M&S 2025 Cyber Attack Case Study
Downtime Duration
7-15 weeks
Estimated Costs
£385 million
Records Exposed
9.4 Million Customers
Operational Impact
- Online shipping shut down
- Overall Supply chain disrupted
- CTO Resigned
- Card Transactions halted
Summary
Marks & Spencer (M&S), a UK retail giant about 2600 stores strong, is curtailed by a co-ordinated POS Ransomware attack.
Full Analysis
Introduction
On April 22nd 2025, Marks and Spencer admitted that their online customer sales service and supply chain system had been compromised by a hacker group, who also stole personal customer information such as names, phone numbers and email addresses. Eventually, the hacker group Scattered Spider claimed responsibility for the attack, demanding a $4.4 million bitcoin ransom in exchange for the security key needed to unencrypt the systems.
Entry vector
Hackers Responsible
Scatted Spider is a bit of an anomaly when it comes to hacker groups; unlike many hacker groups, that are based in Russia or their territories, they are composed of English-speaking cyber savvy delinquents based in the US and UK, mostly young adults and teenagers. They are also called a ‘hacker group’ in the loosest sense possible; it’s more accurate to call them a community of loosely affiliated hackers and cyber criminals organising on forums like Discord and Telegram, hence the name Scattered Spider (BBC.com, 2025A). They are well known for their 2023 cyber-attack on MGM resort, where they used ransomware to shut down over 100 of the resort’s VMware ESXi hypervisors to collect a ransom (Bleepingcomputer.com, 2025A).
In July 2025, Four individuals were arrested by the police in Staffordshire, London and the West Midlands for ‘Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group’. The four are believed to be connected to the M&S attacks as well as preceding attacks on Co-op and Harrods. (BBC.com, 2025I)
Main Attacks
According to bleepingcomputer (bleepingcomputer.com, 2025B), in February 2025, Scattered Spider operatives gained access to Marks and Spencer’s operating system, stealing their Windows domain’s NTDS.dit file, essentially their database containing access password hashes.
The group then proceeded to crack the hashes offline, hijacking existing credentials that they then used to roam freely throughout M&S’ Windows domain to steal the personal details of their 9.4 million online customers from network devices, using social engineering tactics like SIM swapping and phishing.
Scattered spider then used malware created by DragonForce, a separate gang that creates malware as a service for cybercriminals, for the main attack on April 22nd and 24th. This crashed the online shopping service by encrypting all data related to the supply chain and online customers, leaving it inaccessible to all except Scattered Spider. According to the Sunday Times, Scattered Spider were able to remain undetected for 2 days before the attack
Scattered Spider’s cyber-attack has coincided with other cyber incidents involving other retailers, such as Victoria’s Secret, who was forced to briefly shut down their corporate and e-commerce websites on May 26th when they suffered a data breach. Unlike M&S, they were able to restore their website on May 29th (Reuters.com, 2025). It’s unclear who committed the cyber-attack on the fashion retailer, although Scattered Spider remain the main suspects because of their attack on M&S (cybersecuritydive.com, 2025).
On the 8th July, M&S’s chairman, Archie Norman, confirmed to a parliamentary select committee that M&S believe that DragonForce was mostly behind the attack due to a lack of evidence incriminating Scattered Spider. He has also confirmed that the FBI has been assisting in M&S’s recovery. (Retailgazette.com, 2025A)
Recovery
M&S worked day and night to recover from the cyber attack. They are working with companies that specialise in cyber security including CrowdStrike, Microsoft, and Fenix24 to fully restore their systems (Bleepingcomputer.com, 2025C). The National Cyber Security Centre (NCSC) is working closely with all parties to investigate the attack and remedy M&S’s security systems (itpro.com, 2025B).
M&S have released several smartphone “super Apps” to their store personnel to scan shelves, to identify stockouts and send the info to a new central hub for reordering the items. This enables M&S to circumvent their disabled ordering systems and continue to ensure continuity of supply (Sunday Times, 2025A).
Impact
Initially problems were experienced by customers in stores trying to pay by card on Saturday 20 April. The payment systems were restored to normal operation after a short while (BBCTVNews, 2025).
