Key Takeaways
1. In 2024, 30% of cyber incidents were linked to third-party suppliers, doubling from 2023.
2. Marks & Spencer’s supplier system breach in April 2025 caused significant disruptions and an estimated £300 million profit loss.
3. Recovery from the Marks & Spencer breach was expected by August 2025, with some services resumed but ongoing product delays.
4. A ransomware attack on Synnovis in June 2024 led to postponed NHS appointments and was linked to a patient’s death due to delay in blood test results.
5. The EU’s NIS2 Directive and the UK’s upcoming Cyber Security and Resilience Bill aim to enhance regulations and oversight of supply chains and service providers.
The Financial Times highlighted that in 2024, 30% of nearly 8,000 cyber incidents were traced back to third-party suppliers, a share that doubled compared with 2023.
Marks & Spencer’s Supplier System Breach
In April 2025, Marks & Spencer announced that their supplier system had been compromised. This breach caused disruptions in online orders, gift card services, and food logistics. The company estimated that the incident would lead to a profit loss of around £300 million.
Recovery Timeline
On July 1, Chief Executive Stuart Machin stated that the majority of the impact would likely be resolved by August. By mid-August, services like Click & Collect and returns were back in operation, although some products still faced delays.
Ransomware Attack on Synnovis
In June 2024, Synnovis, a pathology service provider for London NHS trusts, fell victim to a ransomware attack. NHS England reported that thousands of appointments had to be postponed due to the shutdown of diagnostic and transfusion services. The Qilin group claimed responsibility for the attack.
Serious Consequences
By June 2025, UK officials confirmed that this incident had a tragic consequence, contributing to a patient’s death because of delayed blood test results.
New Regulations
The European Union’s NIS2 Directive became effective in 2024, broadening the rules to include more service providers and mandating improved oversight of supply chains.
Cyber Security Measures in the UK
In the UK, a new Cyber Security and Resilience Bill is being prepared to replace the NIS regulations from 2018. This proposed legislation will include managed service providers and data centers under its scope, along with stricter rules for reporting incidents.