British high-street retailer Marks & Spencer (M&S) was shaken over an Easter weekend-commencing cyberattack, which was confirmed on April 22, 2025 (TechCrunch). The attack, aside from bringing operations to a standstill at M&S, also highlighted the vulnerabilities of the retail industry to newer cyberattacks. The attack, which was coordinated by the Scattered Spider cyber-attack group, was carried out using the DragonForce ransomware on the systems of the company. The following is what the attack was, what effects it had, and what impact it will have on the retail cybersecurity of tomorrow.
The Assault: Organized and Well-Planned
The assault occurred after suspicious activity was detected within its systems over the Easter holiday. It was on April 22 that M&S announced a cyber assault and published notices for business resilience and for the protection of customers. It was the work of the group Scattered Spider, which specializes in high-level social engineering and ransomware methods, and was responsible for high-profile assaults on MGM Resorts and Caesars Entertainment beforehand.
Scattered Spider, we are told, could have infiltrated the systems at M&S back in February 2025, stealing with it reportedly the Windows domain NTDS.dit file—a system directory services file containing sensitive credentials. This was a clearly-prepared, long-term plan and attack. It had an impact on contactless payments, online orders, and picking up in store to mention but a few, causing major systems disruption on a massive scale (Al Jazeera).
| Affected Area | Details |
|---|---|
| Online Orders | Suspended for over a week, leading to a daily loss of £3.8 million (The Guardian). |
| In-Store Operations | Automated stock systems were disabled; manual temperature checks for refrigerators were required, causing stock shortages (The Guardian). |
| Deliveries | Some packaged food deliveries to Ocado were halted (The Guardian). |
| Payment Systems | Contactless payments and gift cards were initially disrupted. Contactless payments were later restored; Sparks loyalty program still affected (The Guardian). |
| Food Waste | Increased due to disruptions in donation and discount processes. Donations have since resumed (The Guardian). |
Operational Impact: A Giant Struggles
The attack disrupted significantly both the physical and the internet businesses of M&S. As Britain’s retail behemoth that accounted for a third of Britain’s lingerie purchases and was renowned for food and homewear, M&S was plagued by numerous logistic issues (The Guardian).
Economically, the data breach erased £750 million from the value of M&S and can be expected to cut profits by up to £30 million a year, but losses are currently running at £15 million per week (The Guardian). The damage is reputational as well as economic.
Company Response: Battle the Situation
M&S acted swiftly to combat the crisis. Chief executive Stuart Machin calmed customers, encouraging them to shop at branch while maintaining the firm was “working day and night” to mend the issues. M&S employed outside cybersecurity experts and reported the issues to data protection bodies. The Metropolitan Police and National Crime Agency (NCA) also opened investigations.
However, complete system recovery still proves difficult. Complete website recovery has been pegged at weeks, and complete systems restoration, at months (The Guardian). While being open about its 32 million yearly customers (TechCrunch), it has still not been ascertained whether customers’ data has or hasn’t been hacked. Account password resets being triggered have been reported, which can be an indicator that there is one, but that has been unconfirmed (BleepingComputer).
Expert Opinion: A Even Larger Danger
Based on cyber security knowledge, the attack on M&S and other companies has significant ramifications for both M&S and the retail industry as a whole:
Adam Cochrane, Deutsche Bank: “We have been unable to establish that customers’ data have been stolen, and we don’t expect any brand damage to be permanent. When the problem is resolved, the shares will recover.”
Kate Calvert, Investec: “M&S is properly funded, and the effect from the event will only be seen next year.”
Toby Lewis, Darktrace: “Scattered Spider may have reused the breach access credentials for other attempts at attacking retailers, so there’s now additional threat to the industry” (The Guardian).
Aiden Sinnott, Secureworks: “The talks between the hackers may still proceed, and a ransom can be requested through cryptocurrency” (The Guardian).
These views indicate that the threat is neither to a particular firm but is an evolving threat to the retail industry.
The Broader Picture: Growing Challenges for Retail
The M&S attack forms part of an overall increase in cyberattacks against the retail industry. Harrods and the Co-op Group quickly followed, which had been affected by the identical cyberattacks (Al Jazeera, The Guardian). The UK National Cyber Security Centre (NCSC) helped the targeted businesses, recommending increased improvement in cybersecurity across the industry (NCSC). These incidents make clear that there needs to be more investment in retail cybersecurity. Protecting customers’ data and critical infrastructure is now a requirement, not an option. The M&S fiasco is a wake-up call: cyber security must be an integral part of operational resilience.
