If you saw the recent headlines about the Marks and Spencer data breach, you might’ve assumed it was a high-level hack pulled off by a sophisticated group of cybercriminals. But the truth is far more familiar and far more common. It wasn’t malware, it wasn’t ransomware… it was human error.
In this case, a technical misstep reportedly allowed Marks and Spencer staff to view each other’s private HR information via their internal self-service system. That is sensitive, personal data visible to unintended users, and an issue that should’ve been caught early, long before it made headlines.
It’s the kind of incident that flies under the radar until it happens to you. And if your organisation doesn’t have the IT budget or security resources that a brand like M&S has, it’s even more reason to take notice. This wasn’t a one-in-a-million breach. This is something that could happen in any business with access to employee data, which, let’s face it, is most of us.
The Real Story Behind the Marks and Spencer Data Breach
What makes the Marks and Spencer data breach noteworthy isn’t just that it involved a household name, but that it shows how everyday oversights can become major security issues. From what’s been reported, this wasn’t a “cyber attack” in the traditional sense; it was a permissions misconfiguration, a breakdown in access control.
In other words, no hackers had to break in. The doors were already open, unintentionally, but open nonetheless.
This type of breach sits squarely in the category of preventable mistakes. And that’s what makes it so relevant. If a company with enterprise-grade systems and experienced IT teams can miss something like this, what does that mean for the average small or mid-sized business trying to juggle HR, finance, and operations on a tighter budget?
It means you can’t afford to ignore the basics.
Why Human Error Remains the Biggest Cyber Risk
You’ve likely heard a lot about ransomware, phishing, and other big-ticket threats. And yes, those are serious problems. But here’s what many people outside the IT world don’t realise: human error in cybersecurity is the root cause of the majority of security incidents.
That includes:
- Sending sensitive data to the wrong recipient
- Clicking on malicious links in emails
- Misconfiguring software tools
- Failing to limit access to confidential information
In the M&S case, it seems to have come down to access settings within an HR platform, something that should’ve been subject to regular checks. The sad part? This kind of mistake is entirely avoidable with the right processes in place.
Understanding Access Control (And Why It’s Often Overlooked)
Access control isn’t the flashiest part of your IT setup, but it might be the most important. It’s about who can access what and whether that access is truly necessary.
Poor access control can lead to:
- Confidential employee or client data being exposed
- Ex-staff retaining access to systems they shouldn’t
- Systems being more vulnerable to internal threats, not just external ones
Good access control means setting clear, role-based permissions and reviewing them regularly. Not just when someone joins or leaves the company, but as roles change or systems are updated. You also need to test those settings from the user’s perspective to catch any unexpected visibility.
How to Minimise Human Error in Your Organisation
Let’s be honest: no system is perfect. People will make mistakes. The goal isn’t to create a zero-error environment; that’s impossible. The goal is to reduce the number of mistakes that matter.
Here’s what that looks like in practice:
- Access Reviews – Regularly check who has access to what and whether they still need it.
- Cyber Awareness Training – Make sure all staff know how to handle data correctly, recognise phishing emails, and report anything suspicious.
- Use Role-Based Access – Only give people access to the systems or files they need. Not everyone needs admin rights.
- Simulate Common Errors – Test your systems by clicking the wrong buttons, sending the wrong files, or logging in as different roles to see what breaks.
- Have Clear Reporting Channels – If someone notices something odd (like seeing data they shouldn’t), they need to know who to tell and how quickly.
These aren’t technical fixes that require a huge IT budget; they’re management and training practices that support a safer workplace.
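The access model described under “Understanding Access Control” and the “log in as different roles to see what breaks” practice above, as an added example that is not part of the original post: a small Python access check for an HR self-service system, with a misconfigured policy (every employee can read every record) beside the corrected least-privilege one, and a review routine that exercises every user against every record and reports unexpected visibility. The users, records and policies are constructed for illustration.

```python
from itertools import product

# Constructed sample data for a tiny HR self-service system (no real people).
RECORDS = {
    "e101": {"owner": "e101", "department": "Retail"},
    "e102": {"owner": "e102", "department": "Retail"},
    "e201": {"owner": "e201", "department": "Finance"},
}
USERS = {
    "e101": {"role": "employee", "department": "Retail", "active": True},
    "e102": {"role": "employee", "department": "Retail", "active": True},
    "e201": {"role": "employee", "department": "Finance", "active": False},  # has left the company
    "m100": {"role": "manager", "department": "Retail", "active": True},
    "h001": {"role": "hr_admin", "department": "HR", "active": True},
}

# Role -> scope of HR records that role may read ("own", "department" or "all").
MISCONFIGURED = {"employee": "all", "manager": "department", "hr_admin": "all"}
CORRECTED = {"employee": "own", "manager": "department", "hr_admin": "all"}


def can_view_record(user_id, record_id, policy, check_active=True):
    """Authorisation decision: may user_id read record_id under this policy?"""
    user, record = USERS[user_id], RECORDS[record_id]
    if check_active and not user["active"]:
        return False  # leavers lose access regardless of their old role
    scope = policy.get(user["role"], "none")
    if scope == "all":
        return True
    if scope == "department":
        return record["department"] == user["department"]
    if scope == "own":
        return record["owner"] == user_id
    return False  # unknown role or scope: deny by default


def access_review(policy, check_active=True):
    """Log in as every user and request every record, flagging unexpected visibility."""
    findings = []
    for user_id, record_id in product(USERS, RECORDS):
        if not can_view_record(user_id, record_id, policy, check_active):
            continue
        user = USERS[user_id]
        if not user["active"]:
            findings.append(("leaver_has_access", user_id, record_id))
        elif user["role"] == "employee" and RECORDS[record_id]["owner"] != user_id:
            findings.append(("employee_sees_colleague", user_id, record_id))
    return findings


if __name__ == "__main__":
    for name, policy, strict in (("misconfigured", MISCONFIGURED, False), ("corrected", CORRECTED, True)):
        print(name, access_review(policy, check_active=strict))
```

Run it and the misconfigured policy with leaver deprovisioning switched off produces seven findings, while the corrected policy produces none.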
Why This Applies to Small and Medium Businesses Too
It’s easy to read about an M&S incident and think, “That wouldn’t happen to us, we’re much smaller.” But that’s exactly why it’s relevant. Big businesses like M&S have entire departments focused on IT security and compliance, and mistakes still slip through.
Smaller companies don’t have the same resources, which means the margin for error is even slimmer. In fact, many smaller firms don’t realise they’ve exposed sensitive data until a customer flags it, or worse, an external regulator does.
Where Managed IT Support Makes the Difference
If all this sounds a bit overwhelming, you’re not alone. Managing security, access, and training isn’t something most business owners want on their daily to-do list.
That’s where managed IT support comes in.
A good IT partner can:
- Run regular access and permissions audits
- Help document your systems, users, and risks
- Deliver staff training to reduce human error
- Spot weak points in your setup before they turn into problems
At Commercial Networks, we work with small and medium-sized businesses to strengthen security without overcomplicating things. You don’t need to become a tech expert; you just need a partner who knows where the risks are hiding and how to clean them up.
📞 Ready to talk through your risks? Give us a ring on 0333 444 3455
📧 Or email sales@cnltd.co.uk for a no-pressure IT health check.
Further Reading
- Reuters – M&S says hackers gained access via a third‑party contractor, not a system breach (Reuters, Cybernews, blackfog.com)
- Guardian – Chair notes multiple unreported attacks and the need for mandatory reporting (The Guardian)
- Security Magazine / id‑Agent – Breakdown of how help‑desk social engineering triggered a widespread attack (idagent.com)