Since a quarter of all M&S’s sales happen online, M&S suspended all digital shopping services, including website, apps and their click and collect system, until the breach has been fixed. The ongoing impact of the hack was immediately felt not just in their digital shopping service, but also in their supply chain.
A technical glitch caused several contactless payments and click and collect services to fail across the UK, frustrating several customers still reeling from the cyber-attacks in April. It is unclear whether this glitch is related to the cyber-attack or not. (Retailgazette.com, 2025B)
Data Impact
The personal information of M&S’s 9.4 million online customer database was compromised (bleepingcomputer.com, 2025B). This included personal details like phone numbers, emails, and household information (BBC.com, 2025E). Whilst Scattered Spider have shown no signs of leaking the data until they receive their ransom, the whole incident has raised questions about how M&S can maintain the confidentiality of their customer’s data and how the compromised data could be used to defraud customers. M&S are even facing a class action lawsuit over the data breach (Drapers.com. 2025). The cyber-attack eventually led to the resignation of M&S’s CTO, Rachel Higham in September 2025 (Computerweekly, 2025C).
Impact on Supply Chain
Supply chain services had also effectively been cripped by the attack. Suppliers, including Greencore, had to resort to using pen and paper for inventory keeping. This has led to severe disruption, from getting trucks loaded and sent off, including struggles with restoring a new payment system for the employees, who have even struggled with clocking in and out of work (BBC, 2025B). This led to not only a shortage in store supply, but even an oversupply in some regions as excess food was delivered, leading to mass waste – according to M&S retail workers on Reddit (BBC.com, 2025C). This led to many stores’ shelves being left empty and delivery businesses that M&S work with, including Ocado which M&S partially own, affected to some degree (BBC.com, 2025D).
M&S has also been forced to return deliveries to their suppliers as they are unable to receive them due to their inventory systems being offline (Sunday Times, 2025B).
Costs
An estimated £43 million is lost due to suspended online sales per week (BBC.com, 2025F). Marks and Spencer have so far refused to pay the $4.4 million ransom.
The attack initially decreased M&S’s stock market value by £500 million (theguardian.com, 2025A), with its share price falling by roughly 16% since it disclosed the attack on April 22. Another, later estimate by The Financial Times in May suggests a far more staggering decrease in overall market capitalisation by £1.3 billion (Financial Times.com, 2025). M&S has cyber insurance to cover some of their losses caused by the attack – the claim is estimated to be £100 million (FinancialTimes.com, 2025).
By November 2024, the BBC reported that M&S’s profits were practically wiped out by the attack thanks to disrupting both online and in-store purchases. Specifically, “…statutory profit before tax – a figure that reflects all costs for a period – slumped 99% from £391.9m to £3.4m for the first half of the year, compared with the year prior.” (BBC.com, 2025K)
Duration
The systems were compromised on April 22nd 2025. As of May 13th, they are still struggling to recover from the attack as they still suffer from supply issues and digital disruption (BBC.com, 2025F).
Marks & Spencer eventually released a full statement revealing their online services will continue to be disrupted until July 2025, decreasing their overall profits by an estimated £300 million (BBC.com, 2025G). This was later confirmed when M&S were able to restore online shopping systems, chiefly it’s click and collect service in August 2025, 15 weeks after the initial attack (BBC.com, 2025L).
On June 10th, Marks & Spencer have announced they have restarted online orders, allowing for online ordering and deliveries of fashion, beauty products and homeware across the UK (BBC.com, 2025H). This comes approximately 7 weeks after the initial Cyber-attack that crippled their online services on April 22nd. The retailer made a statement that despite customer data being stolen, there was no evidence that personal details, such as credit card information and account passwords, had been shared. Regardless, the retailer prompted their online customer base to change their account passwords just in case. (ITV.com, 2025).
Co-op and Harrods Attacks
Around the same time as M&S was targeted by ransomware in April 2025, Scattered Spider also attacked Co-op and Harrods, using similar tactics to also extort a bitcoin ransom from them.
