Marks & Spencer says it is recovering after a cyberattack that cost £300 million, and a loyalty overhaul is next. I have a different view. Calling this a comeback is premature without proof of change, not just a fresh rewards program. This matters because customers lost trust, not points. Trust needs more than marketing.
The Spin and the Stakes
We are told there is progress. The message is neat and upbeat, but it skips the hard parts. Security failures are not fixed by rebranding benefits. A loyalty refresh can be smart retail strategy, yet using it as the headline after a nine-figure breach risks signaling the wrong priorities.
“on the road to recovery”
“loyalty refresh”
Those phrases are designed to calm. I’m not convinced they answer the questions that matter: what failed, who was affected, how will it be prevented next time, and when will we see independent proof?
What Recovery Should Mean
Real recovery is measurable. It is not about a points app or a new tier name. It is about hard fixes, disclosure, and ongoing accountability.
Here is what should come before any fanfare about loyalty:
- Clear disclosure on the breach’s scope, systems hit, and lessons learned.
- Independent security audits with summaries published for customers and investors.
- Concrete timelines for upgrades, from identity controls to vendor oversight.
- Support for affected customers, including credit monitoring where needed.
- Board-level oversight of cyber risk, reported with financial results.
These are the basics. They turn a promise of recovery into something you can verify.
The Loyalty Play: Smart or Distraction?
A loyalty refresh can drive frequency and basket size. I get why a retailer would push it now. But after a £300m shock, customers do not want perks first; they want safety first. If new tiers and offers launch without visible security fixes, the message becomes muddled: shop more, trust later.
I would welcome a loyalty design that actually answers the moment. Tie benefits to security features: stronger account protections, device alerts, and fast fraud refunds. Make it obvious in the app and at checkout. If the company wants to rebuild trust, build it into the product, not just the press line.
Answering the Optimists
Some will argue that a retailer has to move on, sell goods, and keep people engaged. True. Yet moving on is not the same as moving fast past accountability. Others may say the cost is sunk and the systems are stable now. Maybe. But cost alone does not prove repair, and stability is only real if outsiders can test it.
There is also the investor angle. A loyalty refresh sounds like growth. But growth that sits on weak controls is fragile. I prefer a slower, safer rebuild to a quick bounce built on hope.
What I Want to Hear Next
The path back is simple to describe, hard to do, and worth it. I want to hear less about tiers and more about tests.
- Publish a timeline for security upgrades already delivered and those still due.
- Commit to annual third-party assessments with public summaries.
- Introduce default multi-factor login and real-time breach alerts.
- Offer opt-in data minimization for loyalty accounts, not just consent boxes.
That kind of plan would make “recovery” feel like more than a slogan.
The Bottom Line
“On the road to recovery” is a nice line. After a £300m hit, it has to be more than that. Security first, loyalty second—reverse the order and you risk repeating history. If you are a customer, ask for proof and use every safety feature offered. If you are a shareholder, demand independent verification, not just a refreshed card. If you are inside the company, push to make safety a visible product feature.
Recovery is not a feeling. It is a set of actions you can see. Start there, and the loyalty will follow.
