Inside the M&S Cyberattack: Lessons in Mobile Security and Preventative Strategy

Key Takeaways

  • SIM-swap fraud is a serious and growing threat
  • Outdated mobile security protocols are no longer enough
  • Employee awareness and frontline training are crucial

Introduction

In April 2025, British retail giant Marks & Spencer (M&S) was hit by a highly sophisticated cyberattack, causing major disruption across its operations. Hackers took advantage of vulnerabilities in mobile security, specifically through SIM-swap fraud, to gain unauthorised access to internal systems. With cyber threats becoming more frequent and complex, incidents like this serve as a stark reminder for businesses to revisit and reinforce their cybersecurity strategies.

The Rising Tide of Cybersecurity Incidents

This isn’t an isolated incident. Since September 2024, the UK alone has seen over 200 cyberattacks deemed ‘nationally significant’—double the number in previous years. IBM’s 2024 Data Breach Report revealed that the average global cost of a data breach has now reached $4.88 million (approx. £3.9 million). And it’s not just individual cases—global cybercrime costs are expected to hit $10.5 trillion (approx. £8.4 trillion) annually by the end of 2025. Learn more about why cyber security is important for your business.

Understanding SIM-swap Fraud

SIM-swap fraud is a growing threat. It involves criminals tricking mobile providers into transferring a victim’s phone number to a SIM card they control. This gives them access to calls and texts, and often lets them bypass Multi-Factor Authentication (MFA) to break into personal or work accounts. As eSIMs become more common, these attacks are not only harder to spot but also more frequent.
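As an added defender-side example (not part of the original article or Elite Group's material), the Python below shows how the takeover chain just described tends to appear in identity-provider logs and how to correlate it: an SMS one-time code followed within a short window by a password reset, sign-in or MFA change from a device never seen for that user. All event names, device identifiers and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)

# Constructed sample identity-provider events (not real M&S or Elite Group data).
EVENTS = [
    {"ts": "2025-04-20T09:00:00", "user": "alice", "type": "mfa_sms_sent", "device": "dev-A"},
    {"ts": "2025-04-20T09:01:10", "user": "alice", "type": "login_success", "device": "dev-A"},
    {"ts": "2025-04-20T13:02:00", "user": "bob", "type": "mfa_sms_sent", "device": "dev-Z"},
    {"ts": "2025-04-20T13:03:30", "user": "bob", "type": "password_reset", "device": "dev-Z"},
    {"ts": "2025-04-20T13:04:00", "user": "bob", "type": "login_success", "device": "dev-Z"},
]
# Devices each user has previously signed in from (constructed baseline).
KNOWN_DEVICES = {"alice": {"dev-A"}, "bob": {"dev-B"}}

# Actions that, right after an SMS code, suggest the code was used to take over the account.
SUSPICIOUS_FOLLOW_UPS = {"password_reset", "login_success", "mfa_method_changed"}


def find_sim_swap_indicators(events, known_devices, window=WINDOW):
    """Return one alert per SMS challenge that is followed, within `window`, by a
    reset, sign-in or MFA change from a device never seen for that user.
    An SMS code followed by a sign-in from a known device is normal and not flagged."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: (e["user"], e["ts"]),
    )
    alerts = []
    for i, ev in enumerate(parsed):
        if ev["type"] != "mfa_sms_sent":
            continue
        for later in parsed[i + 1:]:
            # Events are grouped by user and ordered by time, so stop at the
            # next user or once the correlation window has elapsed.
            if later["user"] != ev["user"] or later["ts"] - ev["ts"] > window:
                break
            if (later["type"] in SUSPICIOUS_FOLLOW_UPS
                    and later["device"] not in known_devices.get(ev["user"], set())):
                alerts.append({"user": ev["user"], "sms_at": ev["ts"].isoformat(),
                               "then": later["type"], "device": later["device"]})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_sim_swap_indicators(EVENTS, KNOWN_DEVICES):
        print(f"possible SIM-swap account takeover: {alert}")
```

In a real deployment the baseline of known devices would come from the identity provider's sign-in history, and the alert would feed a review of whether the user's number was recently ported or their eSIM re-provisioned.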

The Impact on Marks & Spencer

For M&S, the consequences were both operational and reputational. Online orders were put on hold, Click & Collect services were affected, and customers faced delays that shook their trust in the brand’s digital capabilities. In-store, there were payment processing issues and stock management challenges. The financial impact was significant—over £30 million in losses, with a further £15 million in potential weekly damages during the worst period. More importantly, the attack exposed weaknesses in mobile security and employee verification, putting a spotlight on the broader need for improved cyber resilience in retail.

Expert Insights: Steve Tipper on Prevention

Steve Tipper, Mobile Consultant at Elite Group, shared his thoughts on how this could have been avoided:

“In incidents like this, the human element is often the weakest link. Implementing strong identity verification protocols for password resets, coupled with mobile device management (MDM) platforms, is critical. We also recommend using app-based authentication rather than SMS-based MFA to reduce reliance on vulnerable channels. Prevention is always cheaper and more effective than response.” – Steve Tipper, Mobile Consultant, Elite Group

Recommendations: Strengthening Mobile Security in a Modern Workplace

Taking lessons from the M&S breach, Steve recommends the following practical steps for businesses to boost mobile security, protect employees, and reduce risk:

  • Raise awareness of SIM and eSIM fraud
    Make sure your team knows how these attacks work—especially the newer eSIM tactics. They should understand the risks of oversharing personal or company info online.
  • Secure devices with strong authentication
    All company phones should have proper security—like PINs, fingerprint scans, or facial recognition. If a device gets lost, that security layer can make all the difference.
  • Avoid SMS for Multi-Factor Authentication (MFA)
    SMS-based MFA is outdated and vulnerable. Use apps like Microsoft Authenticator or Duo, or go for hardware keys like YubiKeys for your most important systems.
  • Treat lost mobile devices as urgent security incidents
    eSIMs can be reprogrammed remotely. If a device is lost, act fast: lock it, wipe the data, and deactivate the eSIM if possible.
  • Standardise mobile usage policies
    Set clear rules around mobile use—what’s acceptable, how to keep devices secure, and what to do if something goes wrong.
  • Leverage Mobile Device Management (MDM)
    MDM tools help keep your mobile fleet secure. They let you enforce encryption, push out updates, and wipe devices remotely if they’re compromised.
  • Train frontline support teams to spot social engineering
    Support staff are often targeted. Make sure they know how to verify identities and can spot when someone’s trying to manipulate them.

How Elite Group Can Help

At Elite Group, we work closely with organisations to improve mobile and digital security. Our team offers assessments, MDM platforms, endpoint protection, and strategic advice tailored to your setup. We’re here to help you stay secure without compromising on performance.

Conclusion

The M&S cyberattack is a wake-up call for any business relying on outdated security methods. Cyber threats aren’t going away, but with the right partner and proactive measures, you can stay ahead. If you’re ready to protect your mobile estate and strengthen your defences, speak to Elite Group today.