What The M&S Data Breach Taught Us About Cyber Security

When M&S suffered a data breach in early 2025, it wasn’t some high-octane cyberattack straight out of a Hollywood script. No sinister USB sticks, no basement-dwelling hackers clacking away in hoodies. Instead, it started with something deceptively simple: a clever bit of social engineering aimed at a third-party help desk.

By pretending to be internal staff, the attackers convinced support agents to disable multi-factor authentication. That tiny crack was all it took. From there, they slipped into M&S systems, snatched credentials, moved laterally through the network, unleashed ransomware, and walked off with customer data.

The result? Chaos. Online orders were frozen. Customer trust plummeted. And the company projected a £400 million financial hit.

And M&S isn’t the only one. Other household names have suffered similar breaches. But here’s the kicker: it’s rarely cutting-edge tech that’s getting it wrong. It’s more often a missed detail, a vague policy, or a support agent having a very human moment.

Before we go any further, just a quick shameless plug (the only one, we promise!): check out our new Cyber Security Awareness series. It’s everything you and your teams need to know about cyber security, delivered with charm, engaging characters like Jade and Derek, and zero risk of any spontaneous naps!


Phishing: Still Top of the Charts (Unfortunately)

Phishing is still the easiest way in — it’s like a classic magic trick: distraction, misdirection, and getting you to hand over the secret without realising it. It usually comes disguised as a normal email, text, or website designed to fool even the savviest among us.

A quick breakdown of phishing types:

  • Spear phishing: Personalised emails using real details to build trust.
  • Whaling: Targeting executives, whose credentials unlock serious access.
  • Smishing: Text-based phishing (yes, your phone isn’t immune either).

The UK Cyber Security Breaches Survey 2025 confirms that phishing is still the most common cyber threat to UK businesses. So, while M&S wasn’t phished in the classic sense, the attackers pulled the same psychological levers: trust, urgency, and the goodwill of someone trying to do the right thing.

Cyber Security Culture Matters More Than Posters in the Breakroom

The M&S data breach offered a harsh reminder: you can’t patch a lack of preparation.

No amount of software can stop someone who genuinely thinks they’re helping. That’s not a tech glitch—that’s a culture gap.

Your people need more than policies—they need confidence. And that means:

  • Recognising when something feels a bit off
  • Knowing how to check without causing panic
  • Reporting things without feeling like they’ve broken the internet

A Smarter Way to Train Your Team

Let’s face it: most cyber training feels like being locked in a lift with a PDF. So, we made something a bit different.

Introducing the Video Arts Cyber Security Awareness series:

  • 🧠 Relatable: Real-world scenarios that feel familiar
  • ⏱️ Bite-sized: Perfect for a coffee break
  • 🎭 Narrative-driven: Follow Jade, Derek, and their digital misadventures
  • 🔐 Actionable: Practical advice that sticks

📍 Get early access to the first course because protection isn’t about panic; it’s about preparation.
