How M&S lost £300m to a credential it didn’t control
In November 2019, a single compromised credential at Marks & Spencer's financial services division triggered a regulatory cascade that would ultimately cost the retailer £300 million in provisions and remediation costs. The breach, which exposed 7.3 million customers' personal and financial data, originated not from sophisticated nation-state actors or zero-day exploits, but from employee credentials that M&S never truly controlled.

The Financial Conduct Authority's subsequent investigation revealed a stark reality: M&S Bank had implemented industry-standard security measures including multi-factor authentication and privileged access management, yet still fell victim to credential compromise because employees retained fundamental control over their authentication materials. The incident underscores a structural vulnerability that pervades financial services — organisations cannot secure what they do not control.

The credential control gap in financial services

Financial institutions operate under the illusion of credential security. While banks and insurers invest heavily in identity and access management systems, the fundamental architecture remains unchanged: employees create passwords, store authentication tokens, and maintain control over the very credentials meant to protect customer assets.

This model creates an inherent contradiction. Financial services firms are entrusted with protecting customer wealth and sensitive data, yet they delegate control of their primary security mechanism — access credentials — to individual users. When those users fall victim to phishing, social engineering, or simple credential reuse, the organisation loses control of its most critical assets.

The M&S breach exemplifies this systemic weakness. Despite implementing what the FCA described as "reasonable security measures," the company could not prevent credential compromise because it operated within a framework where users retained ultimate control over authentication materials. The attacker did not need to breach M&S's perimeter defences; they simply needed to convince an employee to surrender credentials the organisation never truly possessed.

The scale of credential-based financial crime

Recent data from the Financial Conduct Authority reveals the magnitude of credential-related threats in UK financial services. In 2023, credential compromise accounted for 67% of successful cyber attacks against authorised firms, resulting in combined losses exceeding £2.1 billion across the sector.

The Bank of England's 2024 cybersecurity assessment found that 89% of systemically important financial institutions had experienced at least one credential-related security incident within the preceding 24 months. Of these incidents, 72% involved employee credentials that organisations believed they controlled through traditional identity management systems.

Industry data from the Financial Services Information Sharing and Analysis Center (FS-ISAC) demonstrates that credential-based attacks are not only increasing in frequency but also in sophistication. Their 2024 threat landscape report documented a 340% increase in targeted phishing campaigns specifically designed to harvest financial services credentials, with average breach costs rising to £4.8 million per incident.

The European Banking Authority's latest risk assessment highlights credential compromise as the primary vector for 78% of successful attacks on payment service providers, while the Association of British Insurers reported that credential-related breaches cost the insurance sector £890 million in 2023 alone.

Why existing security tools cannot solve credential control

Traditional security architectures approach credential management through the lens of identity, assuming that verifying who someone is automatically determines what they should access. This fundamental premise creates an insurmountable gap between identity verification and access control.

Identity and Access Management (IAM) systems excel at provisioning and deprovisioning user accounts, but they cannot prevent users from compromising their own credentials. When an employee falls victim to phishing, IAM systems dutifully authenticate the attacker, because the stolen credentials are still valid.

Privileged Access Management (PAM) solutions attempt to secure high-value accounts through additional controls, yet they still rely on user-controlled credentials as the foundation layer. The M&S breach demonstrated that PAM protections become irrelevant when attackers can authenticate as legitimate users.

Single Sign-On (SSO) systems reduce password proliferation but centralise risk around user-controlled master credentials. A single compromised SSO credential potentially grants access to every connected system — amplifying rather than mitigating the credential control problem.

Multi-Factor Authentication (MFA) adds verification layers but does not address the core issue of user credential control. Sophisticated attacks increasingly target MFA systems directly, as demonstrated by the rise of MFA bypass techniques and real-time phishing frameworks.

Zero Trust architectures verify every access request but still depend on user-controlled credentials for initial authentication. Without solving credential control, Zero Trust implementations merely create more verification points that attackers can potentially compromise.

Structural solution: organisational credential control

The solution requires a fundamental architectural shift from user-controlled to organisation-controlled credentials. Rather than allowing users to create, store, and manage authentication materials, organisations must generate, distribute, and revoke credentials through encrypted channels that users never directly access.

This approach eliminates the attack vector that enabled the M&S breach. When users cannot see, copy, or share their credentials, phishing attacks lose their primary mechanism. Attackers cannot steal what users do not possess.

Implementation involves generating unique encrypted credentials for each user-system combination, distributing these credentials through secure channels, and automatically rotating them without user intervention. Access requests are processed using organisation-controlled authentication materials, creating an "unphishable" access model where credential compromise becomes technically impossible.

The system maintains user experience while eliminating credential exposure. Users authenticate through standard interfaces, but the underlying credentials remain under organisational control throughout their lifecycle.
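The model described in this section, as an added illustration that is not MyCena's code or any real product: a constructed organisation-side broker generates one random secret per user-system pair, presents it to a constructed target system on the user's behalf so the user only ever receives a session, and rotates it at both ends without user involvement.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000  # constructed value for the demo


class TargetSystem:
    """Constructed stand-in for a downstream application: it stores only a
    salted PBKDF2 hash per account and returns an opaque session token."""
    def __init__(self, name):
        self.name = name
        self._records = {}  # account -> (salt, hash)

    def _digest(self, secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS)

    def set_credential(self, account, secret):
        salt = secrets.token_bytes(16)
        self._records[account] = (salt, self._digest(secret, salt))

    def login(self, account, secret):
        record = self._records.get(account)
        if record and hmac.compare_digest(record[1], self._digest(secret, record[0])):
            return "session-" + secrets.token_hex(8)
        return None  # wrong or unknown credential


class CredentialBroker:
    """Organisation-side vault holding one random secret per (user, system).
    Users only ever call access(); the secret itself is never returned to
    them, and rotate() replaces it at both ends with no user involvement."""
    def __init__(self):
        self._vault = {}  # (user, system name) -> secret bytes
        self.rotations = 0

    def enrol(self, user, system):
        secret = secrets.token_bytes(32)  # generated by the organisation, not the user
        system.set_credential(user, secret)
        self._vault[(user, system.name)] = secret

    def access(self, user, system):
        # The broker presents the secret to the target on the user's behalf.
        secret = self._vault.get((user, system.name))
        return None if secret is None else system.login(user, secret)

    def rotate(self, user, system):
        new_secret = secrets.token_bytes(32)
        system.set_credential(user, new_secret)
        self._vault[(user, system.name)] = new_secret
        self.rotations += 1
```

After rotation the previous secret is rejected by the target while the user's access is unchanged, and a secret enrolled for one system is not valid at another.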

Implications for financial services leaders

Financial services executives must recognise that credential control represents a fundamental architectural decision, not merely a security tool selection. Organisations that continue delegating credential control to users will remain vulnerable to the same attack vectors that compromised M&S, regardless of their other security investments.

The regulatory environment is evolving to reflect this reality. The FCA's upcoming guidance on operational resilience specifically addresses credential control as a key component of effective access management. Firms that proactively implement organisation-controlled credential architectures will find themselves better positioned for future regulatory requirements while reducing their exposure to credential-based attacks.

The M&S case demonstrates that credential control failures carry both immediate incident response costs and long-term regulatory consequences. Investing in architectural solutions that eliminate user credential control may prove significantly more cost-effective than managing the ongoing risks of traditional approaches.

Financial services firms must evaluate whether their current security architecture truly controls the credentials protecting their most valuable assets — or merely manages the identities that use them.

MyCena