Rachel Higham, the Chief Digital and Technology Officer (CDTO) at Marks & Spencer (M&S), is stepping down and taking a career break after just over two years with the company, following a severe cyberattack earlier this year that crippled M&S’s online and store-facing digital operations. The attack—linked to the Scattered Spider group—forced M&S to shut down online ordering, suspend “click and collect” services, disrupt contactless payments, and resulted in stolen customer data (though payment credentials and passwords were reportedly not taken). The estimated financial hit: about £300 million in lost operating profit for the 2025-26 year, with the company saying it hopes to recoup part of the loss through insurance and cost cuts.
Sources: Computer Weekly, Reuters, Cybernews
Key Takeaways
– Leadership accountability in cyber incidents: Even where a person isn’t explicitly blamed, major breaches—especially those that impact operations and finances heavily—often lead to leadership changes or transitions.
– Third-party risk remains a core vulnerability: The attack reportedly took advantage of a third-party contractor via social engineering rather than exploiting a direct technological weakness, highlighting that vendor and partner security is just as critical as internal defenses.
– Cost of cyber disruptions is massive and multifaceted: The financial impact isn’t only immediate loss of sales but also reputational damage, customer trust erosion, operational disruption (online orders, click & collect, payments), system recovery costs, and long-term transformation needs. Insurance and internal reforms help, but they rarely cover all dimensions.
In-Depth
In early 2025, Marks & Spencer (M&S), a stalwart of Brit-retail, suffered a grave cyberattack that rattled not just its IT systems but its bottom line and public image. The breach, tied to the hacking collective Scattered Spider, struck through a third-party contractor and used social engineering to gain access—underscoring that even large firms investing in technology can be undone by human vulnerabilities.
Once inside, attackers forced M&S to take preventive and reactive steps: shutting off online ordering, disabling click-and-collect, restricting contactless payments, and even dealing with stock issues in stores because underlying systems were disrupted.
From a financial standpoint, M&S estimates the cost at around £300 million of lost operating profit for the 2025-26 fiscal year. Though some of that may be offset through insurance and operational efficiencies, the gap is significant. The incident came at a time when M&S was already under pressure to modernize its digital operations and strengthen its supply chains and vendor networks.
In September 2025, Rachel Higham announced she would step down from her role as Chief Digital and Technology Officer, citing a career break. While company statements have been supportive—calling her “a steady hand and calm head at an extraordinary time”—the timing naturally raised questions about whether she was bearing institutional accountability for the breach. Higham had only been with the company for a little over two years. Malfunctions and delays caused by the breach made customers, investors, and partners watch closely.
The leadership reshuffle that followed is telling: Sacha Berendji, already a veteran in the company, has taken charge of digital & tech functions in addition to his existing duties in property and store development. Thinus Keeve, the retail director, will now report directly to the CEO. These moves show M&S aiming to centralize responsibility and perhaps flatten oversight to respond more quickly to crises.
More broadly, the M&S case serves as a cautionary tale for any business undergoing digital transformation. Robust cybersecurity strategies must live not just in code and firewalls but in contracts, in training, in awareness of social engineering, and in constant evaluation of the weakest link—often human or third-party. For shareholders and consumers alike, resilience and transparency now matter as much as innovation and service.
As M&S works to recover—bringing services back online, assessing ongoing risks, and rebuilding trust—other retailers will be looking over their shoulder: how secure is your vendor chain? How quickly can your systems be restored? And when disaster strikes, who in the leadership team is seen as responsible?
In the end, Higham’s departure may be just one of many consequences, but the real takeaway is the reinforced need for organizations to treat cybersecurity not as an IT problem, or a back-office issue, but as a core business risk that demands executive ownership, investment, and honest accountability.