What We Know About the M&S Cyber Attack That Disrupted Online Orders


Marks & Spencer (M&S) has recently confirmed “pockets of limited availability” across some of its stores following a significant cyber attack that temporarily disrupted parts of its IT systems. The British retailer has been grappling for over a week with the fallout from the incident, which has wiped millions off its market value. With approximately 64,000 employees and more than 1,400 stores globally, M&S is actively investigating the breach and its implications.

Here’s what we know so far about the M&S cyber attack.

What Happened in the M&S Cyber Attack?

Marks & Spencer first revealed the cyber attack on Monday, April 21, after customers reported payment issues and delays in receiving online orders. In an email to shoppers, M&S chief executive Stuart Machin stated, “Over the last few days, M&S has been managing a cyber incident. To protect you and the business, it was necessary to temporarily make some small changes to our store operations, and I am sincerely sorry if you experienced any inconvenience.” He reassured customers that stores remained open and that the website and app were operating normally, urging them not to take any action unless further updates were provided.

Experts have described the incident as a severe ransomware attack. Dan Card, a cyber expert at BCS, the chartered institute for IT, characterized it as “a pretty bad episode of ransomware,” noting that recovering from such events is both technically and logistically challenging. Ransomware is a type of malicious software that locks or encrypts a victim’s data, demanding payment—often in cryptocurrency—to restore access.

Who Was Behind the M&S Cyber Attack?

The attack is believed to have been orchestrated by a group known as Scattered Spider, also referred to as UNC3944, Octo Tempest, or Muddled Libra. This group is suspected of breaching M&S systems as early as February 2025, allegedly stealing sensitive data, including the Windows domain’s NTDS.dit file, which contains user credentials. They are also believed to have deployed ransomware to encrypt parts of M&S’s infrastructure.

Scattered Spider is notorious for employing advanced social engineering tactics, including phishing and multi-factor authentication (MFA) fatigue attacks. Phishing tricks users into revealing sensitive information, while MFA fatigue involves overwhelming users with repeated login requests, hoping they will approve one out of frustration or confusion. Graeme Stewart, head of public sector at security company Check Point, described Scattered Spider as “one of the most dangerous and active hacking groups we are monitoring.” Since their emergence in 2022, they have been linked to over 100 targeted attacks across various industries, including telecoms, finance, retail, and gaming.
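For defenders, the MFA fatigue pattern described above leaves a recognisable trace in authentication logs: a run of denied or timed-out push prompts for one account, ending in an approval. The sketch below is an added example, not taken from the M&S investigation or from any vendor's tooling; the event fields, result values and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (time, user, push result); not real incident data.
SAMPLE_EVENTS = [
    ("2025-01-01T09:00:00", "alice", "approved"),  # ordinary single login
    ("2025-01-01T02:10:00", "bob", "denied"),      # burst of prompts...
    ("2025-01-01T02:10:40", "bob", "timeout"),
    ("2025-01-01T02:11:30", "bob", "denied"),
    ("2025-01-01T02:12:10", "bob", "denied"),
    ("2025-01-01T02:13:00", "bob", "timeout"),
    ("2025-01-01T02:13:20", "bob", "approved"),    # ...ending in an approval
    ("2025-01-01T08:00:00", "carol", "denied"),    # denials spread over hours
    ("2025-01-01T08:30:00", "carol", "denied"),
    ("2025-01-01T09:10:00", "carol", "denied"),
    ("2025-01-01T09:50:00", "carol", "denied"),
    ("2025-01-01T10:00:00", "carol", "approved"),
]


def find_push_fatigue(events, window=timedelta(minutes=10), min_unapproved=4):
    """Return (user, approval_time, unapproved_count) for every approval that
    follows at least `min_unapproved` denied/timed-out pushes inside `window`.
    Both thresholds are assumed values and should be tuned per environment."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes
    alerts = []
    # ISO 8601 timestamps in one format sort chronologically as strings.
    for ts, user, result in sorted(events):
        now = datetime.fromisoformat(ts)
        pending = recent[user]
        # Drop unapproved pushes that have aged out of the sliding window.
        while pending and now - pending[0] > window:
            pending.popleft()
        if result in ("denied", "timeout"):
            pending.append(now)
        elif result == "approved":
            if len(pending) >= min_unapproved:
                alerts.append((user, ts, len(pending)))
            pending.clear()  # a fresh approval starts a new sequence
    return alerts


if __name__ == "__main__":
    for user, when, count in find_push_fatigue(SAMPLE_EVENTS):
        print(f"review {user}: approval at {when} after {count} unapproved prompts")
```

An alert of this kind is a prompt to contact the user and review the session, since a legitimate user fumbling with a phone can produce the same sequence.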

Reports indicate that DragonForce ransomware was deployed to VMware ESXi hosts on April 24 to encrypt virtual machines. The group reportedly gained access to M&S systems and remained undetected for weeks. Following the breach, M&S enlisted cybersecurity experts from CrowdStrike, Microsoft, and Fenix24 to help investigate and contain the incident.

What Impact Has the Cyber Attack Had on M&S?

The repercussions of the cyber attack have been significant. Nayna McIntosh, a former M&S executive and founder of Hope Fashion, likened the decision to halt online orders to “cutting off a limb.” Susannah Streeter, head of money and markets at Hargreaves Lansdown, emphasized that the pause on online orders would be “hugely damaging for sales.” She noted that fashion sales are likely to take a substantial hit, particularly as the attack coincided with warm weather when summer ranges would typically be gaining traction in virtual shopping carts.

Moreover, the attack has had a tangible impact on M&S’s market value. Shares fell by 2.2% to 377.3p on Monday morning, with over £700 million wiped from the company’s market capitalization since the incident. The depth of M&S’s challenges in resolving the issue raises concerns about its ability to regain customer trust in the aftermath of such a disruptive event.

As Marks & Spencer continues to navigate the complexities of this cyber attack, the focus remains on recovery and safeguarding its operations against future threats. The incident serves as a stark reminder of the vulnerabilities that even established retailers face in an increasingly digital landscape.
