M&S Will Claim £100m From Its Cyber Insurers

Marks & Spencer (M&S) is preparing to make one of the largest cyber insurance claims in the UK after confirming that personal customer information was compromised in a major cyber attack over Easter 2025, which has taken down its digital infrastructure for weeks.

M&S admitted for the first time on Tuesday 13th May 2025 that some customers' personal data was stolen as part of the ransom attack, which has left the retailer unable to accept online orders.

The retailer has told customers this could include contact details, date of birth and online order history, but that it does not include usable card or payment details or account passwords.

M&S is due to report its full-year results soon and will update the market on the effects of the ransom attack. So far, the retailer’s share price has fallen around 16 per cent since it disclosed the attack on April 22, which has knocked £1.3bn off its market capitalisation.

Allianz is the principal insurer liable for M&S’s losses and is expected to pay at least the initial £10 million, while cyber insurance specialist Beazley is also amongst the insurers exposed to losses.

The Co-op and Harrods have also been hit by recent cyber attacks, and the Co-op has said that it is still in recovery after taking action to bring its systems back online. These attacks are attributed to a collective of English-speaking hackers known as Scattered Spider, who specialise in the use of social engineering techniques. One such method used by Scattered Spider is a technique known as ‘MFA fatigue’, which goes some way to explaining why they are a uniquely dangerous group.

In an MFA fatigue attack, an attacker who already holds a victim's password floods the user with MFA push notifications until the user finally approves one, either out of confusion or exasperation. At that point the MFA control has been bypassed, however strong the rest of the defences.
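A defender's view of the same pattern, as an added example that is not part of the original article: the script below scans identity-provider push logs for a burst of denied or timed-out MFA pushes to one user inside a short window, and flags whether the burst ended in an approval. The log format (timestamp, user, event type, result, source IP) and the threshold and window values are constructed assumptions for this example; real identity providers expose equivalent fields under their own names.

```python
"""Detect MFA push-bombing ("MFA fatigue") patterns in authentication logs.

Added example. The whitespace-separated log format below is constructed for
illustration: ISO-8601 timestamp, username, event kind, push result, source IP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice receives five rejected pushes in two minutes
# and then approves one (the fatigue outcome); bob's activity is normal.
SAMPLE_LOG = """\
2025-04-19T02:14:03Z alice.smith push denied 203.0.113.7
2025-04-19T02:14:21Z alice.smith push timeout 203.0.113.7
2025-04-19T02:14:40Z alice.smith push denied 203.0.113.7
2025-04-19T02:15:02Z alice.smith push denied 203.0.113.7
2025-04-19T02:15:19Z alice.smith push timeout 203.0.113.7
2025-04-19T02:15:44Z alice.smith push approved 203.0.113.7
2025-04-19T08:01:10Z bob.jones push approved 198.51.100.23
2025-04-19T08:40:55Z bob.jones push denied 198.51.100.23
2025-04-19T09:12:30Z bob.jones push approved 198.51.100.23
"""

THRESHOLD = 3                    # assumed: rejected pushes that count as a burst
WINDOW = timedelta(minutes=10)   # assumed: sliding window for the burst
REJECTED = {"denied", "timeout"}


def parse_line(line):
    """Parse one constructed log line into (timestamp, user, result, source_ip)."""
    ts, user, _kind, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip


def find_push_bombing(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {user: finding} for every user who received `threshold` or more
    rejected pushes within `window`. A burst followed by an approval is the
    fatigue outcome and is rated as a likely account compromise."""
    by_user = defaultdict(list)
    for raw in log_text.strip().splitlines():
        ts, user, result, ip = parse_line(raw)
        by_user[user].append((ts, result, ip))

    findings = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            # Events are sorted, so everything from index i onward is at or after `start`.
            in_window = [e for e in events[i:] if e[0] - start <= window]
            rejected = [e for e in in_window if e[1] in REJECTED]
            if len(rejected) < threshold:
                continue
            last_rejected = rejected[-1][0]
            approved_after = any(r == "approved" and t > last_rejected
                                 for t, r, _ in in_window)
            findings[user] = {
                "rejected_pushes": len(rejected),
                "approved_after_burst": approved_after,
                "source_ips": sorted({ip for _, _, ip in in_window}),
                "severity": "likely compromise" if approved_after else "attempted",
            }
            break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for user, finding in find_push_bombing(SAMPLE_LOG).items():
        print(user, finding)
```

A "likely compromise" finding should trigger a session revoke and credential reset for that user, not just an alert. The durable mitigation is to stop plain push approval being enough: number matching or a phishing-resistant factor (FIDO2/passkeys) removes the one-tap approval that this attack relies on.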

In expert comment, Rex Booth, CISO at SailPoint, said: “Scattered Spider is a loosely affiliated group of cyber criminals based primarily in English-speaking countries. They’re responsible for numerous high-profile attacks, including the MGM/Caesars compromise in 2023 which netted them a $15 million ransom payment.
  
“They’re uniquely dangerous because much of the West is accustomed to this image of cyber criminals from Eastern Europe and Asia. Because most of Scattered Spider are native English speakers, they’re able to execute social engineering attacks without raising concerns as readily. It makes them very effective at exploiting the human side of cybersecurity,” Booth concludes.

Concerning M&S’s insurance claim, Adam Casey, Director of Cybersecurity & CISO at Qodea, commented: “While a big cyber payout might not trigger an immediate hike in premiums across the board, it’ll likely contribute to an upward trend. This disruptive attack - and any resulting payout - will be a major data point used by insurers in future underwritings...”

As non-payment of ransoms becomes a more common policy as well, insurers are going to see bigger costs from breach recovery and business interruption. All this will combine to push premiums up.

“Cyber insurance is a good safety net, but it isn’t a panacea replacing the need for solid cyber defences. Insurance absorbs some of the financial shock from lost sales, but what it can’t restore is the erosion of customer trust, reputational damage and damage from regulatory fines that can come from a significant attack.”

This underscores the critical importance of comprehensive risk assessments, Business Impact Analyses (BIAs), properly tested Business Continuity and Disaster Recovery (BCDR) and Incident Response plans.

“A claim of this scale will attract intense scrutiny from insurers. Claims handlers are going to focus on whether every required security control was active, how end-of-life systems were managed, and the level of cyber training given to staff. Any hint of non-compliance or negligence could slash the payout, or see it denied altogether.

“These recent retail attacks are a clear sign that cyber risks are intensifying, and organisations still have weaknesses in their armour. Cyber insurers will be stricter with their cover, and organisations need to make themselves as insurable as possible. Cybersecurity measures like penetration testing, 24/7 threat monitoring and incident response measures, combined with adherence to frameworks like the NCSC Cyber Assessment Frameworks are great ways to make this happen.” Casey concludes.

Cyber attacks have cost UK businesses an estimated £44m in lost revenue over the past five years with over 50% of UK firms experiencing at least one attack during that period.

Insurance Business | FT | The Times | City AM | Prolific North | Business Live

Image: Ideogram
