Concise Cyber

M&S Cyberattack: Lessons on Social Engineering and Data Breaches

Marks & Spencer (M&S), the iconic British retail giant, was recently at the epicentre of a significant cyber attack that sent shockwaves through its operations and the broader retail sector. The incident, attributed to the notorious hacking group known as Scattered Spider, highlighted the sophisticated and pervasive nature of modern cyber threats, impacting everything from online orders to in-store services and incurring substantial financial losses.


The attack, which reportedly began as early as February 2025 but came to light around Easter, saw M&S’s IT systems infiltrated and critical data exfiltrated. The attackers, believed to have utilized a “DragonForce” encryptor, deployed ransomware that encrypted virtual machines supporting e-commerce, payment processing, and logistics applications. While physical stores largely remained open, customers experienced disruptions to services such as “Click and Collect” and contactless payments.


The Attack Vector: Social Engineering and Active Directory Compromise


Initial investigations point to a highly effective social engineering tactic as the primary entry point. Scattered Spider allegedly targeted M&S’s IT service desk, impersonating an internal support engineer to manipulate a third-party provider into resetting an internal user’s password and disabling multi-factor authentication. With these compromised credentials, the attackers then exploited Active Directory to exfiltrate the NTDS.dit file – a critical database containing password hashes for every domain user. This allowed them to gain unauthorized access and move laterally within M&S’s network before deploying the ransomware.
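The chain described above leaves two observable traces a defender can look for: a service-desk-initiated password reset followed closely by the removal of that user's MFA, and a process other than the domain controller's own reading NTDS.dit. The following is an added illustration, not code from the original post or from M&S; the identity-audit event schema (ts, action, actor, target) and the simplified 4663-style file-access records are constructed assumptions rather than any vendor's real log format.

```python
"""Detection sketch for the two steps in the intrusion narrative above:
(1) a help-desk password reset plus MFA removal for the same account within a
short window, and (2) access to NTDS.dit by an unexpected process.
Added example; event schemas and sample data are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-audit events (hypothetical schema, not a real product's).
IDENTITY_EVENTS = [
    {"ts": "2025-02-10T09:02:00", "action": "PasswordReset", "actor": "helpdesk-svc", "target": "j.doe"},
    {"ts": "2025-02-10T09:04:30", "action": "MfaDisabled",   "actor": "helpdesk-svc", "target": "j.doe"},
    {"ts": "2025-02-10T11:40:00", "action": "PasswordReset", "actor": "helpdesk-svc", "target": "a.smith"},
    {"ts": "2025-02-11T08:15:00", "action": "MfaDisabled",   "actor": "a.smith",      "target": "a.smith"},
]

# Constructed object-access events in the style of Windows Event ID 4663 (fields simplified).
FILE_EVENTS = [
    {"ts": "2025-02-12T02:10:00", "event_id": 4663, "host": "DC01", "subject": "SYSTEM",
     "process": r"C:\Windows\System32\lsass.exe", "object": r"C:\Windows\NTDS\ntds.dit"},
    {"ts": "2025-02-12T02:12:00", "event_id": 4663, "host": "DC01", "subject": "j.doe",
     "process": r"C:\Windows\System32\cmd.exe", "object": r"C:\Windows\NTDS\ntds.dit"},
    {"ts": "2025-02-12T02:13:00", "event_id": 4663, "host": "DC01", "subject": "j.doe",
     "process": r"C:\Windows\System32\cmd.exe", "object": r"C:\Temp\notes.txt"},
]

WINDOW = timedelta(minutes=30)
# lsass.exe legitimately holds ntds.dit open on a domain controller; extend the
# allow-list with your backup agent's process name after confirming it locally.
NTDS_ALLOWED_PROCESSES = {"lsass.exe"}


def _parse_ts(value):
    return datetime.fromisoformat(value)


def helpdesk_reset_then_mfa_removal(events, window=WINDOW):
    """Return account names whose password was reset by someone other than the
    account itself and whose MFA was disabled within `window` of that reset."""
    by_target = defaultdict(list)
    for event in events:
        by_target[event["target"]].append(event)
    hits = []
    for target, evs in by_target.items():
        resets = [_parse_ts(e["ts"]) for e in evs
                  if e["action"] == "PasswordReset" and e["actor"] != target]
        mfa_off = [_parse_ts(e["ts"]) for e in evs if e["action"] == "MfaDisabled"]
        if any(abs(m - r) <= window for r in resets for m in mfa_off):
            hits.append(target)
    return sorted(hits)


def unexpected_ntds_access(events, allowed=NTDS_ALLOWED_PROCESSES):
    """Return (host, subject, process) for 4663-style events where a process
    outside the allow-list touched a file named ntds.dit."""
    hits = []
    for event in events:
        if event.get("event_id") != 4663:
            continue
        if not event["object"].lower().endswith("ntds.dit"):
            continue
        process = event["process"].rsplit("\\", 1)[-1].lower()
        if process not in allowed:
            hits.append((event["host"], event["subject"], process))
    return hits


def run_detections():
    """Run both checks over the constructed samples and return the findings."""
    return {
        "helpdesk_mfa_bypass": helpdesk_reset_then_mfa_removal(IDENTITY_EVENTS),
        "ntds_access": unexpected_ntds_access(FILE_EVENTS),
    }


if __name__ == "__main__":
    for name, findings in run_detections().items():
        print(f"{name}: {findings}")
```

Two practical caveats: Event ID 4663 is only generated when object-access auditing is enabled and a SACL is set on the NTDS.dit file, so the second check fires nothing on a domain controller with default audit settings; and the first check will flag some legitimate service-desk work, so it is best treated as a trigger for a call-back to the user through an independent channel rather than as a blocking control.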


Impact and Fallout


The consequences for M&S were severe and far-reaching:

  • Operational Disruption: The attack led to the suspension of online orders in the UK and Ireland for several weeks, and disrupted in-store operations, including issues with gift card services and restricted return options. Automated stock systems were also impacted, leading to empty shelves in some stores.
  • Financial Losses: M&S estimated a staggering £300 million hit to its annual profits as a direct result of the incident. This figure does not include potential insurance claims. The company’s market value also plummeted by over £700 million.
  • Data Breach: M&S confirmed that personal customer information was compromised, including names, birth dates, residential and email addresses, phone numbers, household details, and online purchase histories. While no usable card or payment details or account passwords were reportedly extracted, the breach raised significant privacy concerns for millions of customers, leading to a class-action lawsuit.
  • Reputational Damage: Such a high-profile attack inevitably impacts consumer trust and the company’s brand image.


Response and Recovery

  • M&S’s response involved significant efforts to contain the breach, restore systems, and communicate with affected customers.
  • Chairman Archie Norman described the experience as “traumatic” and stated the company was in “rebuild mode” and would be for “some time to come,” with full online recovery not expected until August. M&S worked closely with UK and US authorities, including the National Crime Agency (NCA), the National Cyber Security Centre (NCSC), and the FBI.
  • In a recent development, the NCA announced the arrest of four individuals, including three teenagers, in connection with cyberattacks targeting M&S, Co-op, and Harrods, indicating a coordinated effort by law enforcement to tackle these sophisticated criminal enterprises.

Lessons Learned

The M&S cyber attack serves as a stark reminder for all organizations:

  • The Human Factor: Social engineering remains a potent threat, highlighting the critical need for robust employee training and awareness programs, even for third-party vendors.
  • Supply Chain Security: The involvement of a third-party in the initial breach underscores the importance of scrutinizing the cybersecurity posture of all partners and suppliers.
  • Resilience and Preparedness: Companies must have comprehensive incident response plans, including the ability to operate manually if IT systems are compromised. M&S’s general counsel reportedly advised businesses to be prepared to “run your business on pen and paper.”
  • Legacy Systems: The complexity of hybrid IT environments, with a mix of old and new systems, can create vulnerabilities and make it easier for attackers to move laterally.
  • Transparency and Reporting: M&S’s chairman has called for mandatory reporting of cyberattacks, emphasizing the importance of shared intelligence to combat these threats effectively.

The M&S cyberattack is a powerful illustration of the evolving threat landscape, where sophisticated social engineering, ransomware, and data exfiltration combine to create a formidable challenge for even the largest and most established organizations.
