Marks & Spencer took a massive blow to its online store and was expected to suffer a loss of 300 million in revenue, with online services thought to be disrupted until July.
Over the Easter holidays 2025, Marks and Spencer, a renowned British multinational retailer, faced a major ransomware attack that disrupted its operations and compromised customer data. This blog post delves into the details of the cyberattack, its financial repercussions, and the steps M&S is taking to recover and prevent future incidents.
Incident Overview:
The cyberattack occurred over the Easter weekend and was described as highly sophisticated and targeted. Marks & Spencer proactively shut down some systems to contain the breach, leading to a temporary suspension of online shopping services. The disruptions were expected to last through July 2025.
Operational Disruption Overview:
The attack had a significant impact on Marks & Spencer’s operations. Online shopping services were temporarily suspended, affecting the availability of food, fashion, and home goods. Customers reported empty shelves and delayed deliveries.
Customer Data Compromised:
The cyberattack resulted in the theft of some personal customer data, including names, addresses, contact details, and order history. Marks & Spencer confirmed that payment information and passwords were not compromised but urged customers to remain vigilant.
Financial Impact:
The financial impact of the cyberattack on Marks & Spencer is substantial. The company is projected to lose approximately £300 million (around $400 million USD) in profits. This includes losses from reduced online sales, supply chain disruptions, and recovery efforts.
Financial Summary:
| Category | Estimated Loss (in £) | Estimated Loss (in $) |
|---|---|---|
| Reduced Online Services | £150 Million | $200 Million |
| Supply Chain Disruptions | £100 Million | $133 Million |
| Recovery Efforts | £50 Million | $67 Million |
| Total | £300 Million | $400 Million |
Response and Recovery Efforts:
In response to the cyberattack, Marks & Spencer is accelerating its technology improvement plan, originally set for two years, to be completed in six months. The company is investing in infrastructure, cybersecurity, and supply chain resilience to prevent future incidents.
Recovery Plan Summary:
| Initiative | Description | Timeline |
|---|---|---|
| Technology improvements | Accelerating technology upgrades | 6 Months |
| Cybersecurity investments | Enhancing cybersecurity measures | Immediate |
| Supply Chain Resilience | Strengthening supply chain management | Ongoing |
Who Pulled Off The Hack:
Scattered Spider is a cybercriminal group composed largely of young hackers from the United States and the United Kingdom, known for their expertise in social engineering and ransomware attacks. The group gained notoriety in 2023 after successfully breaching the internal systems of both MGM Resorts International and Caesars Entertainment.
This group is infamous for its advanced social engineering tactics, including phishing, SIM swapping, and multi-factor authentication (MFA) fatigue attacks, which they likely used to gain initial access to M&S’s systems as early as February 2025. Once inside, the attackers exfiltrated the NTDS.dit file, a critical Windows Active Directory component containing hashed credentials, allowing them to crack passwords offline and escalate their privileges.
With administrative access, they moved laterally through the network, identifying key systems before deploying DragonForce ransomware on April 24, 2025. This ransomware encrypted M&S’s VMware ESXi servers, effectively crippling online orders, warehouse logistics, and even in-store contactless payments. The motive behind the attack was financial, with the attackers demanding a ransom, although M&S has not publicly confirmed whether any payment was made.
The breach led to the exposure of personal customer data, including names, addresses, and purchase histories, though no payment or password data was compromised. The attack caused significant operational disruption and financial loss, with M&S’s market valuation dropping by nearly £700 million in the aftermath.
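The MFA fatigue tactic mentioned above leaves a recognizable trace in authentication logs: a burst of denied or unanswered push prompts for one user, followed by an approval. The following detection sketch is an added example, not code from M&S or any vendor; the log format, the field names, the sample events and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): "timestamp user result source_ip"
SAMPLE_LOG = """\
2025-02-10T02:14:05 jsmith DENIED 203.0.113.7
2025-02-10T02:14:40 jsmith TIMEOUT 203.0.113.7
2025-02-10T02:15:12 jsmith DENIED 203.0.113.7
2025-02-10T02:16:01 jsmith DENIED 203.0.113.7
2025-02-10T02:17:30 jsmith APPROVED 203.0.113.7
2025-02-10T09:00:11 akhan DENIED 198.51.100.20
2025-02-10T09:00:45 akhan APPROVED 198.51.100.20
2025-02-10T11:30:00 jsmith APPROVED 192.0.2.15
"""

def parse(log_text):
    """Yield (time, user, result, ip) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2].upper(), parts[3]

def detect_mfa_fatigue(log_text, min_rejected=3, window=timedelta(minutes=10)):
    """Flag approvals preceded by >= min_rejected denied or unanswered
    pushes for the same user inside the time window (assumed thresholds)."""
    rejected = defaultdict(deque)  # user -> times of recent DENIED/TIMEOUT
    alerts = []
    for ts, user, result, ip in sorted(parse(log_text)):
        recent = rejected[user]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop prompts that fell out of the window
        if result in ("DENIED", "TIMEOUT"):
            recent.append(ts)
        elif result == "APPROVED":
            if len(recent) >= min_rejected:
                alerts.append({"user": user, "approved_at": ts.isoformat(),
                               "rejected_before": len(recent), "source_ip": ip})
            recent.clear()  # an approval resets the streak
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, only the 02:17 approval for jsmith is flagged; the single mistyped-then-approved prompt for akhan and the later routine login are not.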
Conclusion:
The Marks & Spencer cyberattack serves as a stark reminder of the vulnerabilities that even major retailers face in today’s digital age. The financial and operational impact of the attack is significant, but M&S’s proactive response and recovery efforts demonstrate its commitment to safeguarding its operations and customer data. As the company accelerates its technology improvement plan and invests in cybersecurity, it aims to emerge stronger and more resilient against future threats. Please see our other blog to get a deeper understanding of why cybersecurity is so important.