Earlier this year, Marks & Spencer faced a serious cybersecurity breach when CEO Stuart Machin and seven senior executives were directly targeted in a ransomware attack. The perpetrators, a group known as Scattered Spider, infiltrated the company’s core systems and brazenly announced their success in a provocative email sent straight to the executive team.
The message was intentionally mocking and calculated. The attackers demanded negotiations via a dark web portal, claiming they had encrypted access to internal systems. They also revealed that they had compromised sensitive data belonging to nearly 9.4 million customers. This incident went far beyond a typical IT disruption; it sent shockwaves throughout the entire corporate structure.
A new tactic: targeting executives
What makes this attack particularly disturbing is its personal nature: it didn’t just target systems; it targeted people. This was more than a breach of corporate infrastructure; it was a direct strike against the leadership at the heart of the business.
Senior executives are now becoming prime targets. These high-level leaders often lack the training to recognise sophisticated phishing tactics and may feel pressured to respond quickly, making them especially vulnerable. This incident underscores a critical truth: when cyber security is treated solely as an IT concern, the C-suite becomes an exposed and attractive entry point for attackers.
A leadership responsibility
Too many organisations still relegate cyber defence to the realm of back-end technical operations. But when attackers target the CEO’s inbox directly, the issue escalates into one of leadership, governance, and strategic communication.
In response to the breach, Marks & Spencer has launched a comprehensive internal investigation and is co-operating closely with regulatory authorities. The Information Commissioner’s Office has been notified. While the company has not disclosed whether a ransom was paid, it has committed to reinforcing its cybersecurity posture. This includes enhanced security training for executives and tighter controls over third-party vendors.
What can your organisation learn from this?
This isn’t just a cautionary tale; it’s a wake-up call. Cyber criminals no longer need to break down digital walls when a single human vulnerability can open the front door.
Businesses must fundamentally rethink their approach to security. That means educating boards, rigorously stress-testing defences, and holding partners to higher standards. When senior executives become the primary targets, the threat is no longer just technical; it’s existential.
