Inside the Breach: What M&S and the Harris Federation Reveal About UK Cyber Vulnerabilities

Two senior leaders, Sir Charlie Mayfield, former John Lewis chairman, and Sir Dan Moynihan, CEO of the Harris Federation, joined BBC Radio 4’s Today Programme on 1 May 2025 to discuss the impact of recent cyber attacks on Marks & Spencer, the Co-op, and UK schools. Their stories offer rare insight into how institutions respond to major breaches and what it really takes to recover.

Summary

This article captures key points and direct quotes from the BBC interview, in which Sir Charlie Mayfield outlined the commercial and reputational fallout for M&S and the wider retail sector, while Sir Dan Moynihan recounted the operational breakdown his schools faced after a 2021 ransomware attack. Both made clear that cyber resilience is not about perfect defences; it is about preparation, vigilance, and leadership under pressure.

BBC Radio 4’s Today Programme, 01 May 2025

This article was inspired by the recent cyber attacks across UK retail, specifically those on Marks & Spencer and the Co-op, plus the attack on the Harris Federation (of schools), as reported on BBC Radio 4’s Today Programme (01/05/2025).

Featuring

  • Amol Rajan (Presenter)
  • Sir Charlie Mayfield (Former Chairman, John Lewis)
  • Sir Dan Moynihan (CEO, Harris Federation)

Transcript

Amol Rajan:
You still can’t shop online at Marks and Spencer this morning, following what’s been euphemistically described as a cyber incident last week. Click-and-collect orders have been suspended. Some shelves in some stores are going empty. Meanwhile, the Co-op has been forced to close parts of its IT network following a cyber attack. The National Cyber Security Centre is urging other retailers to be vigilant. The Metropolitan Police are investigating, and I’ve been speaking to Sir Charlie Mayfield, former chairman of John Lewis. I asked him what impact an attack like this will have.

Sir Charlie Mayfield:
Clearly it’s going to affect sales, and it’ll also be affecting the operations of the business in terms of the cost they’re incurring to fix it. I mean, the team at M&S will be working around the clock to resolve this. And so it’s pretty all-consuming.

Amol Rajan:
And how has the rise of online shopping in the last, particularly in the last decade or two—services like click and collect—transformed the business of retailers? Because it’s very much where they’re growing, isn’t it?

Sir Charlie Mayfield:
Online shopping has completely transformed retail. But technology really has changed so many things in our lives that it’s completely changing the business models. And of course, as technology becomes more and more pervasive, the risk of this kind of attack sort of rises with it.

Amol Rajan:
Do you think there’s a limit to how resilient a business like M&S can be? Because in the end, when you’ve got exceptionally determined hackers, you can’t ever be totally safe.

Sir Charlie Mayfield:
Yeah. I mean, I think these attacks are happening a lot more than people think. I looked at the NCSC website and they quote that 76% of large organisations had some kind of cyber attack in the last year. So this is very, very prevalent. Most of those don’t get anything like the coverage that a household name like M&S gets. I’ve got great sympathy for the M&S team. They’ll be working really hard on this. If there’s one good thing that comes out of it, it reminds everybody of just how common these things are and therefore the importance of vigilance. Your point about resilience is the correct one. You can’t really ever be fully resilient. What you have to be instead is thinking about how to constantly improve your resilience, because you’re always vulnerable. All businesses are vulnerable to this kind of attack.

Amol Rajan:
And why is it, do you think, that retailers—we’ve heard an attack on Co-op—why are they being targeted?

Sir Charlie Mayfield:
Well, they’re criminals, so they’re targeting organisations they think they can encourage to pay them some money. They go after organisations that they can cause disruption to—organisations that, they hope, will try and take steps to remediate the action. It’s as simple as that. They’re after disruption and they’re after data with which they can effectively blackmail organisations into paying.

Amol Rajan:
With your old chairman hat on—if you were in the boardroom at M&S this morning—what would you be saying to the team? What would you be saying to the chief exec about how to handle this both operationally and in terms of comms and communication with the public and customers?

