When Marks & Spencer announced on April 22, 2025 that it had been crippled by a ransomware strike, shoppers across the United Kingdom suddenly found contactless tills and Click‑&‑Collect kiosks dead in the water.
The breach began in February, when a group of cyber‑criminals slipped past the retailer's defenses by stealing a critical Windows file called NTDS.dit – essentially a vault of password hashes for every user on the corporate network. The thieves then deployed the notorious DragonForce ransomware, encrypting virtual machines that run everything from inventory to point‑of‑sale systems. By Easter weekend (April 19‑21), the disruption was obvious: queues grew, staff resorted to manual cash registers, and online orders vanished.
How the Attack Unfolded
According to threat‑intel firms CM Alliance and Sangfor, the entry point was classic social engineering. An actor posing as a senior employee convinced a third‑party IT contractor to reset a password, granting the hackers a foothold on the domain. Archie Norman, Chairman of Marks & Spencer, later confirmed in a televised interview that "the impersonation was sophisticated – the caller knew internal acronyms and had the right tone".
Once inside, the crew – identified by security researchers as the hacking group Scattered Spider (also known as UNC‑3944) – extracted the NTDS.dit file, cracked the hashes, and moved laterally across the network. Their payload, DragonForce ransomware, began encrypting data on April 19, 2025, precisely when many customers were hunting for Easter ham and chocolate eggs.
Immediate Business Impact
On April 21, all contactless payment terminals and gift‑card kiosks were down chain‑wide. The company suspended online sales on April 25, estimating a daily loss of about £3.8 million. Analysts at TechZine warned that the five‑day shutdown could shave roughly £300 million off the retailer's bottom line.
- The share price fell, wiping more than £500 million off the company's market value within a week.
- Estimated total financial hit: £270 million – £440 million (≈ $363 million – $592 million).
- Customer data – names, birth dates, addresses, phone numbers and purchase histories – were exposed, though payment details were not stored.
- The Cyber Monitoring Centre (CMC) classified the incident as a "Category 2 systemic event" affecting both Marks & Spencer and Co‑op.
Response from Leadership and Regulators
On April 22, Marks & Spencer filed a notice with the London Stock Exchange, reassuring investors that physical stores remained open and the website was still reachable, albeit with limited functionality.
Later that week, Stuart Machin, Chief Executive Officer, received a chilling email from the DragonForce group via an employee address, claiming the entire server fleet was encrypted. Machin responded publicly on May 13, stating, "We have no evidence that any payment or password data was compromised, and we are working day and night to restore services and protect our customers."
The retailer also reported the breach to the National Cyber Security Centre and hired external experts from BlackFog and The Hacker News to contain the threat. Password resets were forced for all online accounts, and multi‑factor authentication was strongly recommended.
Customer Fallout and Expert Advice
BBC coverage on May 13 confirmed that the exposed data did not include "usable payment or card details". Still, the breach sparked a wave of phishing attempts targeting unsuspecting shoppers. Cybersecurity consultants urged customers to:
- Change passwords immediately, using unique phrases rather than simple words.
- Enable MFA on all financial and retail accounts.
- Monitor credit reports for unexplained activity.
- Beware of emails that reference "M&S" but contain suspicious links.

Financial Ripple Effects
Beyond the direct loss of sales, the attack rattled the entire UK retail supply chain. Suppliers reported delayed payments as M&S grappled with manual inventory reconciliation. Analysts at Bloomberg forecast a possible 2‑3% dip in the retailer's 2025 fiscal earnings, translating to roughly £400 million when the full year is tallied.
Interestingly, the incident coincided with a broader wave of ransomware campaigns targeting European supermarkets. The CMC's decision to bundle M&S and Co‑op under a single "combined cyber event" underscores a worrying trend: a single threat actor can leverage similar tactics across multiple retailers, amplifying systemic risk.
Looking Ahead – Will a Ransom Be Paid?
As of the latest update on May 26, 2025, Marks & Spencer had restored partial services, but order tracking and card redemption remained spotty. The company has not disclosed whether it paid any ransom to Scattered Spider. Industry experts, including those at Specops Software, note that paying a ransom rarely guarantees full data recovery and can embolden attackers.
Full restoration is projected for July 2025, assuming no further setbacks. In the meantime, the retailer is re‑engineering its cybersecurity posture, integrating zero‑trust architecture and expanding employee phishing training.
Frequently Asked Questions
How does the ransomware attack affect M&S customers?
Customers faced dead contactless tills, cancelled Click‑&‑Collect orders, and a temporary halt to online shopping. While payment card details were not stored, personal information like names and addresses was exposed, prompting mandatory password resets.
What caused the breach in the first place?
Threat actors from the Scattered Spider group used social engineering to trick a third‑party contractor into resetting a privileged account. They then stole the NTDS.dit file, cracked password hashes, and deployed DragonForce ransomware across M&S’s network.
Did Marks & Spencer pay a ransom?
The company has not confirmed any payment. Security experts warn that paying ransoms rarely ensures data recovery and may encourage further attacks, so M&S has focused on containment and system restoration instead.
What financial damage has the ransomware caused?
Estimates range from £270 million to £440 million in total impact, including £3.8 million lost each day the online store was down and a market‑value hit of over £500 million. Analysts project a potential £300 million hit to the 2025 earnings.
What steps should affected customers take?
Reset passwords immediately, enable multi‑factor authentication, monitor credit reports for unusual activity, and be skeptical of any emails claiming to be from Marks & Spencer that request personal information.