Marks & Spencer Cyberattack: A Cautionary Tale for Namibia’s Business Leaders

The recent cyberattack on UK retail giant Marks & Spencer (M&S) should serve as a wake-up call for Namibian businesses and policymakers. 

A sophisticated hacking collective infiltrated M&S’s systems, crippling operations and exposing dangerous gaps in security. 

This cautionary op-ed examines how the attackers – known as Scattered Spider – exploited human and technical weaknesses, and why similar tactics could spell disaster for Namibian companies if we remain complacent. 

The lesson is clear: Cybersecurity must become a national priority before a Scattered Spider finds its way into Namibia’s digital infrastructure.

A WAKE-UP CALL

In late April 202, M&S was hit by a massive cyberattack that disrupted stores and online services for days. 

Contactless payment systems failed, online orders were halted, and about 200 warehouse workers were even told to stay home as the company scrambled to contain the breach. 

The uncertainty wiped an estimated £500 million off M&S’s stock market value within a week. 

This was not a minor IT glitch but a full-blown ransomware attack that brought one of Britain’s biggest retailers to its knees. 

The hackers behind it, a collective dubbed ‘Scattered Spider’, are the same group linked to attacks on MGM Resorts and Caesars Palace in the US. 

Their assault on M&S underscores how a determined cybercriminal group can infiltrate even well-resourced corporations, causing financial and reputational havoc.

SOCIAL ENGINEERING AT THE FRONT DOOR

How did Scattered Spider pull off such a breach? 

It didn’t start with high-tech wizardry, but with old-fashioned deception. 

Reports indicate that the attackers impersonated M&S employees in calls to the company’s IT help desk, convincing support staff to reset passwords and even disable multi-factor authentication (MFA) protections. 

In essence, a phone call tricked someone into opening the front door of the network. 

This technique – social engineering – is a favoured tool of Scattered Spider, which is adept at targeted phishing, MFA fatigue attacks, SIM-swapping, and other con-artistry to dupe real employees into handing over credentials or access.

It’s a stark reminder that humans are often the weakest link. 

In fact, cybersecurity experts estimate that 95% of successful cyberattacks globally involve some form of human error or interaction. 

Whether it’s clicking a malicious link or trusting a fraudulent phone request, employee mistakes can unravel even the best technical defences. 

Namibia is no exception: 20–30% of phishing emails in Namibia are acted on by recipients – an alarming statistic that highlights the urgent need for better awareness. 

Scattered Spider’s success at M&S shows that a single well-placed scam call or email can ignite a cyber catastrophe.

TECHNICAL EXPLOITS

Once inside M&S’s network, the attackers wasted no time exploiting technical weaknesses. 

By February 2025 – months before the ransomware detonated – the intruders had quietly exfiltrated M&S’s Active Directory database (NTDS.dit). 

This database held password hashes for every employee and system account. 

Armed with those hashes, the hackers cracked passwords offline and gained valid credentials for a wide range of accounts. 

In essence, they stole the ‘keys to the kingdom’.

Using these credentials, the attackers moved laterally through M&S’s IT environment, accessing user workstations, servers, and network devices while evading detection by blending in with legitimate user activity. 

They escalated privileges until they had administrative control over critical systems. 

Notably, no software vulnerability was needed for this phase – the hackers turned M&S’s own systems and tools against it, a textbook example of abusing trust and access. (It’s suspected the initial foothold may have even come through a third-party IT service provider, illustrating the risks in supply chain and vendor access.) 

By April 24, the stage was set for the endgame.

In the final phase, the perpetrators deployed a ransomware payload known as ‘DragonForce’ onto M&S’s VMware ESXi servers. 

Overnight, virtual machines running core applications for online shopping, payment processing, and logistics were encrypted. 

The effect was immediate and far-reaching: M&S suspended all online orders (its website usually brings in roughly £3.8 million in sales per day), contactless payments in stores stopped working, and warehouse operations ground to a halt. 

Ransomware had turned a digital attack into a real-world business crisis. 

As one UK cybersecurity official noted, attacks like this are “becoming more and more common” and every organisation must be prepared. 

