In February 2025, a threat actor associated with the Scattered Spider collective gained initial access to the network of Marks and Spencer, one of the UK’s most recognizable retailers, through Tata Consultancy Services, a third-party IT services provider with a decade-long relationship with the company. The initial compromise was not detected for weeks.
On April 24, 2025, the attackers deployed DragonForce ransomware across M&S’s VMware ESXi hosts. Virtual machines were encrypted. Automated stock ordering systems went offline. Warehouses reverted to manual operations. Online sales, representing roughly 3.8 million pounds in daily revenue, were suspended entirely for 46 days.
Pre-tax profits fell from £391.9 million to £3.4 million in the six months following the incident. Incident response and recovery costs reached £82.7 million. Over £1 billion was wiped from M&S’s market value in the weeks that followed. In September 2025, the company’s Chief Digital and Technology Officer stepped back from her role.
The attackers did not breach M&S directly. They compromised a trusted vendor, inherited that vendor’s access, and moved laterally through an environment that had no reason to treat them as a threat.
That is the structural problem with supply chain attacks. By the time your SOC flags anomalous activity, the attacker has already been inside for weeks, operating under credentials your systems recognize and trust.
The breach did not start inside your walls. But the moment it crosses into your environment, it is your incident. Your liability. Your board meeting. Your headline.
What happens in the 72 hours after that moment determines everything.
You Did Not Cause This Incident. You Still Own It.
Supply chain attacks have become the second most common initial access vector in 2025. Third-party vendor and supply chain compromise is now the second costliest breach type, averaging $4.91 million per incident.
The scale of the problem has doubled in a single year. Third-party breaches now account for 30% of all data breaches, a 100% increase year over year, according to the Verizon Data Breach Investigations Report 2025.
Detection is slow. Response is slower. Supply chain compromises took a combined 267 days to detect and contain last year. By that point, the attacker has had months of uncontested access inside your environment.
The M&S breach follows this pattern precisely. The initial TCS compromise happened in February 2025. The ransomware detonated in April. That is a nine-week dwell period during which the attacker moved freely through a trusted, credentialed environment.
Here is the problem that no vendor questionnaire solves. When a supplier with legitimate access to your systems is compromised, the attacker inherits that trust. Your perimeter controls do not flag the activity. Your SIEM does not alert on it. The connection looks exactly like every other authorized vendor session.
As David Manzanero Iglesias, head of Cipher’s x63 Unit, put it: “Adversaries no longer need to directly breach a large company. They only need to compromise one of their technology providers to scale the impact silently and massively.”
When the breach crosses into your environment, the regulatory clock starts. The press does not write about the vendor. Customers do not call the vendor. The board does not summon the vendor’s CISO.
They call yours.

The 72-Hour Window. And Why Most Organizations Waste It.
In 2025, the average time from initial access to lateral movement dropped to 34 minutes. The fastest recorded intrusion reached lateral movement in just 4 minutes — an 85% acceleration from the year before.
You have 72 hours to contain, assess, and communicate. The attacker needed minutes to get in.
Here is how to use that window correctly.
Hour 0 to 6: Confirm and Contain
This is the most consistently mismanaged phase of any supply chain incident. The instinct is to investigate before acting. That instinct costs hours you cannot recover.
Most organizations spend the first six hours in a confirmation loop: Is the breach real? Is it our problem or the vendor’s? Who has the authority to escalate? Meanwhile, the attacker continues moving laterally through a trusted environment, uncontested.
The correct posture is to treat a credible indicator of compromise as a confirmed incident and act immediately. Confirmation runs in parallel with containment. It never precedes it.
What needs to happen in this window:
- Declare an internal incident. Even if unconfirmed. This activates response protocols, assigns authority, and starts the clock on legal and regulatory obligations.
- Suspend all integrations tied to the affected vendor. API connections, OAuth tokens, shared credentials, and any third-party access linked to the compromised supplier. In the M&S breach, a trusted TCS connection was the entry point. Trusted is not the same as safe during an active incident.
