M&S Cyberattack: What Happened and Why?

In late April 2025, Marks & Spencer suffered a cyberattack which disrupted both its online operations and in-store services. Customers were unable to purchase from the M&S website, while some shelves were left bare in M&S stores across the UK. The company’s market capitalisation dropped by £1 billion, [1] and customer data was allegedly stolen by the cybercriminals.

But what kind of cyberattack was it, and why did it happen?

What happened during the M&S cyberattack

M&S chief executive, Stuart Machin, said his team had first spotted "suspicious activity" over the Easter weekend.[2] M&S had been targeted in a cyberattack that had scrambled the company's servers, forcing the team to take down its online system in order to protect the store and customers. It is expected that the online ordering system will not be back to normal until July.

The cyberattack was revealed to be a ransomware attack. This type of attack prevents you from accessing your data, usually by encrypting your files, after which the cybercriminals demand a ransom in exchange for decrypting them.

Impact on M&S operations

Customers noticed problems when they found themselves unable to use Click & Collect or contactless payments in-store. They were also unable to order items from the M&S website, and stock availability in-store was disrupted.

M&S estimates that the cyberattack will impact 2025’s profits by roughly £300m.[3]

Customer data and security

M&S confirmed that the following customer data could have been stolen from its systems:

  • Name

  • Date of birth

  • Telephone number

  • Home address

  • Email address

  • Online order history [4]

However, any card payment data that was compromised would be unusable, as M&S does not hold full card payment details on its systems.

While M&S has said customers do not need to take any action, the company stated that users will be prompted to reset their password for their online account. They also issued a reminder that M&S will never contact customers to ask for personal account information like usernames or passwords.

Lisa Barber,[5] tech editor at consumer group Which?, advised that customers should change their passwords as soon as possible, and that customers should use different passwords for different websites.

Who carried out the cyberattack?

Detectives have been looking into a hacking group named Scattered Spider,[6] believed to be made up of English-speaking teens and young adults from the UK and USA. They used an affiliate cybercrime service named DragonForce to carry out the ransomware attack, targeting a third party who works with M&S - the Indian IT giant Tata Consultancy Services.

The hackers used social engineering to gain access to the systems: tricking an employee into giving out passwords or login access, usually by posing as someone trustworthy.

What are the broader implications of the cyberattack?

M&S’s loss in profits - about 30% of their yearly estimate[7] - shows the damage a ransomware attack can do to a company. The fact that it impacted not only their online business, but payments and stock in-store, also demonstrates how far the damage can stretch. Thankfully, as the company had cyber insurance in place, some of the damage will be mitigated. M&S have also stated that they will be cutting costs to recoup their losses, which indicates they had a plan in place in the event that a cyberattack occurred.

Businesses should stay aware of the danger of social engineering when it comes to hackers. Whether your online systems are managed in-house or by a third party, employees should be aware of the tricks and scams that hackers attempt to pull, such as phishing emails.

Marc Rocker

Head of Cyber

Marc Rocker, Head of Cyber, has been with Everywhen for over 15 years, advising commercial clients of all sizes on their business insurance needs.

As Head of Cyber Insurance, Marc has responsibility for ensuring that the advice and products that Everywhen provides meet clients’ needs. Marc is a member of the British Insurance Brokers’ Association (BIBA) cyber technical committee.