The M&S incident proves that a single breach can cascade into enterprise-wide paralysis, with costs easily reaching into the tens of millions of pounds.

COULD IT HAPPEN HERE? 

Many Namibian business leaders might read about M&S and think, “that’s a UK problem, not ours”.

But the **same threat vectors that hit M&S are present right here in Namibia – and in some ways, our organisations may be even more vulnerable. Namibia’s cybersecurity maturity remains low compared to global standards, and attackers could see us as a soft target. 

Consider the evidence: Over 1.1 million cyber incidents were recorded in Namibia between January and September 2024. We endured 2.7 million attacks in 2022 alone. 

These figures, from the Communications Regulatory Authority of Namibia (Cran) and other officials, underscore that we are already under siege in cyberspace. 

Multiple factors put Namibian businesses at risk. 

First, a lack of qualified cybersecurity professionals and the absence of updated cybercrime laws have left big gaps in our defences. 

Experts have pointed out that Namibia is only now working to finalise a comprehensive Cybercrime Bill and Data Protection law – until these frameworks are in place and enforced, many organisations operate in a Wild West of weak regulations and oversight. 

Second, awareness at the leadership level is lagging. 

As of 2020, only about 44% of Namibian management boards considered cyber threats a significant concern. 

That means over half of boards may still be underestimating the risk, allocating inadequate resources for security or failing to demand regular cyber updates. 

Third, our workforce isn’t widely trained in cybersecurity hygiene. 

Phishing awareness training is not yet routine in many companies, which is worrying given how frequently Namibian employees are targeted – and sometimes tricked – by scams. 

We’ve already seen local examples of breaches: less than six months ago, Telecom Namibia fell victim to a ransomware attack (attributed to the ‘Hunters International’ gang) that resulted in customers’ data being leaked on the dark web. 

Around the same time, a government health dashboard was compromised, exposing staff contact details. 

These incidents prove that global cybercriminals are willing and able to target Namibian institutions. 

Indeed, in the aftermath of the Telecom Namibia breach, analysts warned that the attack “likely put Namibia on the radar of global hacker groups, marking the country as an easy target”. 

In other words, if we do not shore up our defences, more attacks are almost inevitable.

INFRASTRUCTURE AND PRACTICES

Finally, consider our digital infrastructure and practices. 

Many Namibian networks – in both government and private sector – are not properly segmented or monitored, which means once an attacker gets in, they can roam widely. 

Cran’s latest report specifically urged local organisations to segment their networks to contain ransomware attacks, suggesting this basic best practice is often missing.

Routine security audits and incident response plans are also lacking in numerous firms, especially small and medium enterprises. SMEs are particularly at risk; globally, over 50% of cyberattacks target small businesses, and Namibia’s SMEs could be hit hard if they assume “we’re too small to be noticed”.

The reality is attackers often target easier, less-secure prey, regardless of size. 

All sectors in Namibia are exposed. 

As deputy ICT minister Modestus Amutse noted at a recent cybersecurity conference, “every sector is at risk of cyberattacks” and developing countries face special challenges in securing the digital economy. Namibia’s key industries – mining, energy, transportation, tourism, banking – are all becoming digitally connected, and thus attractive targets. A Scattered Spider-style attack here could just as easily start with a phony phone call to a local bank’s IT desk or a phishing email to a government clerk. We ignore that reality at our peril.

DISRUPTION, DISTRUST AND ECONOMIC DAMAGE

What would a Marks & Spencer-scale cyberattack mean for Namibia? 

The implications extend far beyond IT downtime – we would be looking at nationwide disruption, erosion of public trust, and significant economic losses. 

M&S’s ordeal provides a glimpse of the potential damage. 

They reportedly lost over £30 million (N$600+ million) in revenue in a matter of weeks because of business interruption. 

Now imagine a major Namibian company – or worse, a utility or government agency – being offline for days or weeks. 

For example, if a Namibian bank’s systems were locked by ransomware, customers could lose access to online banking, ATMs, and payment services.

The ripple effect on commerce would be immediate and intense. 

