Introduction

Marks & Spencer (M&S) recently experienced a significant ransomware attack attributed to the hacking group Scattered Spider [3]. This incident has caused substantial operational disruptions and financial losses, highlighting vulnerabilities in M&S’s cybersecurity defenses and the increasing threat of cyber-attacks in the retail sector.

Description

Marks & Spencer (M&S) recently faced a significant ransomware attack on April 22, 2025, attributed to the hacking group Scattered Spider [4] [9], also known as 0ktapus, Starfraud [9], and Muddled Libra [9]. This English-speaking collective [10], which includes members from both the UK and the US, is unusual in its composition, as most comparable groups are based in Russia [6]. Some of its members are reportedly as young as 16 years old [6]. The attack caused major disruptions across M&S’s 1,400 stores, including halted online ordering and payment system failures [3], leading to operational chaos [8], empty shelves [5] [9], lost sales [8], and customer frustration [8]. Financial losses are estimated at £3.5 million to £3.8 million per day, with a potential market valuation drop of £500–700 million, resulting in a share price decline of over 14% [3].

The breach compromised personal customer data [8], including names [3] [4] [8] [10], addresses [8], contact details [2] [4], dates of birth [2] [4], and order histories [2] [4] [8], while sensitive information such as payment card details and passwords remained secure [8], thereby reducing immediate financial risks [9]. CEO Stuart Machin confirmed that while some personal customer information was taken [1], there is no evidence that it has been shared [1]. Experts have labeled the attack a classic ransomware scenario, where access to critical systems is restricted until a ransom is paid [7]. M&S has been hesitant to meet ransom demands [7], which are typically made via the Dark Web and requested in cryptocurrency [7].

Investigators revealed that the attackers gained access to M&S systems by obtaining the NTDS.dit file from a Windows domain controller [3]. This file is the Active Directory database and contained hashed employee credentials; the access was likely acquired through social engineering tactics such as phishing and multi-factor authentication (MFA) bombing [3]. Cybersecurity expert Dr. Ian Batten [2] [4] [5] [8] indicated that the hackers may have breached M&S’s systems as early as February [5], potentially waiting months to execute the attack [5], which could have compromised backups and made recovery difficult [5]. In response to the breach, M&S has engaged cybersecurity experts to investigate the incident and is cooperating with UK authorities [8], including the National Crime Agency and the National Cyber Security Centre (NCSC), which is leading the investigation [2]. The company has temporarily suspended online shopping and will prompt users to reset their passwords at the next login as a precaution, advising customers to be vigilant against phishing attempts and to monitor for suspicious communications [1]. M&S emphasizes that it will never ask for passwords and recommends using unique [1], strong passwords for online accounts [1].

Tim Mitchell [6], a senior security researcher at Secureworks [6], noted that the group’s motivations may include a desire for notoriety in addition to financial gain [6]. The incident has highlighted vulnerabilities in M&S’s cyber defenses [7], particularly concerning their reliance on third-party IT services and a hybrid work model that may expose them to additional risks [7]. Cybersecurity experts warn that the stolen information could be exploited for targeted scams and phishing attacks [2], even without the compromise of sensitive financial information [9]. M&S is committed to enhancing its cybersecurity measures to prevent future incidents [8], recognizing the increasing prevalence of cyber threats in the retail sector [8]. Customers are encouraged to monitor their bank statements for suspicious activity and stay informed about updates from M&S [8].

Investigators have noted that the tactics used in this attack bear similarities to those of Scattered Spider [2], which is believed to consist of around 1,000 young men and teenagers in the UK and US [2], and has connections to malware developed by the Russian-linked group BlackCat/ALPHV [2]. Google’s Threat Intelligence Group (GTIG) has indicated that Scattered Spider is aggressive and skilled at bypassing security measures, often employing social engineering [5] [10], phishing [1] [2] [3] [9], and MFA fatigue attacks to infiltrate targets. The Information Commissioner’s Office is also investigating the incident alongside the NCSC [2], which has highlighted the increasing threat of ransomware and extortion attacks affecting retailers [4], emphasizing the use of “ransomware as a service” by hacking groups [4]. Tyler Buchanan [2], a suspected ringleader of Scattered Spider [2], has been arrested and faces multiple charges related to cybercrime [2].

The increasing sophistication and frequency of cyber-attacks pose significant challenges for businesses [7], with a notable rise in ransomware incidents reported in the UK [7]. The impact of such attacks can be devastating [7], with only a small percentage of organizations recovering all their data after paying ransoms [7]. M&S has issued guidance to customers regarding potential phishing attempts and has advised them to reset their passwords for security [2]. Additionally, the incident has caused disruptions in the supply chain [2], affecting various partners of M&S [2], including Greencore and Nails Inc. [3], who have had to revert to manual processes to meet demand [3]. Certain services [9], such as gift card acceptance and returns for food items [9], are currently unavailable [9]. Customers should be cautious of any communications requesting personal information and avoid clicking on attachments or links from unknown senders [1], taking proactive measures to monitor their identity and stay informed about potential threats [1].

Conclusion

The ransomware attack on M&S underscores the critical need for robust cybersecurity measures in the retail sector. The incident has not only resulted in significant financial and operational impacts but also exposed vulnerabilities that require immediate attention. M&S’s response, including engaging cybersecurity experts and cooperating with authorities, is crucial in mitigating the effects of the breach. Moving forward, enhancing cybersecurity protocols and educating customers on potential threats will be vital in safeguarding against future attacks.

References

[1] https://www.bitdefender.com/en-us/blog/hotforsecurity/marks-spencer-confirms-customer-data-was-stolen-in-ransomware-attack-heres-what-you-need-to-know
[2] https://nationalsecuritynews.com/2025/05/marks-spencer-admits-customer-data-stolen-in-devastating-1bn-cyber-hack/
[3] https://www.mimecast.com/blog/human-error-at-the-heart-of-recent-ransomware-attacks-on-uk-retail-giants/
[4] https://www.deeside.com/marks-spencer-confirms-customer-data-stolen-in-cyber-attack/
[5] https://metro.co.uk/2025/05/13/surprising-tactics-hackers-targeting-major-firms-like-m-amp-s-co-op-23077018/
[6] https://www.lbc.co.uk/news/explained/was-my-data-stolen-m-and-s-cyber-attack/
[7] https://www.cybersecurityintelligence.com/blog/the-growing-ransomware-crisis-8427.html
[8] https://stories.jobaaj.com/news-updates/market/marks-spencer-cyberattack-what-happened-and-what-it-means-for-you
[9] https://www.cybersecurityintelligence.com/blog/the-attack-on-mands-reverberates-three-weeks-later-8392.html
[10] https://www.computerweekly.com/news/366623999/Scattered-Spider-retail-attacks-spreading-to-US-says-Google