Co-op
Like Victoria’s Secret, Scattered Spider attempted to infect Co-op’s systems in April (planbconsulting.co.uk, 2025), specifically targeting information related to its members, but were unsuccessful in spreading the damage to the wider organisation before Co-op took their own services offline, restricting access to the hackers whilst isolating the threat (Computerweekly.com, 2025D). Unfortunately, the data of 6.5m customers and members were still compromised, which Co-op CEO Shirine Khoury-Haq apologised for (Computerweekly.com, 2025B).
Co-op went on to experience similar financial losses to M&S, the hack having cost them an estimated £206m in lost revenue from stock deliveries and failed payments (BBC.com, 2025J) (Computerweekly.com, 2025A). Furthermore, a law firm that specialises in cybercrimes and data privacy had made a compensation claim for customers affected by their data breach starting from July 2025 onwards (kpl-databreach.co.uk, 2025)
Harrods
Harrods’s customer base also had their data breached in May as part of the attacks on C-op and M&S, also targeting their customer base. The hackers never made much progress, being unable to access and disable Harrods’s systems and they restricted internet access to their website as a precaution (theguardian.com, 2025B)
In September 2025, Harrods suffered from a separate IT breach where the contact information for 430,000 customers was compromised. Thankfully, since most of their customers shop in person instead of online, this was considerably a small portion of customer’s data stolen, which consisted of basic contact information and names. Harrods have been contacted by the hackers responsible but refused to elaborate (BBC.com, 2025M). So far, the incident been confirmed to be unrelated to Scattered Spider’s attacks, with Harrods revealing that the hackers targeted one of their third-party providers, highlighting how supply lines can be hindered by Hackers (computerweekly.com, 2025E).
Conclusion
A recent article in the Sunday times discussed how 80,000 bot accounts created by hackers in Brazil took down The Handbag Clinic, a small business that resells and repairs unwanted luxury handbags (Prevett, 2025) made an important point about the M&S hack; despite losing all profits between the cyberattack in March and September and spending millions on cyber recovery and specialists, M&S have still survived. As a large corporation they have the luxury to recover from such devastating losses; smaller businesses though may not be so lucky. It just goes to show how much damage a small team of determined hackers could do, and how important it is to always have a seamless cybersecurity.
Sources:
- BBC.com, (2025A): A letter from the M&S hackers landed in my inbox – this is what happened next: https://www.bbc.co.uk/news/articles/cgr5nen5gxyo
- BBC.com (2025B): M&S supplier resorts to pen and paper after cyber attack: https://www.bbc.co.uk/news/articles/cvgnyplvdv8o
- BBC.com (2025C): ‘They wanted $4m’: Lessons for M&S from other cyber attacks: https://www.bbc.co.uk/news/articles/cg72kg5yn2ko
- BBC.com (2025D): When will I be able to shop online at M&S again?: https://www.bbc.co.uk/news/articles/c0el31nqnpvo
- BBC.com, (2025E): M&S says customer data stolen in cyber attack: https://www.bbc.co.uk/news/articles/c62v34zv828o
- BBC.com (2025F): When will I be able to shop online at M&S again?: https://www.bbc.co.uk/news/articles/c0el31nqnpvo
- BBC.com (2025G): M&S cyber-attack disruption to last until July: https://www.bbc.co.uk/news/articles/c93llkg4n51o
- BBC.com (2025H): M&S restarts online orders after cyber attack: https://www.bbc.co.uk/news/articles/c4gevk2x03go
- BBC.com (2025I): Four arrested in connection with M&S and Co-op cyber-attacks: https://www.bbc.co.uk/news/articles/cwykgrv374eo
- BBC.com (2025J): Co-op says cyber-attack cost it £206m in lost sales: https://www.bbc.co.uk/news/articles/ckgq9dke4e5o
- BBC.com (2025K): M&S profits almost wiped out after cyber hack hit sales: https://www.bbc.co.uk/news/articles/c93x16zkl9do
- BBC.com (2025L): M&S click and collect returns 15 weeks after cyber attack: https://www.bbc.com/news/articles/cewyyjdzql4o
