It wasn’t fancy technology that resulted in £300 million lost profit for M&S. As CEO Stuart Machin bluntly told reporters, it was “human error.” Attackers used social engineering to trick helpdesk staff into handing over access: they rang support desks posing as internal IT, obtained credentials or password resets, and then infiltrated the M&S network.