Avoiding Being Marks & Spencer

As Marks & Spencer resume some online orders, we review what happened, how it happened and how you can prevent it happening to you. 

In late April 2025, Marks & Spencer (M&S), a household name in the UK, found itself in the middle of a serious cyberattack. A sophisticated strain of ransomware—known as DragonForce—was unleashed by the notorious Scattered Spider gang, bringing M&S’s online clothing, homeware, and beauty shopping to a standstill. Payment systems like click-and-collect and contactless also went offline, and millions of customers had their personal details accessed. The attackers got in through a vulnerable third-party IT help desk, wiping out an estimated £300–400 million in profits and slashing the company’s market value by over £1 billion. Rebuilding its digital infrastructure will likely stretch into July.

How the hackers got in 

The breach started when hackers targeted a vendor—specifically a Tata Consultancy Services (TCS) help-desk employee—via social engineering. By posing as legitimate M&S staff, they tricked the contractor into handing over credentials, which then opened the door to M&S’s internal systems.  

What they did

Detected around the Easter weekend, the attack was both bold and damaging: 

• Ransomware strike: DragonForce encrypted servers across critical systems. 

• Data theft: Names, emails, dates of birth, order histories—and even masked customer account references—were stolen. Thankfully, no usable payment or password data was taken. 

What was the impact

• Financial punch: Losses were clocking in around £40 million per week, with a projected £300 million hit to annual profits.  

• Market shock: M&S’s valuation fell more than £700 million, a result of revenue loss and shaken consumer confidence.  

• Trust eroded: Customers were frustrated and wary—being unable to shop or redeem vouchers shook their faith in the brand.  

• Insurance puzzle: With a claim estimated at around £100 million, cyber-insurers may not cover everything—adding more uncertainty. 

• Some services still unavailableincluding click & collect, express delivery options and shipping outside of the UK. 

What does this mean for your business

This incident shows ransomware doesn't just break through firewalls—it breaks through people. Here’s the layered defence every organisation should embrace: 

• Lock down third-party access: Enforce MFA, strict access profiles, and regular vendor audits. 

• Out-of-band verifications: Never reset or disable MFA over email or a single phone call—always confirm credentials via established internal channels. 

• Fight social engineering: Regular phishing and vishing drills, paired with ongoing staff education, help strengthen the human firewall. 

• Detect lateral movement: Use SIEM/EDR tools to flag unusual activity like massive credential use or NTDS access. 

• Secure backups: Keep critical data offline and encrypted, and routinely test your recovery procedures. 

This high profile breach serves as a wake-up call: no organisation is immune. It's not just about investing in technology, but building resilience in people and processes. Prevention doesn't require perfection, but vigilance - and readiness to respond when someone tries to tick you.