- BBC.com (2025M): Hackers contact Harrods after 430,000 customer records hit by IT breach: https://www.bbc.co.uk/news/articles/cpq5w324pd3o
- Bleepingcomputer.com, (2025A): Marks & Spencer breach linked to Scattered Spider ransomware attack: https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/
- Bleepingcomputer.com, (2025B): Marks & Spencer breach linked to Scattered Spider ransomware attack: https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/
- BleepingComputer.com (2025C): Marks & Spencer breach linked to Scattered Spider ransomware attack: https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/
- Computerweekly.com (2025A): Co-op declares cyber attack damage cost £206m: https://www.computerweekly.com/news/366632018/Co-op-declares-cyber-attack-damage-cost-it-206m
- Computerweekly.com (2025B): Co-op chief ‘incredibly sorry’ for theft of 6.5m members’ data: https://www.computerweekly.com/news/366627833/Co-op-chief-incredibly-sorry-for-theft-of-65m-members-data
- Computerweekly.com (2025C): M&S parts ways with CTO after cyber attack: https://www.computerweekly.com/news/366630565/MS-parts-ways-with-CTO-after-cyber-attack
- Computerweekly.com (2025D): Pulling the plug: A way to halt a cyber attacker in your network?: https://www.computerweekly.com/feature/Pulling-the-plug-A-way-to-halt-a-cyber-attacker-in-your-network
- Computerweekly.com (2025E): Harrods hit by second cyber attack in six months: https://www.computerweekly.com/news/366632066/Harrods-hit-by-second-cyber-attack-in-six-months
- Cybersecuritydive.com (2025): Victoria’s Secret postponing release of report earnings amid breach impact: https://www.cybersecuritydive.com/news/victorias-secret-postponing-earnings-breach/749665/
- Drapers.com (2025): M&S hit with lawsuit following customer data breach: https://www.drapersonline.com/news/ms-hit-with-lawsuit-following-customer-data-breach
- FinancialTimes.com (2025): M&S cyber insurance payout to be worth up to $100m: https://app.ft.com/content/723b6195-1ce7-4b5f-94f5-729e9152c578
- Investor’s Chronicle (2025) 27 June – 3 July, Can M&S avoid becoming a fashion victim?
- Itpro.com (2025): M&S calls in NCSC after ‘cyber incident’ disrupts customer payments, online orders: https://www.itpro.com/business/m-and-s-calls-in-ncsc-after-cyber-incident-disrupts-customer-payments-online-orders
- ITV.com (2025): M&S resumes online orders six weeks after cyber attack: https://www.itv.com/news/2025-06-10/m-and-s-resumes-online-orders-six-weeks-after-cyber-attack
- kpl-databreach.co.uk (2025): Co-op Data Breach Compensation Claim: Has your personal data been compromised in the Co-op cyberattack?: https://www.kpl-databreach.co.uk/the-co-op/
- planbconsulting.co.uk (2025): The Co-op Cyber attack – A Timeline Case Study: https://planbconsulting.co.uk/knowledge-zone/the-co-op-cyber-attack-a-timeline-case-study/
- Theguardian.com (2025A): M&S cyber-attack linked to hacking group Scattered Spider: https://www.theguardian.com/business/2025/apr/29/m-and-s-cyber-attack-linked-to-hacking-group-scattered-spider
- Theguardian.com (2025B): Harrods warns customers their data may have been stolen in IT breach: https://www.theguardian.com/business/2025/sep/26/harrods-warns-customers-their-data-may-have-been-stolen-in-it-breach
- Retailgazette.com (2025A): M&S chair says DragonForce was behind cyber attack: https://www.retailgazette.co.uk/blog/2025/07/ms-cyber-attack-fbi/
- Retailgazette.com (2025B): M&S apologises after contactless payments fail across UK stores: https://www.retailgazette.co.uk/blog/2025/04/ms-contactless/
- Reuters.com (2025): Victoria’s Secret says cyber incident led to temporary website shut down: https://www.reuters.com/business/victorias-secret-says-cyber-incident-led-temporary-website-shut-down-2025-06-03/
- Sunday Times, (2025A): Marks & Spencer shuts out WFH staff after cyberattack
- Sunday Times, (2025B): Cyber contagion: high street hacking fallout spreads to small firms
- Prevett, S (2025): The Weekend 80,000 Bots from Brazil Crashed a Handbag Website. Article published by The Sunday Times