Cyber attack disrupts Marks & Spencer services
Learn More
Marks & Spencer (M&S), a veteran UK retailer, has experienced a significant cyber attack that has caused considerable disruption to customer-facing services. The disruptions occurred during the Easter Bank Holiday period, causing inconvenience to numerous customers who took to social media to express their frustration.
The incident has impacted several critical operations of the retail giant, including:
- Contactless payment systems
- Online click-and-collect services
The nature of the attack, any exposed data or number of impacted individuals are not disclosed.
M&S has acknowledged the incident and made temporary changes to store operations to protect customers and the business. They also enlisted third-party cyber forensics experts to assist with incident management and reported the incident to the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC)
Despite the disruptions, M&S has confirmed that their stores remain open, and their website and app continue to operate normally.
Update - as of 27th of April 2025, Marks & Spencer (M&S) has suspended all online orders and implemented security measures that prevent remote-working employees from accessing certain IT systems as the company works to recover from the cyberattack. The retailer has shut down specific programs that staff typically use to log into internal systems when working outside the office.
Cybersecurity experts view this measure as a likely containment strategy to prevent the cyberattack from spreading further throughout M&S's IT infrastructure.
As of 28th of April 2025, it's believed that the incident is caused by a ransomware attack conducted by a hacking collective known as "Scattered Spider". Apparently the hackers breached M&S in February and stole the Windows domain's NTDS.dit file. This file is the main database for Active Directory Services running on a Windows domain controller and contains the password hashes for Windows accounts. The hackers extracted the passwords and cracked them to expand the attack and steal data.
As of 2nd of May 2025, the ransomware gang DragonForce Ransomware Group took responsibility for the attack. It's possible Scattered Spider is collaborating with DragonForce, using their ransomware.
As of 12 of May 2025, Marks & Spencer has confirmed that customer data was stolen as part of its cyberattack. The stolen customer information includes:
- Names
- Dates of birth
- Telephone numbers
- Home addresses
- Household information
- Email addresses
- Online order histories
The retailer enforced password resets for all M&S.com account holders. The number of affected individuals is still not disclosed.
As of 17th of May 2025, it's believed the hackers have gained entry through a third-party vendor with legitimate access to the retailer's systems. Citing an unidentified source, Reuters reported hackers used the M&S login credentials of two Tata Consulting Services employees. TCS is a Mumbai-based IT consultancy firm that handles the British retailer's digital operations across its supply chain, stores and merchandising.
As of 6th of June 2025, BBC reports that the DragonForce ransomware gang sent a taunting email to CEO Stuart Machin on April 23 using a compromised account belonging to a Tata Consultancy Services (TCS) employee. The report increases the concerns that the attack may have originated through M&S's long-term IT services provider TCS.
