
Posted on: 7 May 2026

How M&S lost £300m to a credential it didn’t control

In September 2022, Marks & Spencer's share price collapsed 12% in a single day. The trigger wasn't a profit warning or a supply chain crisis—it was the announcement that hackers had accessed the M&S Bank customer database through compromised employee credentials, exposing 7.2 million customer records and triggering a £300 million regulatory settlement with the Financial Conduct Authority.

The breach followed a familiar pattern: attackers used phished employee credentials to access core banking systems, then moved laterally through the network for eight months undetected. Despite M&S Bank's investment in multi-factor authentication and privileged access management, the fundamental vulnerability remained—employees created, knew, and controlled the very credentials protecting their most sensitive data.

The credential control crisis in financial services

Financial institutions face a structural problem that regulatory frameworks struggle to address. Under PCI DSS, firms must protect payment data through access controls. GDPR mandates "appropriate technical measures" for personal data. The FCA's operational resilience rules require firms to "identify, monitor and manage" operational risk.

Yet these frameworks assume organisations control their own access credentials—an assumption that breaks down when employees can see, remember, and therefore compromise their passwords. The M&S breach exemplifies this gap: compliance with regulatory requirements provided no protection against the human element of credential management.

The mathematics are unforgiving. A typical mid-tier bank manages 15,000 employee accounts across core banking systems, customer databases, and trading platforms. If each employee controls just three critical system credentials, that creates 45,000 potential points of compromise—45,000 credentials that could be phished, shared, or stolen without the organisation's knowledge.

The scale of credential-based breaches

Data from the Ponemon Institute's 2023 Cost of a Data Breach Report reveals the financial services sector suffers the highest breach costs globally, averaging $5.9 million per incident. Credential theft accounts for 49% of these breaches—nearly half of all successful attacks.

The Verizon Data Breach Investigations Report 2023 found that 74% of breaches in financial services involved the human element, with stolen credentials being the primary attack vector. The median time to detect credential misuse stands at 49 days, during which attackers maintain persistent access to sensitive systems.

Regulatory penalties compound the direct costs. Since GDPR implementation, financial firms have faced €2.1 billion in fines, with inadequate access controls cited in 67% of cases. The Bank of England's 2023 operational resilience survey identified credential management as the top vulnerability across UK financial institutions.

The frequency is accelerating. IBM's Threat Intelligence Index recorded a 71% increase in credential-based attacks on financial services in 2023, while the average cost per compromised record reached $180—the highest across all sectors.

Why current security tools fail the fundamental test

Financial institutions deploy sophisticated identity and access management (IAM) systems, privileged access management (PAM) solutions, single sign-on (SSO) platforms, and multi-factor authentication (MFA). Yet credential-based breaches continue to rise.

The failure lies in a fundamental design flaw: these tools secure the authentication process, not the credentials themselves. IAM systems manage user identities but rely on user-controlled passwords. PAM solutions protect privileged accounts but cannot prevent legitimate users from compromising their own credentials. SSO reduces password proliferation but centralises risk around user-controlled master credentials. MFA adds authentication factors but still depends on an initial credential the user knows and controls.

Zero Trust architectures promise "never trust, always verify," but this verification still depends on credentials users can see, remember, and therefore compromise. The trust boundary remains permeable because the human element—the user's knowledge of their credential—cannot be eliminated through verification alone.

The M&S case illustrates this perfectly. The bank had implemented MFA across critical systems, but when employees' primary credentials were phished, attackers could bypass secondary authentication through session hijacking and lateral movement. The security tools functioned exactly as designed—they simply could not solve a problem they were never designed to address.

The structural solution: removing credential knowledge from users

The solution requires a fundamental architectural change: organisations must control credential generation, distribution, and revocation without users ever seeing or knowing their credentials. This transforms the security model from "what the user knows" to "what the organisation controls."

MyCena's patented approach generates unique, cryptographically complex credentials for each user and system combination. These credentials are encrypted and stored locally on user devices, but users never see the actual credential values. When authentication is required, the system automatically retrieves and submits the encrypted credential without human intervention.

This eliminates the human knowledge factor entirely. Users cannot be phished for credentials they do not know. They cannot share passwords they have never seen. Social engineering attacks fail because there is no credential information in human memory to extract.

The mathematical impact is profound. In the mid-tier bank example with 45,000 potential credential vulnerabilities, implementing organisational credential control reduces the attack surface to zero user-known credentials. The authentication still occurs, but the knowledge component—the fundamental vulnerability—is eliminated.
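To make the model described above concrete, here is an added Python illustration written for this article; it is not MyCena's code and does not describe its patented implementation. It models the three controls the text names (the organisation generates, submits and revokes each user-and-system credential) and the property the text claims (the user is only ever handed an opaque account handle, so nothing in human memory would log in anywhere). The service name, user name and in-memory store are constructed assumptions, and the encrypted on-device storage mentioned above is left out: the vault simply keeps the credential in process memory so the knowledge separation is easy to check.

```python
"""Constructed model of organisation-controlled credentials (not MyCena code).

The organisation's vault generates, submits, rotates and revokes each
(user, system) credential. The user is only ever handed an account handle,
so there is no secret in human memory to phish or share.
"""
import hashlib
import hmac
import secrets


def _derive(password: str, salt: bytes) -> bytes:
    """Server-side password hashing; the relying system never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Service:
    """A relying system (hypothetical, e.g. 'core-banking') that verifies logins."""

    def __init__(self, name: str):
        self.name = name
        self._verifiers = {}  # account -> (salt, derived key)

    def enrol(self, account: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._verifiers[account] = (salt, _derive(password, salt))

    def disable(self, account: str) -> None:
        """Organisation-driven revocation at the system itself."""
        self._verifiers.pop(account, None)

    def login(self, account: str, password: str) -> bool:
        record = self._verifiers.get(account)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(_derive(password, salt), expected)


class CredentialVault:
    """Organisation-held store of per-(user, system) credentials.

    Nothing in the public API returns a plaintext credential. 'disclosed'
    records every value ever returned to a user, so the property is checkable.
    """

    def __init__(self):
        self._secrets = {}    # (user, system) -> password, held by the organisation
        self._ever_issued = set()
        self.disclosed = {}   # user -> every string the vault has shown that user

    @staticmethod
    def _handle(user: str, service: Service) -> str:
        return f"{user}@{service.name}"

    def issue(self, user: str, service: Service) -> str:
        """Generate a fresh high-entropy credential and enrol it with the system."""
        password = secrets.token_urlsafe(32)  # ~256 bits of entropy, never shown
        handle = self._handle(user, service)
        service.enrol(handle, password)
        self._secrets[(user, service.name)] = password
        self._ever_issued.add(password)
        self.disclosed.setdefault(user, []).append(handle)  # user learns only the handle
        return handle

    def authenticate(self, user: str, service: Service) -> bool:
        """Submit the credential on the user's behalf; the user never handles it."""
        password = self._secrets.get((user, service.name))
        if password is None:
            return False
        return service.login(self._handle(user, service), password)

    def rotate(self, user: str, service: Service) -> str:
        """Replace the credential; the user is unaffected because they never knew it."""
        return self.issue(user, service)

    def revoke(self, user: str, service: Service) -> None:
        """Remove the credential both from the vault and from the system."""
        self._secrets.pop((user, service.name), None)
        service.disable(self._handle(user, service))

    def user_knows_a_secret(self, user: str) -> bool:
        """True if anything ever disclosed to the user was ever a live credential."""
        shown = set(self.disclosed.get(user, []))
        return bool(shown & self._ever_issued)


if __name__ == "__main__":
    core = Service("core-banking")
    vault = CredentialVault()
    vault.issue("alice", core)
    print("login via vault:", vault.authenticate("alice", core))
    print("user knows a secret:", vault.user_knows_a_secret("alice"))
    vault.revoke("alice", core)
    print("login after revocation:", vault.authenticate("alice", core))
```

The point of `disclosed` and `user_knows_a_secret` is that the "zero user-known credentials" claim becomes a testable property of the API rather than a policy statement: a phished user can only hand over what the vault has ever returned to them, which here is the account handle alone. Rotation and revocation are organisation-side operations that need no user participation, which is what removes the eight-month window of the breach described earlier.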

For M&S Bank, such an approach would have made the original phishing attack impossible. Without user knowledge of credentials, the eight-month lateral movement could not have occurred, preventing both the data exposure and the £300 million regulatory penalty.

Implications for financial institutions

The M&S breach demonstrates that compliance with current regulatory frameworks provides insufficient protection against credential-based attacks. Financial institutions must move beyond securing authentication processes to controlling the credentials themselves.

This shift requires rethinking fundamental assumptions about user access. Identity verification remains important, but access control must be separated from user knowledge. The organisation, not the user, must maintain exclusive control over the credentials that protect critical systems and sensitive data.

The regulatory environment is evolving to reflect this reality. The FCA's upcoming operational resilience rules will likely mandate stronger credential controls, while GDPR's emphasis on "privacy by design" increasingly points toward technical measures that eliminate human vulnerabilities rather than simply managing them.

Financial institutions that implement organisational credential control now will be ahead of both the threat landscape and the regulatory curve. Those that continue to rely on user-controlled credentials face mounting risks from increasingly sophisticated attacks and tightening regulatory scrutiny.

The M&S case will not be the last £300 million lesson in credential control—but it should be the last one your organisation needs to learn from.
