Join CIPR
Search by title
The wide entrance of a Marks and Spencer store with the brand name above the doorway and mannequins wearing women's clothes in the background
The M&S store at Lakeside, Thurrock. (Image: M&S)
LEADERSHIP
Tuesday 20th May 2025

This is not just any crisis comms email, this is an M&S crisis comms email

Marks and Spencer presents a masterclass in crisis communications and stakeholder engagement.

In mid-May Marks and Spencer sent out an email to all customers registered to the retailer’s database. Headed ‘An update from M&S about the recent cyber incident’, the email is an absolute masterclass in direct engagement with your target audiences, specifically your customers, during a crisis.

But what led to M&S taking this step? In April, M&S reported that it had been subject to a data breach, in which customer personal details such as dates of birth, home addresses and phone numbers were stolen. 

The retailer was quick to point out that no payment details had been compromised and that to date, none of the information appeared to have been shared. M&S suspended all online orders, allegedly costing the retailer £43m per week in lost sales. 

Given the ongoing nature of the challenge, compounded by the significant losses being faced, clearly somebody at M&S decided it was time to take steps to try and reassure customers.

Reassuring the customer

The first win was the first-name personalisation in the email. Taking this route, rather than sending a bulletin-style message can, in my opinion, increase engagement from the very start. I think we are much more likely to read something that’s addressed to us directly.

Secondly the email came from an identified, senior person – Jayne Wall who is M&S’s operations director. Jayne appears to exist IRL and is easily found on LinkedIn. I don’t remember ever receiving an email from an actual person at M&S before, and that fact gives the impression the retailer is taking the issue seriously.

Furthermore, the email finishes off with a signature purporting to be Jayne’s. Even if it isn’t Jayne’s actual signature, this is a nice personal touch that makes the letter feel human, even though it has clearly been sent to thousands, if not millions, of people.

Building trust

Onto the content of the email itself, it immediately outlines the problem and what has happened so far. It doesn’t hide from the truth. This approach builds trust and goodwill, there’s no feeling that M&S is trying to pull the wool over our eyes.

Next, there’s an intent to recognise and acknowledge any concerns held by customers whilst also again being very clear and outlining exactly what data has been stolen – including contact details, dates of birth and online order history. Important information is highlighted in bold – there’s no evidence that the data has been shared and the data does not include any useable card or payment details, nor account passwords.

The use of underlined headings (only two) is also helpful – we all want to know “what has happened” along with “how does this affect me and what should I do?” don’t we?

Once the problem is presented, defined and explained, the email outlines exactly what M&S is doing to try to fix it. This demonstrates that they are working on the issue and trying to rectify it. This again provides reassurance and aims to create trust.

An unreserved apology

At this point, a clear route to additional information is provided via a link to FAQs. Giving an option to dig deeper into the problem, whilst keeping the email brief, acknowledges that all brains operate differently. For some, the email is enough, for others additional information may be really important.

Next steps are outlined at this point, again providing reassurance and a ‘we are working on this’ message. This is followed swiftly by a clear and unreserved apology. 

An apology like this is fundamental in this sort of situation, and M&S has nailed it by ensuring it was unreserved and given sincerely. 

Too often spokespeople hide behind insincere or incomplete apologies (often for perfectly reasonable and legitimate legal concerns admittedly), but it is refreshing to see such an open and clear apology being given in these circumstances.

The email concludes with a thank you to customers for their custom and support. At its base level, this tells us that retailer cares and that they will fix it.

In brief, the email works so well for all of the reasons outlined, but also because it is so on brand and just what we’d expect. In Marks and Spencer, we expect high quality, along with value for money. It isn’t flash and it is also consistent. When we buy from there, we know what to expect. It is a stalwart of the high street, the home of the prawn sandwich and somewhere our nannas, mums and perhaps we ourselves routinely shop. We know we can trust M&S.

All of the above feelings have been effectively carried through with this email. It’s on brand, on the money and doing exactly what we’d expect from M&S. For all the reasons I’ve outlined, it truly is a masterclass in one aspect of crisis comms – engaging with your customers. Bravo M&S, bravo Jayne and double bravo to the M&S comms team. 

The email from Marks and Spencer set out in full below and on the M&S website:

The email to customers from M&S operations director Jayne Wall. It reads: Dear Victoria, I’m Jayne Wall, and I look after Customer Service here at M&S. I am sure that you will have seen in the news that we have been dealing with a cyber incident and I wanted to write to you about what this means for you. What has happened? To proactively manage the incident, we immediately took steps to protect our systems and engaged leading cyber security experts. We also reported the incident to relevant government authorities and law enforcement, who we continue to work closely with. Unfortunately, the nature of the incident means that some personal customer data has been taken, but there is no evidence that it has been shared. The personal data could include contact details, date of birth and online order history. However, importantly, the data does not include useable card or payment details, and it also does not include any account passwords. For more detail, see our FAQs. How does this affect me and what should I do? You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious. Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password. For more information, FAQs and hints and tips on how to stay safe online visit https://lnkd.in/eTiVty2T To give you extra peace of mind, next time you visit or login to your M&S.com account on our website or app, you will also be prompted to reset your password. We sincerely apologise for any inconvenience caused to you and all of our customers. Thank you so much for shopping with us and for your support, we never take it for granted. Jayne's signature Jayne Wall Operations Director

Victoria Moffatt is the founder and managing director of LexRex, a communications consultancy for the legal sector. A former lawyer, she has over 15 years’ experience advising law firm leaders on effective PR strategies and crisis responses.

Further reading

Three top crisis communications lessons from a disaster manager
Five vital comms lessons from the tragedy of flight 5342
Crisis comms: Lessons learned from the British Library cyber-attack

crisis-communicationpr-strategymarketingbusinesstech