- Activate a single incident commander. One person. Clear authority. No committee. Decentralized response in the first six hours is one of the most common failure patterns in supply chain incidents.
- Preserve forensic integrity immediately. Log retention, evidence handling, and chain of custody for affected systems must be established now. Missing logs due to data retention issues doubled year over year in 2025, largely driven by firewall appliances with default retention of only seven days. What you can prove later depends entirely on decisions made in this phase.
Hours 6 to 24: Assess and Communicate
This is the most politically dangerous phase. Partial information is now available. Pressure is arriving from every direction simultaneously. Legal wants an exposure assessment. The board wants a briefing. Customers are asking questions. The vendor may have issued a statement that contradicts your internal findings.
The risk in this phase is not inaction. It is a premature or uncoordinated action.
- Establish a single source of truth. One document, owned by the incident commander, updated in real time. No informal Slack threads making consequential decisions.
- Map your exposure, not the vendor’s. What data, systems, and customer records were accessible through the compromised integration? That scope defines your liability. Not the vendor’s internal assessment of their own breach.
- Engage external counsel before communicating externally. Attorney-client privilege attaches the moment counsel is retained. Communications drafted and sent before that point are discoverable. This is a decision that cannot be corrected retroactively.
- Notify deliberately and in the correct order. Under GDPR, organizations must notify regulators within 72 hours of becoming aware of a breach. NIS2 and sector-specific frameworks carry their own timelines and requirements. The order, timing, and wording of notifications carry legal consequences. Do not improvise this.
The communication issued to your board and the communication issued to affected customers are not the same document. They should not be drafted simultaneously, by the same team, without legal review.

Hours 24 to 72: Investigate and Stabilize
Immediate containment is in place. First notifications have gone out through appropriate channels. Now the sustained work begins. This is where most organizations hit a wall. Their IR capacity was built for a sprint. Supply chain incidents require a three-day sustained operation.
- Conduct full kill chain forensics. How did the attacker move from the vendor’s environment to yours? What was the initial access vector, the dwell time, and the lateral movement path? In the M&S case, the attacker had nine weeks of undetected access before ransomware was deployed. Understanding that full timeline is not optional. It determines both the legal defense and the remediation scope.
- Get vendor evidence in writing. You need their logs, their timeline, and their written disclosure of what systems were affected and when. Verbal assurances are not evidence. This documentation will matter in litigation and regulatory review.
- Make deliberate business continuity decisions. What integrations stay suspended? What manual workarounds are live? What is the operational cost per day and who is authorized to accept it? These decisions need an owner and a documented rationale.
- Establish a stakeholder communication cadence. Daily internal briefings on confirmed facts and open questions. External updates on a controlled schedule with legal review. No surprises for the board. No silence for customers.
One critical point for this phase: stabilization is not resolution. In 2025, 88% of ransomware payloads were deployed during non-business hours. A second threat actor claiming access to the same exfiltrated data is not a hypothetical. Declaring an incident closed before the full scope is confirmed creates the conditions for a second crisis built on top of the first.
The Real Problem Is Not the Breach. It Is the Plan You Never Stress-Tested.
Every organization with significant vendor relationships has a third-party incident response plan documented somewhere. Very few have tested it under conditions that resemble a real supply chain event.
Not a clean tabletop exercise with cooperative participants and full system visibility. A real scenario: a vendor that stops responding, a legal team paralyzed by liability exposure, a board demanding answers on a two-hour cycle, and an IR team making critical decisions on four hours of sleep.
The M&S breach did not fail at the technical layer. The attack succeeded because Scattered Spider exploited human factors, specifically social engineering of IT helpdesk staff, to gain initial access through a trusted third-party provider. The gap was not in the firewall. It was in the process.
That gap exists in most organizations. And it only becomes visible during an active incident, which is the worst possible time to discover it.
Three questions every CISO should be able to answer before an incident occurs:
- Can you name your incident commander right now, in under ten seconds?
