
In April 2025 Marks & Spencer (M&S) disclosed a cyberattack that severely disrupted its business and cost the company hundreds of millions of pounds.
In late April 2025 M&S warned investors that the incident, which it identified as a ransomware breach, would likely drag on through June/July and shave roughly £300 million off its annual profit.
The retailer has 65,000 staff and over 1,400 stores, and the attack forced it to shut down automated ordering and stock systems. In effect M&S had to revert to pen-and-paper to track fresh food and clothing supplies, leaving some shelves bare and fueling customer frustration.
Timeline of Events

Here’s a detailed timeline of what has happened so far:
- Easter Weekend 2025 (Apr 19–21) – Customers nationwide begin experiencing glitches in M&S stores. Contactless card payments and “Click & Collect” order pickups suddenly fail in many outlets. By Monday April 21 contactless tills and order collection systems are down across the chain. Company insiders later confirmed that these unexplained outages were the first signs of the cyber incident.
- Apr 22, 2025 – M&S issues a formal statement to the stock market. It acknowledges a cyber incident but stresses that stores remain open and its website/app are still running (though some in-store processes have been modified for safety). The company reports the breach to the UK’s National Cyber Security Centre and hires external experts to contain the problem. At this stage M&S assures customers their data is safe.
- April 23, 2025 – According to news reports in early June, M&S CEO Stuart Machin was sent a message from hacking group DragonForce using an employee email account. The email confirmed that M&S was hacked by the ransomware group, who allegedly encrypted all the company’s servers.
- Apr 25, 2025 – Online shopping is suspended. After assessing the scope of the hack, M&S halts all purchases via its website and mobile app. This follows days of in-store disruption. Automated inventory and sales systems were already switched off to limit damage, so stores are forced to fulfill urgent needs manually. Newswires report that food halls ran low and some gift-card terminals, returns kiosks and loyalty services remained offline.
- Late April – Early May 2025 – Disruptions persist. By early May the online shop is still down, and the retailer warns that restoration could take weeks. Stores are limping along with manual processes – workers even physically checking fridge temperatures – and customers are told to expect ongoing inconvenience. M&S executives repeatedly apologize for the disruption and promise updates when available.
- May 13, 2025 – Stolen data revealed. M&S confirms that hackers stole personal customer information as part of the attack. The compromised data include names, addresses, email addresses, phone numbers, dates of birth and online order histories. M&S emphasizes that no full payment card details or passwords were taken. The company notifies all affected users and resets their passwords out of caution.
- May 21–22, 2025 – Ongoing impact and recovery plan. In its annual results presentation, M&S quantifies the hit at roughly £300 million in lost profit and forecasts online sales disruptions lasting into July. The retailer brings its website back up (read-only) on the evening of May 21. Meanwhile, police and cybercrime agencies announce that they are focusing on a known hacking group – Scattered Spider – as suspects in the M&S breach.
- June 10, 2025 – M&S resumed taking online orders for some clothing lines after a 46-day hiatus following the damaging cyberattack.
Attackers and Methods
Investigators have identified the M&S attack as a ransomware incident with a classic double extortion tactic: criminals encrypted company systems and exfiltrated data, then demanded payment to decrypt the systems and delete the stolen files. The DragonForce ransomware gang claimed the attack, and the ransom note received by the company’s CEO reinforced that claim. Within days of the M&S breach the gang was also hitting other UK firms (Co-op supermarket and Harrods). The Scattered Spider network, a group of young hackers across the US and UK, was also connected to the incident.
How did the attackers get in?
The breach appears to have originated through a third-party supplier. M&S’s IT helpdesk is run by Tata Consultancy Services (TCS), and executives later admitted that the hackers first compromised this contractor. In practice, the attackers used social engineering to trick helpdesk staff into handing over access: they rang support desks posing as internal IT, obtained credentials or password resets, and then infiltrated the M&S network. CEO Stuart Machin bluntly told reporters M&S was simply “unlucky … through human error” – the malicious calls fooled staff despite the company’s security investments. In other words, the attackers rang M&S suppliers and employees, exploiting trust and the fact that the callers were native English speakers. Once inside, the hackers deployed the DragonForce ransomware to encrypt data and steal customer records.
Consequences and Fallout
The operational impact on M&S has been severe. With core IT systems offline, stores could not scan or automatically track millions of products. M&S had to shift to manual workarounds: stock deliveries and fresh-food shipments were logged on paper, causing shelves to go empty. Staff even manually checked refrigerator temperatures because automated monitors were down. Key services were disrupted for weeks: contactless payments and Click & Collect were down at Easter; gift-card terminals and returns kiosks malfunctioned; and the Sparks loyalty program halted. Customer complaints flooded social media, prompting M&S to publicly apologize and urge patience (noting stores and its website were still open).
Customers are also worried about the data breach. Although no credit card data or passwords were stolen, the leaked personal information (names, addresses, birthdays, order histories) can facilitate targeted fraud. Cyber experts immediately advised all M&S shoppers to stay aware of phishing attacks. For example, NCC Group’s Matt Hull warned that criminals could use the stolen data to craft “very convincing scams” posing as M&S. In response, M&S forced password resets for all online accounts and has been reminding users that it will never ask for sensitive data by email or phone.
The financial and reputational hit has also been heavy. Analysts at Deutsche Bank estimate an immediate £30 million profit loss plus about £15 million of additional weekly lost profit until systems are fully restored. The stock market reacted badly: at one point the attack wiped roughly £750 million off M&S’s market value. Company forecasts now account for about £300m of lost operating profit in 2025/26. Much of this will be offset by insurance, but directors warn that the longer the outage lasts, the greater the unrecoverable loss. On a brighter note, analysts believe the brand’s long-term health is likely intact. Several retail analysts emphasize that M&S enjoyed strong consumer support – indeed some customers said they were shopping in stores in solidarity.
5 Ways This Could Have Been Prevented
Cybersecurity experts stress that many of M&S’s challenges were preventable with stronger basic defenses and controls. A consensus view is that fundamental measures, if properly implemented, could have thwarted the attack or limited its impact.
Some of the key recommendations that most will agree on include:
- Strong Multi-Factor Authentication. All remote-access tools and employee accounts should have strong MFA. If the supplier helpdesk had required a second factor for password resets or admin logins, the simple phone-based breach might not have succeeded.
- Third-Party Risk Management. Vendors and MSPs should be tightly controlled. Best practice is to give external contractors only the minimum privileges they need, and to segment their access from core systems. In this case, isolating the helpdesk environment (or using just-in-time virtual machines) could have prevented attackers from pivoting into M&S’s main network.
- Employee Training and Verification. Because the intrusion began with social engineering calls, security awareness would have been useful. Regular drills and strict procedures (e.g. requiring call-back verification or helpdesk ticket tracking) can ensure that support staff never blindly follow an unscheduled phone request. Employees must be trained to question unexpected requests for credentials or system changes.
- Email and Network Defenses. A layered email security stack and phishing simulations are important. Advanced malware scanning, anomaly detection and network segmentation (so that one host compromise cannot encrypt all systems) are also needed. M&S has since said it is accelerating its multi-year tech upgrade into just a few months.
- Backups and Incident Plans. A tried‑and‑true defense against ransomware is to maintain offline or immutable backups of all data and system images. If M&S had air‑gapped backups, it could have restored systems without paying ransom. Likewise, a rehearsed incident response plan (from the UK’s NCSC or CISA playbooks) enables faster recovery.
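The MFA and call-back verification recommendations above can be enforced as a gate that a helpdesk tool runs before any password reset. The following is an added example, not code from M&S, TCS or BlackFog; the directory, account names, ticket ids and phone numbers are constructed, and the policy rules are an assumed illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed directory. The number on record comes from HR data, never from the caller.
DIRECTORY = {
    "j.smith":   {"phone_on_record": "+44 20 7946 0101", "privileged": False},
    "svc-admin": {"phone_on_record": "+44 20 7946 0199", "privileged": True},
}

@dataclass
class ResetRequest:
    account: str
    ticket_id: Optional[str]        # request must be tracked in the ticketing system
    callback_number: Optional[str]  # number the agent actually dialled back
    mfa_verified: bool              # second factor confirmed before the reset
    approver: Optional[str] = None  # second person signing off on privileged resets

def evaluate_reset(req: ResetRequest):
    """Return (allowed, reasons). Any failed check denies the reset."""
    entry = DIRECTORY.get(req.account)
    if entry is None:
        return False, ["unknown account"]
    reasons = []
    if not req.ticket_id:
        reasons.append("no helpdesk ticket")
    if req.callback_number != entry["phone_on_record"]:
        reasons.append("call-back not made to number on record")
    if not req.mfa_verified:
        reasons.append("second factor not verified")
    if entry["privileged"] and req.approver in (None, "", req.account):
        reasons.append("privileged reset needs an independent approver")
    return not reasons, reasons

if __name__ == "__main__":
    # Constructed requests: a routine reset and an unscheduled phone request.
    routine = ResetRequest("j.smith", "HD-1001", "+44 20 7946 0101", True)
    phone_only = ResetRequest("svc-admin", None, "+44 20 7946 0555", False)
    for r in (routine, phone_only):
        print(r.account, evaluate_reset(r))
```

Returning every failed check, rather than stopping at the first, gives the audit log a full record of why a request was refused.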
How Anti Data Exfiltration (ADX) Could Have Helped
Most organizations think of ransomware as an encryption problem. But attacks like the one on Marks & Spencer begin long before any files are locked. The real damage starts with data quietly leaving the network: customer records, internal documents, and system configurations are exfiltrated over days or weeks before the ransom note ever appears.
This is where anti data exfiltration (ADX) comes in.
The ransomware group used a double extortion strategy. After gaining access via a social engineering phone call, they spent time inside the network harvesting sensitive customer data. Only once that data was successfully exfiltrated did they deploy the DragonForce ransomware to encrypt systems and demand payment. Traditional security tools didn’t catch the outbound data transfers. That’s because most legacy solutions focus on preventing inbound threats or detecting malware post-infection – not monitoring for outbound data theft in real time.
ADX solutions like BlackFog are designed specifically to address this blind spot. By blocking unauthorized data flows to external destinations, including C2 infrastructure, anonymizing networks, or cloud drives, ADX cuts off the attacker’s ability to steal and monetize data. It also halts payload downloads delivered through ad networks (a method frequently used by Scattered Spider affiliates). In other words, ADX doesn’t just detect breaches; it prevents attackers from turning access into impact.
Had M&S deployed ADX across its endpoints, it’s likely that the data exfiltration phase would have been blocked outright – neutralizing the leverage that made the breach so damaging. Instead of negotiating under threat of exposure and encryption, M&S could have caught the intrusion early, contained the threat, and avoided the reputational and financial fallout.
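To make the idea of watching outbound flows concrete, the sketch below totals each host's bytes sent to destinations outside an egress allowlist and flags hosts that exceed a budget. It is an added example and not BlackFog's product logic; it only detects, where ADX is described as blocking. The log format, host names, domains, allowlist and budget are all constructed assumptions.

```python
from collections import defaultdict

APPROVED_SUFFIXES = ("corp.example", "backup.example")  # assumed egress allowlist
BUDGET_BYTES = 50_000_000  # assumed per-host budget for unapproved destinations

# Constructed flow records: timestamp, source host, destination, bytes sent out.
FLOW_LOG = """\
2025-04-20T01:02:11Z hd-ws-14 files.corp.example 1200000
2025-04-20T01:05:40Z hd-ws-14 upload.storage.example.net 42000000
2025-04-20T01:09:02Z hd-ws-14 upload.storage.example.net 38000000
2025-04-20T01:10:30Z till-07 pay.corp.example 90000
2025-04-20T01:11:00Z db-03 nightly.backup.example 900000000
malformed line here
2025-04-20T01:12:45Z till-07 cdn.example.org 300000
"""

def parse(log):
    """Yield (host, destination, bytes_out); skip lines that do not parse."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        yield parts[1], parts[2].lower().rstrip("."), int(parts[3])

def is_approved(dst):
    """Match the allowlisted domain itself or any subdomain of it."""
    return any(dst == s or dst.endswith("." + s) for s in APPROVED_SUFFIXES)

def egress_violations(log, budget=BUDGET_BYTES):
    """Return sorted (host, total_bytes, top_destination) for hosts over budget."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, dst, nbytes in parse(log):
        if not is_approved(dst):
            totals[host][dst] += nbytes
    alerts = []
    for host, by_dst in totals.items():
        total = sum(by_dst.values())
        if total > budget:
            alerts.append((host, total, max(by_dst, key=by_dst.get)))
    return sorted(alerts)

if __name__ == "__main__":
    for host, total, dst in egress_violations(FLOW_LOG):
        print(f"ALERT {host}: {total} bytes to unapproved destinations, mostly {dst}")
```

The large transfer from db-03 is not flagged because its destination is on the allowlist, which is why the allowlist itself needs to be kept narrow and reviewed.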
Learn how BlackFog can protect your business at BlackFog.com.