Marks & Spencer Cyberattack: What Happened and How to Stay Safe
In April 2025, UK retailer M&S faced a severe cyberattack by Scattered Spider, crippling online orders, payments, and stock systems. Hackers used social engineering to breach internal access, deploying ransomware that shut down services for days. The incident highlights the growing risk of social engineering and ransomware in retail. Key takeaway? Cybersecurity isn’t optional – it’s business-critical.
Toz Ali
5/10/2025 (7 min read)


In late April 2025, British retail giant Marks & Spencer (M&S) fell victim to a significant cyberattack that upended its business for weeks. The incident – attributed to a hacking group called Scattered Spider – forced M&S to shut down key services and left customers and staff facing widespread disruptions. In this blog post, we’ll break down what happened, who was behind it, how it affected shoppers, and how the hackers got in. We’ll also look at how M&S responded and share some practical tips to help individuals and businesses avoid similar attacks. Our goal is to explain the complex event in clear, simple terms for everyone to understand.
What Happened: Timeline of the Attack
M&S experienced a cascading series of issues as the cyberattack unfolded. Here’s a brief timeline of key events:
April 21, 2025 (Easter Monday): Customers began reporting trouble making contactless payments and using the “click-and-collect” online ordering service at M&S. Later that day, the company confirmed it was dealing with a “cyber incident”. This was the first public sign that something was wrong.
April 25, 2025: M&S took the drastic step of suspending all new online orders for its website and app. The retailer also pulled around 200 job listings offline. In physical stores, signs went up warning shoppers of limited product availability, and M&S could not process gift cards or handle product returns in its food halls. These measures showed the company was shutting down some systems to contain the attack.
April 28, 2025: Shoppers noticed some empty shelves and shortages of certain popular items in M&S stores. The disruptions behind the scenes were affecting store inventories. About 200 agency workers at M&S’s main distribution warehouse in Castle Donington were even told to stay home as the company grappled with the cyber incident.
April 30, 2025: London’s Metropolitan Police Cyber Crime Unit announced it was investigating the attack. M&S remained tight-lipped publicly, but bringing in the police underscored the seriousness of the situation.
Early May 2025: Nearly a week later, many services were still not back to normal. M&S’s website was partially up so customers could browse products, but online shopping remained unavailable and some in-store systems (like gift card payments) still weren’t working. The company did not give a specific timeline for full recovery, indicating they were still working “day and night” to resolve the issue.
Notably, M&S wasn’t the only UK retailer targeted around that time. Upmarket department store Harrods and the Co-op supermarket also reported cyberattacks in the same week, though details of those incidents were less clear. However, the M&S breach was one of the most disruptive, drawing national attention.
Impact on M&S Operations and Customers
For shoppers and employees, the cyberattack’s impact was impossible to miss. M&S had to curtail many of its normal services, which led to inconvenience and concern:
Payment and Ordering Problems: The most immediate effect was on payments – customers in stores couldn’t use contactless cards or mobile pay, and had to resort to chip-and-PIN or cash. Online shoppers found they couldn’t place orders at all, as the website’s checkout and click-and-collect services were shut down. This meant anyone trying to buy clothes or food from M&S online was out of luck for the duration of the outage.
Product Shortages: Because M&S temporarily took some systems offline as a safety measure, there were knock-on effects on stock management. Many stores experienced “pockets of limited availability” – essentially, some shelves went empty when the usual restocking and supply chain systems were disrupted. Shoppers around the country reported seeing certain popular items out of stock, an unusual sight for the well-stocked retailer.
In-Store Service Disruptions: Even in physical M&S stores, some services stopped working. For example, M&S could not accept its own gift cards or process returns in the food halls during the incident. Additionally, there were reports that loyalty card scanners and other digital tools used by staff were down as well. Employees had to revert to manual processes in some cases, and customers had to hold onto gift cards or return items at a later date.
Customer Frustration and Safety Concerns: Understandably, these problems caused frustration. Shoppers expecting quick checkouts or the convenience of online orders had to change plans. M&S’s reputation took a hit as news of the attack spread. The company’s stock price even fell sharply – more than £700 million was wiped off M&S’s market value within days of the incident becoming public. Despite the financial jolt, M&S emphasised that protecting customer data and restoring service were the top priorities. (As of now, M&S has not announced that any customer financial data was stolen in this attack, but investigations are ongoing. Authorities advised customers to keep an eye on their bank statements and update passwords as a precaution.)
