'Steady hand' Higham decides to quit top M&S tech role

M&S chief digital and technology officer Rachel Higham has decided to step back from her role, in the wake of the retailer’s recent cyber attack, despite the company insisting she had been “a steady hand and calm head at an extraordinary time for the business”.

Higham, who joined the business in January 2024 from WPP, succeeded chief digital and technology officer Jeremy Pee, who left in August 2023 after six years leading the retailer’s digital and data transformation strategy.

She had been chief information officer at WPP since December 2020, leading the agency group’s cybersecurity, IT strategy, and business transformation.

Over past two decades, Higham had led technology teams at a number of major financial services, insurance and telecoms brands, including BT, HSBC, Vodafone, Chubb, ABN Amro and ACE Group, working across Europe, Asia, and North and Latin America.

The move marked her return to the business, having first worked at M&S Bank as lead change programme manager from 2003 to 2007.

In an internal memo, M&S said Higham was “stepping back from her role… Rachel has been a steady hand and calm head at an extraordinary time for the business, and we wish her well for the future”. Operations director Sacha Berendji, who has been chief recovery officer since the cyber attack, will reportedly take over her responsibilities until a successor is appointed.

The now infamous cyber attack hit M&S in April, when a ransomware gang used social engineering and impersonated a third-party vendor to gain access to its systems.

The breach led to the suspension of M&S’s online ordering, with contactless payments, the Sparks loyalty scheme and automated systems all down.

Initially, the retailer insisted no customer data had been stolen but was then forced to retract that. Although M&S has refused to detail how many customers had been affected by the data breach, it emailed its entire customer base of 9.4 million people to warn them about the situation.

And while most of its systems are now back up and running, the attack is estimated to have cost the company around £300m.

Even the Government waded in, urging businesses of all sizes to treat cyber security as an “absolute priority” following a wave of attacks on UK retailers, with Chancellor of the Duchy of Lancaster Pat McFadden insisting the onslaught must to be “a wake-up call”.