May 2025
Crisis comms in the spotlight: How M&S managed its cyberattack
Written by Positive Team

When Marks & Spencer was hit by a cyberattack over Easter 2025, the headlines focused on stolen customer data and suspended services. But for communicators and crisis managers, the incident offered something equally significant: a real-time stress test of how a legacy brand responds under digital fire.
The breach, believed to have been carried out by a well-known ransomware group, exposed personal details of thousands of customers and forced M&S to take its online ordering system offline for weeks. Financially, the company faced tens of millions in lost revenue and a sharp hit to investor confidence. But reputationally, the real risk lay in how the story was told, and who got to tell it first.
Getting the opening moves right
M&S’s initial response hit the right notes. The communications team moved quickly, informing customers of the breach, reassuring them that financial data and passwords were safe and providing clear, actionable steps. The tone was calm but serious, striking a balance between transparency and control. It’s likely that media statements, customer emails and internal guidance were all drawn from a well-rehearsed crisis playbook – and it showed.
In this critical first window, the brand was able to shape the narrative, reassure stakeholders and demonstrate leadership. This phase is often where lasting reputational impressions are formed, and M&S appeared well-prepared.
The silence that spoke volumes
But effective crisis comms is not just about speed; it’s about stamina. After the strong early messaging, M&S’s voice began to fade. Updates became sparse, and the company appeared less visible in shaping the evolving story. Whether this was a legal decision, a shift in priorities or simply fatigue, the vacuum left by their silence was quickly filled by media speculation and critical commentary.
The shift was subtle but important: from being the source of trusted information to being a subject of analysis. For a brand built on reliability and public trust, that’s a risky transition.
A more proactive approach during this phase, acknowledging uncertainty, sharing timelines or even framing the broader cybercrime context, could have maintained momentum and kept M&S on the front foot. In high-stakes incidents, silence isn’t neutral. It’s interpretive.
What crisis communications gets right, and misses
Internally, M&S was doing the right things: working with law enforcement, deploying cybersecurity teams and reviewing systems. But public perception doesn’t always mirror operational reality. What audiences see and hear – and when – can matter as much as what actually happens behind the scenes.
That’s where many brands struggle: aligning internal response with external expectations. Especially in an era when consumers are hyper-aware of data privacy and deeply sensitive to transparency, the pressure on corporate comms is relentless.
Reputation recovery is a process, not a postmortem
M&S’s experience offers a valuable case study in modern crisis communication. They demonstrated the power of a strong opening response – grounded in clarity, tone and reassurance. But the second act, the long, quiet middle, reminds us that comms is not just about extinguishing panic; it’s about maintaining trust through the long tail of uncertainty.
For crisis managers and communicators alike, the takeaway is simple: a breach may last hours, but its reputational shadow stretches for weeks or even months. The brands that navigate this well are those that treat communication not as a reaction, but as a core part of the response strategy.