Marks & Spencer Exemplifies Best Practices in Cyber Crisis Communication
In an era where corporate communication surrounding cybersecurity incidents often veers towards obfuscation and minimization, British retailer Marks & Spencer (M&S) stands out as a model for transparency and effective communication. Recently, the company faced a cybersecurity threat that could have disrupted its operations significantly. Instead of resorting to marketing jargon or diluting the seriousness of the incident, M&S chose a direct approach to inform its stakeholders, showcasing how effective crisis management should be executed.
On April 23, 2025, Marks & Spencer issued a statement to the London Stock Exchange, indicating that it had been managing a cyber incident over the preceding days. Unlike many corporations that may have sought to downplay the situation or embellish assurances about their data handling practices, M&S delivered a clear and straightforward account of the situation. Notably absent were the clichéd phrases often used to normalize cyberattacks or minimize their impact. The company did not fall back on the merely performative declaration that it "takes the security of customer information seriously."
Instead, M&S stated that it had engaged external cybersecurity experts to aid in investigating and managing the situation. The retailer also emphasized its proactive measures to bolster its network defenses, assuring customers that operational services would continue unimpeded. Importantly, the company confirmed its collaboration with the U.K. National Cyber Security Centre, which is the national incident response lead, indicating a commitment to handle the situation with the utmost seriousness.
For over 140 years, Marks & Spencer has been a fixture on the British high street, maintaining customer trust amidst challenges. Following the incident, the company communicated directly with its customers about the potential disruptions, particularly concerning online pickup orders. While there were reports of temporary issues, such as the inability to process contactless card payments and redeem gift cards, M&S quickly addressed these concerns. The message to customers, signed by CEO Stuart Machin, expressed regret for any inconvenience while reassuring them that the stores remained open and online services were functional.
In this communication, M&S adopted a tone of empathy and responsibility. Customers were informed that they need not take any immediate action, with a promise of updates should the situation evolve. This approach not only alleviated customer anxiety but also fostered confidence in the company’s management of the crisis.
Experts in the field applauded Marks & Spencer’s straightforward approach to crisis communication. Jude McCorry, CEO of Edinburgh’s Cyber and Fraud Centre, highlighted the effective nature of M&S’s communication, noting its clarity and accountability. She recounted her recent experience in an M&S store, where staff actively informed customers about the lack of contactless payment options, ensuring that operations continued smoothly despite the underlying crisis.
The incident reportedly unfolded over a holiday weekend, leading to scattered reports from customers experiencing inconvenience during their visits. One customer in Plymouth reported issues with both collecting online purchases and returning items due to malfunctioning tills. Yet, Marks & Spencer appeared to have effectively mobilized its incident response plan, promptly reaching out to customers via email with updates and reassurances.
William Dixon, a senior associate fellow at the Royal United Services Institute, weighed in on the situation, describing M&S’s communication as "textbook cyber crisis communications." By focusing on empathy, transparency, and factual statements—rather than speculation or dramatization—the company managed to maintain customer trust and credibility.
Furthermore, British security researcher Daniel Cuthbert commended M&S for its refreshing approach. He remarked on the rarity of a company openly acknowledging a breach without resorting to legalistic or overly cautious rhetoric. The effective communication strategy employed by M&S not only mitigated customer concerns but also set a high standard for how companies can navigate the complexities of cybersecurity threats in a customer-centric manner.
Ultimately, Marks & Spencer’s handling of this cybersecurity crisis illustrates the vital role of clear, honest communication in maintaining public trust. By prioritizing transparency and customer engagement, M&S has distinguished itself as a leader in crisis management, setting a precedent for other businesses in the industry to follow.