What the M&S cyber-attack reminded us about crisis comms (and why it matters for every business)

It’s been hard to miss the recent M&S data breach.

After a major cyber-attack, M&S was forced to pause online orders, losing an estimated £35 million a week in clothing and homeware sales. Six weeks on, the retailer has finally reopened its website to shoppers and plans to resume click and collect, next day, and nominated day delivery in the coming weeks. The incident is expected to cost the company up to £300 million in profits.

As someone who’s worked in comms during a global crisis, it brought back memories of the Paradise Papers leak in 2017, when I was Head of Marketing & Comms at Estera, one of the businesses at the centre of the media storm.

Here’s what I learned back then and why it matters just as much for small businesses as it does for retail giants:

1. What's internal is external

Your people come first. Clear internal communication is the foundation for strong external messaging. If your team understands what’s happening, they can be your greatest advocates. If they’re left confused or in the dark, the damage goes deeper.

2. Keep it simple

Say what needs to be said, clearly and in plain English. Avoid spin and jargon. And if you can’t say much, say something. Don’t leave a vacuum where confusion and speculation can take over.

3. Have a plan and test it

Crisis comms plans are only useful if they actually work in real life. Platforms, behaviours and expectations change fast, and your plan needs to keep up. Run simulations. Pressure test your response. Update it regularly.

4. Leadership matters

Your leaders need to be visible and involved. Walk the floor. Show empathy. Say something on camera if appropriate. But remember, no one person can handle it all. Share responsibility and empower your team.

5. Be honest and human

People spot a cover-up a mile off. If something went wrong, own it. Be honest about what you know, what you’re doing to fix it, and how you’ll stop it happening again. Transparency builds trust, even in a crisis.

6. The storm will pass

In the moment, it feels all-consuming. But public attention fades fast. Do your best, stay grounded, and remember: today’s headline is tomorrow’s chip paper.

7. Speed matters (but so does accuracy)

Quick responses are important but only if they’re right. If you’re still gathering facts, a short holding message is better than saying the wrong thing.

Example: “We’re aware of the issue and are investigating. We’ll share more as soon as we can.”

8. One voice, many channels

Your messaging must be consistent across emails, socials, websites, and press. Conflicting updates cause confusion. Align your messages, agree key points, and assign a clear spokesperson.

9. Monitor and adapt

Pay attention to what people are saying on social, in the media, in your inbox. Stay alert and adjust your messaging if needed. Being tone-deaf in a crisis can cause long-term damage.

10. Follow up when the dust settles

Once the worst is over, share what’s changed. Let people know what you’ve learned and what improvements you’ve made. That’s how you turn a crisis into a chance to rebuild trust.

Crisis comms is just good comms on a tight deadline.

Whether you’re a solo founder or a comms team in a larger business, the principles are the same:

  • Be human

  • Be clear

  • Be ready

Need help reviewing or building a crisis comms plan that actually works? Drop us a message. We’d love to help.

hello@greatmindsmarketing.co.uk
