Supply chain hacks are surging — major breaches hit Marks & Spencer, NHS England
The Financial Times reported that 30% of nearly 8,000 cyber incidents in 2024 came through third-party suppliers. That was double the share in 2023.
Marks & Spencer
Marks & Spencer said in April 2025 that a supplier system was hacked. Online orders, gift card services, and food logistics were disrupted. The company estimated a £300 million profit hit.
On July 1, Chief Executive Stuart Machin said most of the impact would be over by August. By mid-August, Click & Collect and returns were restored, though some product delays continued.
NHS England / Synnovis
Synnovis, a pathology provider for London NHS trusts, was hit by ransomware in June 2024. NHS England said thousands of appointments were postponed when diagnostic and transfusion services were taken offline. The Qilin group claimed the attack.
In June 2025, UK officials confirmed the incident contributed to a patient’s death due to delayed blood test results.
Regulatory response
The European Union’s NIS2 Directive came into force in 2024, extending rules to more service providers and requiring stronger supply chain oversight.
In the UK, a Cyber Security and Resilience Bill has been drafted to replace the 2018 NIS regulations. It brings managed service providers and data centres into scope and sets stricter reporting rules.
Source(s)
- Marks & Spencer cyber attack: what happened and what data was stolen – Cyber Management Alliance
- Marks & Spencer suffers major cyber attack, warns of £300m profit hit – Associated Press
- NHS pathology provider Synnovis hit by ransomware attack – NHS England
- Qilin ransomware group publishes data after NHS Synnovis attack – Financial Times
- NIS2 and the UK Cyber Resilience Bill: what you need to know – Infosecurity Europe
- Modernising UK cyber regulation: implications of the Cyber Security and Resilience Bill – Darktrace
- UK NHS rolls out voluntary cyber charter for suppliers – Bank Info Security