Or consider the tourism sector: A ransomware attack on a major tour operator or airline booking system at the height of holiday season could halt bookings, strand travellers, and cost millions in lost revenue. 

(In fact, ransomware is the most common cyberattack in Namibia and could “cripple industries such as tourism, retail and logistics”.)

Beyond the rands and cents, a cyber incident can deeply undermine public confidence. 

If people worry that their personal data isn’t safe with Namibian companies, they’ll hesitate to use digital services. 

Breaches erode trust not only in the affected organisation, but in our broader push toward a digital economy. 

For a country striving toward Vision 2030’s connected future, large-scale cyberattacks could set back digital adoption by breeding fear and mistrust. 

Investors, too, might think twice: Just as M&S’s share price plummeted, a serious breach at a Namibian firm could scare off partners or lead to stock devaluation for publicly traded entities. 

And we must not overlook the cost of recovery. 

Incident response, forensic investigations, replacing hardware, and strengthening systems post-breach is enormously expensive. 

Often, specialised experts have to be flown in, and systems can take weeks to fully restore. 

Smaller businesses might never reopen at all – globally, 60% of small companies shut down within six months of a major cyberattack.

In short, if a Scattered Spider-type attack struck in Namibia, the damage would be felt economy-wide. 

It could disrupt essential services (from power grids to hospital systems), cause widespread inconvenience, and diminish citizens’ faith in our institutions. 

We cannot afford such a scenario, especially as we work to modernise and attract investment. 

The time to act is now, before we experience a cyber disaster that could have been prevented.

STRENGTHENING CYBER RESILIENCE

The M&S attack and our own recent cyber scares make one thing abundantly clear: Namibia must invest in cybersecurity readiness – proactively, not reactively. 

Government agencies, private companies, and IT professionals all have a role to play in raising our defences. Here are some urgent steps and practical measures:

1. Fortify the Human Firewall – through training and policies. 

Given that humans are the prime targets, educating staff is arguably our best defence. 

Regular cybersecurity training for employees at all levels is a must. This includes awareness of phishing techniques, social engineering red flags, and what to do if something seems suspicious. 

Companies should run practical phishing simulations and drills, so workers learn to spot scam emails and fake calls in a safe setting. 

Clear policies should require independent verification for sensitive requests – for example, if IT support gets a call to reset a password or disable MFA, they must verify the person’s identity through a second channel. (It’s no coincidence that after the M&S breach, the UK’s National Cyber Security Centre urged all companies to review their help desk processes to prevent exactly these kinds of impersonation attacks.) 

By instituting rigorous verification steps and a culture of “trust but verify”, we can close the door that Scattered Spider so deftly walked through.

2. Strengthen Technical Controls and Infrastructure. We need to harden our systems so that even if attackers do get in, they can’t cause widescale damage. 

Key measures include: wider adoption of MFA on all sensitive accounts (and training staff not to approve unexpected MFA prompts); keeping software and systems up-to-date with security patches to close known vulnerabilities; and conducting regular vulnerability assessments and penetration tests to find and fix weaknesses. 

Critically, businesses should segment their networks – in practice, this means isolating critical servers so that a compromise in one department doesn’t grant access to everything. 

For instance, a breach in a guest Wi-Fi network should never allow an attacker to jump to a company’s finance database. 

Segmentation, along with robust firewalls and monitoring, can contain intruders before they wreak havoc. 

It’s also vital to secure and frequently back up data in offline or cloud vaults. 

If ransomware hits, having recent backups stored safely can make the difference between a bad day and a company-ending event. 

In short, basic cyber hygiene and architecture upgrades can drastically limit the blast radius of an attack.

3. Prepare for Incident Response – Don’t Be Caught Off Guard. Even the best defences cannot stop every attack, so organisations must prepare for the worst. 

Every company, no matter how small, should have an incident response plan: a playbook of what to do (and who to call) when – not if – a breach occurs. 

This plan should include technical steps (like isolating infected machines, changing passwords, activating backups) as well as communication strategies to inform customers, partners, and authorities. 

Conduct regular incident response drills just as you would a fire drill. 

The first hours of a cyber incident are chaotic; having a practiced plan can save precious time and limit damage. 

