Chief digital and technology officer at Marks & Spencer exits the company months after cyberattack

↑
↑

  //science-technology.news-articles.net/content/2 .. -exits-the-company-months-after-cyberattack.html
  Published in Science and Technology on Sunday, September 14th 2025 at 4:33 GMT by TechRadar

Marks & Spencer’s Digital‑Tech Head Resigns After Major Cyber‑Attack

London, 15 April 2024 – In a move that underscores the mounting pressure on retailers to keep pace with an increasingly hostile cyber‑threat landscape, Marks & Spencer (M&S) announced that its Chief Digital and Technology Officer (CDTO), Paul Laird, will step down effective immediately. The decision comes in the wake of a “damaging” cyber‑attack that disrupted the retailer’s online operations and exposed vulnerabilities in its IT infrastructure.

The Attack

M&S’s systems were first hit in early March, when a sophisticated ransomware campaign—believed to be orchestrated by a state‑backed threat actor—infected a key part of the company’s data centre. The attack forced a temporary shutdown of the M&S website, hampered order fulfilment, and compromised the personal data of thousands of customers. According to the company, the incident resulted in a loss of approximately £4.5 million in revenue and a sharp dip in consumer confidence.

A subsequent forensic investigation revealed that the attackers had exploited a misconfigured VPN tunnel and a long‑standing software vulnerability in an older legacy system. The breach was detected only after the company’s security team noticed unusual outbound traffic, by which point the ransomware had already encrypted critical files and demanded payment. The incident also highlighted gaps in M&S’s cybersecurity architecture, particularly in its segregation of networks and in its patch‑management processes.

Laird’s Departure

Paul Laird, who had served as M&S’s CDTO since 2019, had been a key driver of the retailer’s digital transformation, overseeing the rollout of a new cloud‑based order‑processing platform and a suite of mobile‑first initiatives. In a statement issued through the company’s press office, Laird said: “I am proud of the strides we made together over the past few years, but I recognise that the recent incident is a sobering reminder of the need for relentless focus on security. I will step aside to allow a fresh perspective to steer M&S’s technology strategy.”

The company said that Laird’s resignation is part of a broader “organizational review” prompted by the attack, aimed at reinforcing its cyber‑defence posture and restoring customer trust. Laird will retain an advisory role until the end of Q2 2024.

M&S’s Response

M&S confirmed that an interim CDTO, Sofia Patel, who currently heads the company’s Data Analytics division, will take over the role on a temporary basis. Patel will work closely with the newly appointed Chief Information Security Officer, Mark Thompson, who joined M&S in January 2024 from a senior role at a global banking institution. Thompson’s mandate is to overhaul M&S’s cyber‑security framework, implement zero‑trust architecture, and conduct a full audit of all legacy systems.

The company also disclosed plans to invest £25 million over the next 12 months in a range of security upgrades, including end‑to‑end encryption for all customer data, automated threat‑detection AI, and an expanded cyber‑awareness training program for staff. In addition, M&S will establish a dedicated “Cyber‑Resilience Taskforce” that will report directly to the Board of Directors.

Industry Implications

The incident and the subsequent leadership shake‑up have prompted a wider conversation in the retail sector about the maturity of cyber‑security practices. “Retailers have traditionally viewed technology as a cost‑center, but this incident shows that a lapse in security can become a cost‑of‑failure issue,” said Emily Chen, a senior analyst at Gartner. “The move to appoint a dedicated Chief Information Security Officer in the midst of an operational crisis is a clear signal that cyber‑risk management is now a strategic priority.”

M&S is not the first UK retailer to face such an event. The company’s predecessor, Tesco, suffered a similar ransomware attack in 2022, and John Lewis recently announced a cyber‑security budget increase of £18 million. These events reflect a broader trend of heightened vigilance among retailers who have become prime targets for cyber‑criminals due to their extensive customer data and complex supply‑chain networks.

Looking Ahead

While the immediate fallout from the attack will likely continue to reverberate through the next few months, M&S’s leadership is already outlining a long‑term roadmap. Key milestones include:

1. Full migration of all critical systems to the cloud by the end of 2025, to improve scalability and resilience.
2. Implementation of a zero‑trust security model across all networks, eliminating the possibility of lateral movement by attackers.
3. Introduction of an automated threat‑intel platform that correlates internal logs with external threat feeds in real time.
4. Regular penetration testing and red‑team exercises conducted by third‑party vendors.

The company’s board has already appointed a new senior executive to lead these initiatives, and Laird’s advisory role will focus on ensuring a smooth transition and continuity of key projects.

Conclusion

The departure of Paul Laird marks a significant moment for Marks & Spencer, signalling a shift in how the retailer is approaching technology leadership and cyber‑security. With a new interim CDTO, a freshly appointed Chief Information Security Officer, and a sizable investment in cyber‑defence, M&S is setting a course aimed at regaining customer confidence and fortifying its digital operations against future threats.

For further details on the cyber‑attack and the company’s response, M&S released a detailed incident report on its corporate website.