- Do your vendor contracts include explicit rights to forensic data, logs, and breach timelines in the event of a compromise?
- Has your communications team ever drafted a breach notification letter before one was legally required?
If any of those created hesitation, that is the work that needs to happen before the next call comes in.
Supply chain incidents are not a question of if. By 2025, 70% of organizations reported experiencing a third-party breach, with 25% of those reporting breaches involving five or more third parties simultaneously.
The organizations that survive these incidents with their operations and reputation intact are not the ones with perfect vendor security. They are the ones that knew exactly what to do before the breach arrived.
72 Hours Is Not a Long Time. It Is All the Time You Get.
The M&S incident took nine weeks to detect. Once the ransomware was deployed, the damage was measured in days, not months. Online revenue gone. Warehouse operations manual. A technology executive out of her role. Over one billion pounds wiped from market value.
None of that was inevitable. Some of it was.
The inevitable part is that a trusted vendor will be compromised at some point. That is no longer a risk scenario. It is an operational reality.
What is not inevitable is the outcome.
The organizations that contain supply chain incidents quickly share one common characteristic. They had already made every major decision before the breach occurred. Who leads the response. Who communicates externally. What gets suspended immediately. What legal protections get activated first.
When those decisions are made in advance, the first six hours look completely different. When they are made under pressure, during an active incident, with incomplete information and a board calling every hour, they look like M&S.
Preparation is not a guarantee. It is the only variable you still control before the call comes in.
Know Your Gaps Before an Attacker Does.
Most organizations discover the weaknesses in their incident response plan during an active breach. That is the most expensive way to find them.
ThreatScene conducts Third-Party IR Readiness Reviews. A focused engagement that pressure-tests your current response plan against real supply chain breach scenarios, identifies where your decision structure breaks down, and tells you exactly where your exposure is highest.
If the 3 questions in the previous section gave you pause, that is where we start.
Book a consultation with our team to review your readiness.
Stay ready. Stay resilient. Stay operational.

REFERENCES
eSecurity Planet: Cybersecurity trends
https://www.esecurityplanet.com/trends/cybersecurity-trends/
SecurityScorecard: How to stay updated on cybersecurity threats and trends
https://securityscorecard.com/blog/how-to-stay-updated-on-cybersecurity-threats-and-trends/
World Economic Forum: Global Cybersecurity Outlook 2025 (digest)
https://www.weforum.org/publications/global-cybersecurity-outlook-2025/digest/
Secureframe: Data breach statistics
https://secureframe.com/blog/data-breach-statistics
DeepStrike: Supply chain attack statistics 2025
https://deepstrike.io/blog/supply-chain-attack-statistics-2025
Foley: Combatting supply chain cyber threats and protecting digital supply chains (Oct 2025)
https://www.foley.com/insights/publications/2025/10/combatting-supply-chain-cyber-threats-and-protecting-digital-supply-chains/
CSO Online: CISOs’ top 12 cybersecurity priorities for 2025
https://www.csoonline.com/article/3809187/cisos-top-12-cybersecurity-priorities-for-2025.html
Prosegur: Supply chain cyberattacks double in 2025, global cost $53.2B
https://www.prosegur.com/en/media/article/press/ciberataques-cadena-suministro-duplican-2025-coste-global-53200-millones-dolares
ReliaQuest: 2026 Annual Cyber Threat Report
https://reliaquest.com/blog/2026-annual-cyber-threat-report
SentinelOne: Cyber security trends
https://www.sentinelone.com/cybersecurity-101/cybersecurity/cyber-security-trends/
SecurityMEA: Two-thirds of 2025 cyber incidents stemmed from identity compromise
https://securitymea.com/2026/02/25/two-thirds-of-2025-cyber-incidents-stemmed-from-identity-compromise/
ISACA: Cybersecurity trends to watch in 2025
https://www.isaca.org/resources/news-and-trends/industry-news/2025/cybersecurity-trends-to-watch-in-2025