Businesses should also establish relationships with cybersecurity firms and maybe even consider cyber insurance for financial protection. 

An often overlooked aspect is public transparency and trust management: Hiding a breach is a mistake that can violate emerging regulations and shatter public confidence if (when) the truth comes out. 

A better approach is to respond swiftly and openly – Namibian consumers are more likely to forgive an incident if they see the company acted responsibly and learned from it.

4. Strengthen National Policies and Collaboration. Cybersecurity is not just an IT department’s problem; it’s a national security and economic issue. Policymakers should expedite the passage and implementation of the Cybercrime Bill and Data Protection Bill to provide a strong legal backbone for prosecuting cybercriminals and enforcing minimum standards. 

Regulations can push critical sectors (banks, telecoms, utilities) to meet baseline security controls and conduct audits. 

At the same time, the government and private sector must collaborate on threat information sharing. 

Industry-wide alerts and best-practice guidelines (like those from Namibia’s national cyber response team or Cran) should be regularly disseminated, so a tactic spotted at one organisation can be quickly communicated to all. 

We may even consider establishing a dedicated national Cybersecurity Centre akin to the NCSC in the UK – a hub to coordinate responses and guidance. 

Public awareness campaigns are also key: just as we educate about road safety, we should educate the public about cyber safety, encouraging basic steps like using strong passwords and being skeptical of unsolicited messages. Cybersecurity education initiatives, workforce development and incentives through NTA to train more local cybersecurity experts will help address the skills gap over the longer term.

5. Treat Cybersecurity as an Investment, Not an Expense. Finally, a mindset shift is needed in Namibia’s boardrooms and government offices. 

We must recognise that spending on cybersecurity is crucial insurance for our digital future. 

In the US and EU, businesses reportedly invest between 2% to 5% of their annual revenue on cybersecurity (roughly 6% of IT budgets). 

They do so because the cost of not investing is far greater – as M&S painfully learned. 

Namibian enterprises should similarly allocate budgets to security tools, expert staff, and training programmes. 

This includes small and medium businesses; no one gets a free pass from cyber threats. 

Yes, cybersecurity can be costly, but a major breach could cost orders of magnitude more in losses and recovery. 

Leaders should ask themselves: Can we afford not to spend on security? 

Forward-thinking companies around the world now treat cyber risk on par with financial or operational risk, integrating it into enterprise risk management. 

We need the same approach here. 

Strong cybersecurity isn’t just protection – it can be a market differentiator that boosts customer trust and enables the digital services that will drive Namibia’s growth.

THE TIME TO ACT IS NOW

The Scattered Spider attack on Marks & Spencer is more than a news story – it’s a warning. It showed how a clever adversary could leverage a single point of weakness – human trust – to dismantle a giant’s defences. 

If such an attack struck a major Namibian company or institution tomorrow, would we fare any better? The honest answer today is: Probably not. 

But with urgent action, we can change that answer. 

Namibia’s organisations, large and small, must not wait for a disaster to implement these lessons. 

We’ve already had our wake-up calls (from attempted bank scams to the Telecom Namibia breach) – now we must respond.

Cybersecurity is a shared responsibility. 

Business leaders need to champion it, IT professionals must continuously fortify it, policymakers should codify it, and every employee and citizen has to play their part in maintaining it. 

Our country’s aspiration to be a regional economic and digital leader depends on getting this right. 

We cannot build a modern digital economy on a foundation of weak security – the risks are too great. 

By learning from incidents like the M&S cyberattack and taking proactive steps, Namibia can bolster its cyber resilience. 

The cost of preparedness is far lower than the cost of complacency. 

Let’s heed the cautionary tale of M&S and ensure that when the next cyber threat comes knocking, Namibia’s door stays firmly shut.

– Job Angula is an information security professional and co-founder of Accelerate Advisory Services (Pty) Ltd.

.

In an age of information overload, Sunrise is The Namibian’s morning briefing, delivered at 6h00 from Monday to Friday. It offers a curated rundown of the most important stories from the past 24 hours – occasionally with a light, witty touch. It’s an essential way to stay informed. Subscribe and join our newsletter community.