chicha San Chen Data Breach (2024)

Chicha San Chen Outlet (https://www.flickr.com/photos/25802865@N08/53641805645)

In June 2024, popular bubble tea chain Chicha San Chen suffered a data breach that exposed sensitive customer information. The breach occurred through a shared server operated by an external vendor, allowing unauthorised access to the company’s customer relationship management system.

Data exposed included customer names, mobile numbers, email addresses, and encrypted passwords. The stolen data was later discovered for sale on a known hacker forum. Investigations indicated that the lack of proper vendor risk management and inadequate internal security protocols contributed significantly to the breach.

This case illustrates the growing risk associated with third-party service providers, especially in fast-growing retail sectors. It’s a stark reminder that cybersecurity isn't confined to your internal systems—every touchpoint in your digital infrastructure must be secured.

Source: CyberNews

Recommended Next Steps for Business Leaders

1. Assess Your Cyber Readiness

Conduct a quick audit of your current cybersecurity training efforts. Are your employees prepared for phishing attacks?

2. Engage a Local Training Provider

Partner with Singapore-based training experts who understand regional threats and regulations.

3. Book a Pilot Training Session

Start small. Choose one department, implement our programme, and measure results.

Take Action Today

Cyberattacks are growing more frequent, complex, and damaging. Don’t wait until your organisation becomes the next headline.

View our Corporate Cybersecurity Training Brochure

We’ll help you protect your business from within—by training your greatest asset: your people.

FAQ: Quick Answers for Business Leaders

Q: How does cybersecurity awareness training benefit my organisation?
A: It reduces the risk of data breaches by empowering employees to detect and respond to cyber threats.

Q: Is the training tailored to the retail industry?
A: Absolutely. We create retail-specific modules based on real-world scenarios and compliance requirements.

Q: What’s the duration of your awareness training programme?
A: The cybersecurity awareness employee training is a comprehensive 4-hour programme to bring your employees up to speed on fundamental cyber hygiene skills.

Q: How do we measure success?
A: Through pre- and post-training assessments, phishing simulations, and reporting dashboards.

Cybersecurity is a shared responsibility. Let’s train your staff before attackers strike.
