The M&S Cybersecurity Breach: Understanding the Human Risk and Staying Protected
In May 2025, Marks & Spencer (M&S) joined the growing list of high-profile names impacted by cybercrime. The breach, part of a wider attack on delivery partner Snappy Shopper, has exposed the personal data of thousands of customers, triggering a wave of phishing attempts, scam messages, and public concern.
While this breach may not directly impact your business operations, it highlights a crucial point: cyber threats don’t stop at the office door. They follow your employees home, and what affects them personally can create ripple effects in the workplace.
This article is designed as a shareable resource you can pass to your team, helping them understand the risks, avoid scams, and stay cyber safe in both their personal and professional lives.
What Happened: A Quick Recap
The breach originated from Snappy Shopper, a third-party delivery partner used by M&S and Co-op. The compromised data includes:
- Names
- Phone numbers
- Email addresses
- Delivery addresses and past order information
- Partial card details
With this data now in the hands of criminals, a wave of scams has already begun targeting affected customers, including phishing emails, fake delivery texts, and scam calls posing as support representatives.
The Risk: More Than Just Data
For cybercriminals, data like this is gold. Even when it doesn’t include passwords or full card details, it allows them to:
- Craft highly personalised phishing scams
- Impersonate trusted brands or delivery services
- Target victims through multiple channels (email, SMS, phone)
- Steal further information or trick users into making payments
This is what makes the human element the weakest link in cybersecurity — and why attacks like this can easily jump from personal inboxes to workplace threats.
What Your Team Should Know
As attackers leverage the exposed data to reach out directly to M&S customers, it’s vital to remind your employees (and their families) how to stay safe. Encourage your team to:
- Stay alert to unexpected messages from M&S, delivery firms, or financial institutions.
- Avoid clicking links in unsolicited texts or emails — instead, go directly to the official website.
- Double-check the sender of any email before engaging.
- Never share sensitive information like passwords or payment details over the phone.
- Enable two-factor authentication (2FA) wherever possible.
- Report scams to Action Fraud or the relevant national authority.
These habits won’t just protect your team in their personal lives — they help build cyber awareness that carries over into the workplace.
Why This Matters for Businesses
While this breach didn’t happen in your organisation, it still poses an indirect risk. Human-targeted attacks like phishing are the top cause of workplace breaches, and attackers are increasingly blurring the lines between personal and professional exploitation.
When your team learns how to spot a scam at home, they’re more likely to do the same at work.
Share This With Your Team — And Strengthen Your Human Firewall
usecure helps businesses like yours reduce human cyber risk with automated training, phishing simulations, and user risk monitoring. But we also believe in empowering people outside of work.
Share this blog with your team as a simple way to help them stay secure in their personal lives — and build safer habits that benefit your business too.