Sir Charlie Mayfield:
You can see from what they’ve said publicly that they are absolutely on to this. It’ll be a very difficult situation. I know Archie, and he’ll be very supportive of his senior team. He’ll be working flat out to get this sorted. Your concerns are obviously the disruption to the business and to your operating systems, and also absolute concern about making sure you’re looking after customer data. That will be a number one consideration.

Amol Rajan:
Final thoughts, Sir Charlie?

Amol Rajan:
Malicious actors have very long routes. The trouble is in dealing with this sort of thing and trying to, as you say, build some resilience in the future—being vigilant—you’ve got to be patient. Above all, this is not the sort of thing that you can switch on and off in a 24- or 48-hour period.

Sir Charlie Mayfield:
Totally. And businesses are spending a lot of money on cyber resilience. This is a cost to businesses that everybody’s incurring. This kind of incident will simply reinforce the importance of that kind of investment.

Amol Rajan:
That was Sir Charlie Mayfield, former chair of John Lewis. Let’s turn now to Sir Dan Moynihan, who’s senior executive, principal and CEO of the Harris Federation. Sir Dan, good morning.

Sir Dan Moynihan:
Good morning, Amol.

Amol Rajan:
So you were hacked in 2021. Do you know who did it and why?

Sir Dan Moynihan:
We were hacked in 2021 by a group of Russian hackers called REvil, and their purpose was to blackmail us into paying $4 million in cryptocurrency within 10 days. And if we didn’t pay within 10 days, they wanted $8 million. Remember, we’re a group of 55 schools, mainly educating disadvantaged young people. We’re not a financial institution, but there was no morality on the behalf of these Russian hackers. It was entirely a criminal enterprise.

Amol Rajan:
How did you respond?

Sir Dan Moynihan:
The hack meant we lost access to teaching materials, lesson plans, registration systems. Our phone systems went out. We lost medical records, fire systems. In some schools, we weren’t able to pay bills. We couldn’t pay our staff. It was an absolute nightmare.

We approached a firm of cyber specialists who had a hostage negotiator, would you believe, who took on the persona of an inexperienced young school IT person, pretended not to know what was going on, and took up negotiations with these people. Our purpose was to delay for as long as possible.

The Russians had stolen data from us. They didn’t tell us what they’d stolen, but they threatened they’d put this stuff up on the dark web and cause us great embarrassment. Secondly, they’d locked down our system. They’d encrypted our data. So we wanted to delay them publishing whatever they had while we rebuilt our systems. It took us about three months to get back to where we started, and it cost us about £750,000.

Amol Rajan:
Absolutely extraordinary story. What’s your advice?

Sir Dan Moynihan:
I would imagine that M&S at the moment don’t know what’s been infected. We had some servers that were encrypted, and as soon as this stuff gets into your system, it moves laterally. It tries to copy itself everywhere. So your first response is to switch everything off because you don’t know where it is. They’ll be working incredibly hard to try and clean all of their systems. We had 30,000 devices that had to be individually cleaned. They won’t know what data has been stolen.

We were clear from the beginning: we were not going to pay. The money we have is for disadvantaged young people. Secondly, had we paid, we’d have opened the door for other school groups to be attacked.

So my advice to M&S is: I’m sure they’re working round the clock cleaning their system. They’ll be worried about the data that’s been stolen. It’s easy for me to say, but I’d say: don’t pay.

Amol Rajan:
Sir Dan Moynihan, senior executive principal and CEO of the Harris Federation, thank you very much indeed, and best of luck with the rest of the term.

Conclusion

From supermarkets to schools, the cyber threat is no longer hypothetical; it is happening in real time to critical systems and frontline staff. The stories shared on Today underscore a simple truth: resilience is not a static defence; it’s a continuous process of learning, adapting, and leading through disruption. As Mayfield put it, “You can’t ever be fully resilient… You have to be constantly improving.” And as Moynihan showed, refusing to pay and rebuilding under pressure requires both technical resolve and moral clarity.