When Marks & Spencer's former head of technology sold the retailer's customer database to competitors in 2022, the £300 million damages weren't just about lost data. They revealed a fundamental weakness in how financial services and retail organisations control access to their most valuable assets.
The M&S case, which concluded in the High Court this year, centred on a senior executive who retained access to critical systems after joining a competitor. Despite sophisticated identity management systems, the organisation had no control over the actual credentials that unlocked its commercial crown jewels.
The Hidden Vulnerability in Financial Services Access Control
Financial services firms invest heavily in identity and access management, yet most operate under a dangerous assumption: that users will responsibly manage the credentials they create. This model treats identity verification and access control as synonymous—a conflation that costs the sector billions annually.
The fundamental issue isn't who someone is, but how they access systems. Current approaches focus on authenticating identity through passwords, tokens, or biometrics that users ultimately control. Once authenticated, these credentials become transferable assets that can be shared, stolen, or retained beyond employment.
For financial institutions handling sensitive customer data, trading algorithms, or regulatory filings, this represents an unquantified risk. The moment an employee creates a password or receives an authentication token, the organisation cedes control of that access pathway.
The Scale of Credential-Based Losses
Industry data reveals the magnitude of this vulnerability. The 2024 Verizon Data Breach Investigations Report found that 68% of breaches in financial services involved human elements—predominantly credential misuse rather than sophisticated technical attacks.
IBM's Cost of a Data Breach Report 2024 places the average cost of a financial services breach at £4.8 million, with credential compromise being the leading attack vector in 31% of cases. More significantly, breaches involving stolen credentials take an average of 292 days to identify and contain—nearly double the timeline for other attack types.
The Financial Conduct Authority's annual enforcement actions provide additional context. In 2023, UK financial firms faced £206 million in penalties, with operational resilience failures—often linked to inadequate access controls—representing the fastest-growing category of violations.
These figures exclude the hidden costs of insider threats and competitive intelligence loss, as demonstrated in the M&S case, where the damage extended far beyond immediate financial penalties to encompass long-term market disadvantage.
Why Current Solutions Fall Short
Identity and Access Management (IAM) systems excel at verifying who should have access but cannot control how that access is exercised once granted. Even sophisticated implementations using role-based access control merely determine the scope of permissions, not the security of the access mechanism itself.
Privileged Access Management (PAM) solutions attempt to address this by monitoring and recording high-risk activities, but they fundamentally rely on users controlling their own authentication. A privileged user with legitimate credentials appears identical to a malicious actor using those same credentials.
Single Sign-On (SSO) systems consolidate the problem rather than solve it. By reducing multiple credentials to a single authentication point, they create a more valuable target while maintaining user control over the critical access pathway.
Multi-Factor Authentication (MFA) adds layers of verification but doesn't address the core issue. The factors—whether SMS codes, authenticator apps, or hardware tokens—remain under user control and can be transferred, shared, or compromised.
Zero Trust architectures promise "never trust, always verify" but typically implement this through user-controlled credentials verified at each access point. The trust model remains fundamentally flawed if the verification mechanism itself cannot be trusted.
The common thread across all these approaches is that they enhance the security of user-controlled credentials rather than eliminating user control entirely.
The Structural Solution: Organisational Credential Control
The solution requires inverting the current model. Instead of users creating and controlling their own access credentials, organisations must generate, distribute, and revoke every credential while ensuring users never gain direct control over them.
This approach, implemented through encrypted credential distribution systems, maintains credentials in an organisationally controlled state throughout their lifecycle. When an employee requires system access, they receive an encrypted credential that operates transparently without revealing its contents or allowing manual manipulation.
The distinction is critical: users retain the ability to access necessary systems while losing the ability to extract, share, or retain the underlying credentials. This creates genuinely unphishable access—credentials cannot be stolen because they cannot be seen or manually transmitted.
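The inversion described above, as an added example (Python; not code from the article or from any product it alludes to): the organisation keeps the encryption key and the revocation list, the employee's agent only ever holds an opaque token, and the organisation's gateway unwraps it server-side. The class and method names, the token layout and the toy HMAC-SHA256 counter-mode cipher are assumptions for illustration, standing in for a proper AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

class CredentialAuthority:
    def __init__(self):
        self._key = secrets.token_bytes(32)   # never leaves the organisation
        self._revoked = set()

    def _keystream(self, nonce, n):
        # Toy HMAC-SHA256 counter-mode keystream; a real deployment would use an AEAD such as AES-GCM
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self._key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def _xor(self, data, nonce):
        return bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))

    def issue(self, cred_id, secret):
        """Return the opaque token handed to the employee's agent (cred_id must not contain NUL)."""
        nonce = secrets.token_bytes(16)
        header = cred_id.encode() + b"\x00" + nonce
        body = self._xor(secret, nonce)
        tag = hmac.new(self._key, header + body, hashlib.sha256).digest()   # encrypt-then-MAC
        return header + body + tag

    def revoke(self, cred_id):
        self._revoked.add(cred_id)

    def unwrap_for_gateway(self, token):
        """Run by the organisation's gateway, never by the user; None if tampered or revoked."""
        cred_id, _, rest = token.partition(b"\x00")
        nonce, body, tag = rest[:16], rest[16:-32], rest[-32:]
        expected = hmac.new(self._key, cred_id + b"\x00" + nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected) or cred_id.decode() in self._revoked:
            return None
        return self._xor(body, nonce)

def leaver_scenario():
    """Walk through issue -> use -> revoke; returns (usable_before, usable_after, tamper_rejected)."""
    org = CredentialAuthority()
    secret = b"constructed-crm-db-password"          # constructed sample, never shown to the employee
    token = org.issue("exec-0042:crm-db", secret)
    usable_before = org.unwrap_for_gateway(token) == secret and secret not in token
    org.revoke("exec-0042:crm-db")                  # leaver process on the last day of employment
    usable_after = org.unwrap_for_gateway(token) is not None
    tampered = token[:-1] + bytes([token[-1] ^ 1])  # a flipped tag bit fails the MAC check
    return usable_before, usable_after, org.unwrap_for_gateway(tampered) is None
```

The token is still something the leaver physically holds, so in practice it must also be bound to a managed device or hardware-backed key; what the example shows is that the plaintext never reaches the user and that a single revocation at the authority invalidates every copy of the token at once.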
From a regulatory perspective, this model aligns with emerging requirements around operational resilience and third-party risk management. The FCA's operational resilience framework emphasises maintaining control over critical business services, which necessarily includes controlling how those services are accessed.
For financial institutions, the implications extend beyond security to competitive advantage. In an industry where proprietary algorithms, customer insights, and trading strategies represent core value, controlling access to these assets becomes a strategic imperative rather than merely a compliance requirement.
The Strategic Imperative
Financial services leaders face a binary choice. They can continue refining systems that ultimately depend on user-controlled credentials, accepting the inherent risks and associated costs, or they can implement structural solutions that eliminate user credential control entirely.
The M&S case provides a stark illustration of these costs in practice. Beyond the immediate £300 million damages, the breach highlighted how traditional access controls fail when facing determined insiders with legitimate but uncontrolled credentials.
For organisations serious about protecting their competitive position and regulatory standing, the question is not whether to implement organisational credential control, but how quickly they can deploy it across their most critical systems.
The technology exists. The regulatory drivers are clear. The only remaining variable is organisational willingness to challenge the fundamental assumption that users must control their own access credentials.