By Alexandra Butter

PR Lessons in Retail Cyber Crisis Comms

In the past few months, one of the UK’s most trusted retailers, M&S, has found itself in the middle of a very sophisticated cyber-attack that has brought online operations to a standstill and compromised customer data. Weeks later, the retailer is still in recovery mode.
While the technical implications of the attack have been devastating, it has also created a masterclass in crisis communications and shows just how important reputation management continues to be. While Marks and Spencer risks becoming a case study in reputational fallout and retailers around the world observe, what PR lessons can we take away from how they handled their cyber crisis? Here are five key PR lessons and considerations:

1. Prepare as much as possible before a crisis hits

The speed and quality of M&S's initial response suggest they had prepared crisis communication templates and set PR protocols and processes in advance. It is always worth preparing pre-approved messaging templates for different breach scenarios to avoid delays in critical disclosures. Remember, businesses should always take the approach that it's not a case of ‘if’ a cyber attack will take place, it is a matter of ‘when’. The same approach should be applied to a supporting crisis comms strategy.

2. Choose one single senior spokesperson to deliver the message

The decision in this instance to attribute all communication to M&S’ CEO Stuart Machin worked well. It provided consistency and demonstrated executive-level commitment to resolution by tackling communications head on. Having a single, senior spokesperson keeps the message and tone consistent across all channels, and this builds credibility and accountability.

3. Take stock and avoid setting false expectations and timelines

The retailer hasn’t actually committed to a specific timeline for full recovery, and this is a wise move given the complexity of any cyber incident. A timeline is the last thing a business should commit to before it has thoroughly investigated the situation and a full resolution is clear. Missing a deadline you set is one sure way to come up against unwanted scrutiny.

4. Leading with swift full transparency, but also minding the details

On the one hand, M&S has on the whole been transparent about the attack without divulging sensitive details that could compromise recovery efforts or encourage copycat attacks. This balanced approach maintains trust while protecting operational security. However, a key lesson is the time it took for M&S to divulge that customer data had been stolen. Customers are only now, weeks after the initial breach, learning the full extent of what happened, and that is leading to a lot of uncertainty and speculation about the implications for them. It just goes to show that any lag in transparency risks damaging the trust M&S has worked hard to protect through its communication strategy. Communication needs to be consistent, timely and an ongoing process.

5. The road to recovery is a marathon and not a sprint

Recovering from a major cyber breach is a long-term journey that requires a sustained and transparent communication effort. The M&S cyber attack reveals that even in the most challenging circumstances, effective PR can protect trust and corporate reputation. While the technical recovery continues, M&S in particular has demonstrated that crisis communications rooted in transparency, leadership, and empathy can mitigate reputational damage even when operations remain severely compromised.

Hiscox's latest cyber readiness report reveals that 47% of companies hit by cyber attacks in 2024 struggled to attract new customers - more than double the 20% that reported similar difficulties in 2023. With this in mind, and as we observe how the situation continues to unfold, the key takeaway for all businesses is that cyber crisis PR planning should be as high up on the priority list as the technical security measures. PR and comms teams in today’s digital business environment should be preparing well in advance for how to communicate when such a breach occurs.

The ongoing test for M&S now is whether they can keep up the quality and speed of their initial crisis comms strategy into the fourth week and how - and indeed if - they can rebuild confidence and trust once systems are once again operational.