This past April, British retail giant Marks & Spencer faced a major crisis — not by a supply chain shortage or a product recall but by a silent cyberattack. In a powerful reminder that even the most established brands are not immune, M&S was forced to shut down critical IT systems after cybercriminals breached their defences. Online orders stopped, supply chains froze, and store shelves emptied. And the trigger? A SIM-swap attack that exposed a single point of failure with profound implications.
The financial toll was swift and significant: analysts estimated up to £40 million in weekly lost revenue. Even more damaging, customer data — phone numbers, home addresses, and birthdates — was exposed, damaging consumer trust. The company’s share price plunged by 15%, erasing over £1 billion from its market value in just days.
A SIM-swap attack is an increasingly common and deeply effective tactic used by criminals. According to investigators, the attackers researched M&S staff, impersonated them, and convinced IT helpdesk staff to reset key credentials. With SIM-swapping, they intercepted one-time passcodes and security verifications typically sent via text or phone call. From there, they gained deeper access into corporate systems, bypassing layers of security by manipulating a single digital identity.
Businesses — especially retail, banking, telecom, and crypto — still depend heavily on SMS-based verification and over-the-phone password resets. That reliance now poses a clear vulnerability. A hijacked phone number can unlock VPN tokens, cloud platforms, helpdesk channels, and customer databases. And while cyber insurance might help cover immediate losses, it does little to repair consumer trust or regulatory reputations in the long term.
The threat is personal, too. SIM-swap fraud doesn’t just target corporations. For individuals, losing control of a mobile number means losing control of bank accounts, email, social media, and more. Criminals can drain savings, steal identities, and open new credit lines—all while victims are left scrambling to regain access. United Kingdom fraud-prevention agency Cifas warns that the effects of such breaches are long-lasting, impacting victims’ lives in ways that money alone can’t fix.
This method is no longer rare. Cifas reported a staggering 1,055% increase in SIM-swap cases in 2024, warning that such attacks compromise not just individual accounts but entire digital identities. And this isn’t just a UK phenomenon — here in Canada, the risk is just as present. In 2024, the Toronto Police Service’s Project Disrupt dismantled a Canada-wide SIM-swap ring that stole more than $1 million by hijacking 1,500 mobile accounts. Officers seized over 400 forged IDs and laid 108 charges. As Detective David Coffey noted, today’s fraud is deeply internet-driven—and tackling it requires strong cooperation between the private sector, telecoms, and law enforcement.
So what can be done? For companies, the message is clear: start by hardening helpdesk protocols. Require multiple layers of verification, such as a staff ID, manager approval, or a hardware token, before allowing changes to phone numbers or password resets. Move beyond SMS as the default security method. App-based tools like Google Authenticator or hardware keys offer far better protection and can’t be intercepted through a SIM swap. If text messaging must remain, add carrier-level protections like PINs or port-freeze options to make number takeovers more difficult.
It’s also essential to audit third-party access, especially vendors with elevated privileges, and monitor for unusual account activity or changes. And don’t wait for an incident to happen. Run simulations and drills so your team knows exactly how to respond if credentials are compromised, from notifying customers to rotating access and restoring operations swiftly.
For individuals, the steps are just as necessary. Switch to app-based two-factor authentication, which is far safer than codes sent by text. Stay alert for red flags, like sudden loss of mobile service or “verification” messages you didn’t request — these are signs your number may have been compromised. Finally, be cautious when sharing personal information online. Details like your birthdate, address, or phone number might seem harmless, but they’re gold to cybercriminals building a profile to impersonate you.
SIM-swap attacks don’t rely on cutting-edge technology — they exploit procedural gaps and human error. Companies that strengthen verification steps and diversify authentication can slam the door on attackers.
The Marks & Spencer breach is more than just a warning; it’s a wake-up call for companies worldwide to proactively identify and fix their vulnerabilities before it’s too late. Mobile numbers have become digital master keys, and securing them requires more than IT upgrades — it demands cyber leadership. As ransomware and social engineering threats escalate, Canadian businesses must take urgent steps to assess their resilience, invest in stronger defences, and build a culture of security from the inside out.
Lester Chng is a Senior Cybersecurity Advisor at Rogers Cybersecure Catalyst — Toronto Metropolitan University’s national centre for training, innovation, and collaboration in cybersecurity.