In short, the cyberattack didn’t just hit M&S’s computers in some back office – it was felt by everyday shoppers who couldn’t use normal services, and it even affected the products on store shelves. It was a stark reminder of how deeply modern retailers rely on technology for every aspect of their operations.
Who Was Behind the Attack?
Cybersecurity experts quickly linked the M&S incident to a hacking collective known as Scattered Spider. While the name might sound whimsical, this group is regarded as one of the most aggressive and dangerous hacking outfits active today. Uniquely, Scattered Spider is not a single organised gang in one location – it’s best described as a loose network of hackers who frequently collaborate. Here’s what we know about them:
A Group of Young Hackers: Perhaps surprisingly, many members of Scattered Spider are teenagers or young adults. Investigations have found the group is made up of mostly young, English-speaking individuals, some as young as 16 years old. They often operate from the UK, US, and other English-speaking countries, communicating over hacker forums and chat platforms. This is quite different from the stereotype of foreign-state hackers; in fact, it appears these are tech-savvy youths who band together online.
Tactics Focused on Tricking People: Scattered Spider’s hallmark is exploiting the human element of security rather than just technical vulnerabilities. They use clever deception – known as social engineering – to fool people inside companies into giving them access. According to reports, this group employs tricks like phishing emails (fake messages that steal your login details), SIM swapping (hijacking your mobile phone number), and “MFA fatigue” attacks (sending a flurry of login approval requests to your phone hoping you’ll accidentally approve one). In other words, they often talk or trick their way past security, by impersonating trusted individuals or overwhelming users with prompts, instead of hacking in by brute force.
A Track Record of Big-Name Targets: Despite their youth, Scattered Spider members have been linked to more than 100 cyberattacks since 2022 across industries like telecom, finance, retail, and gaming. One of their most infamous exploits was against the casino industry. In 2023, members of the group breached the networks of Las Vegas giants MGM Resorts and Caesars Entertainment – in MGM’s case, reportedly by impersonating an employee on a help desk call. The damage was so severe that Caesars ended up paying roughly $15 million in ransom to get their systems back. This track record shows that Scattered Spider isn’t just focusing on one sector; they go after any large organisation that might pay a ransom.
Law Enforcement on Their Trail: Given their activities, law enforcement agencies in multiple countries are trying to crack down on Scattered Spider. There have been several arrests of individuals allegedly connected to the group in the US, UK, and even Spain over the past two years. In fact, just last month a suspected member was extradited from Spain to the US to face charges. However, because the group is decentralised (or “scattered” as the name suggests), arresting a few members hasn’t stopped the attacks entirely. New recruits or other collaborators often continue the hacking campaigns, and the group adapts quickly. It’s a bit of a cat-and-mouse game for investigators.
In the case of the M&S attack, all signs pointed to Scattered Spider’s involvement. Cybersecurity observers noted the tactics used matched this group’s style, and even the specific malware deployed has been tied to Scattered Spider affiliates. For a company like M&S, it’s chilling to realise the adversary wasn’t a lone hacker in a basement, but a network of savvy individuals skilled at both tech and trickery.
How Did the Attackers Gain Access?
You might be wondering: how did these hackers actually break into M&S’s systems in the first place? The answer is a textbook example of social engineering. According to multiple reports, the attackers got in by posing as M&S employees and fooling the company’s IT help desk. They impersonated employees, requested password resets, and gained access to internal systems.
Once inside, they stole sensitive authentication data, including password databases, and eventually deployed ransomware that encrypted M&S’s systems. This malware, believed to be a strain called “DragonForce”, paralysed M&S operations, forcing the company to shut down services as a containment measure.
Marks & Spencer’s Response and Recovery
M&S acted swiftly to contain the threat. It took systems offline, enlisted the help of cybersecurity firms, and began working with the UK’s National Cyber Security Centre and law enforcement. While some services remained unavailable for weeks, M&S communicated transparently with customers, reassuring them that personal data had not been compromised and promising full recovery.
How to Protect Yourself and Your Business
For Individuals:
Use strong, unique passwords and change them regularly.
Enable multi-factor authentication wherever possible.
Be cautious of phishing emails or suspicious phone calls.
Monitor bank statements and account activity for signs of fraud.
For Businesses:
Train staff on phishing and social engineering awareness.
Require verification before password resets or access changes.
Implement strong access controls and monitor for unusual activity.
Back up data regularly and have an incident response plan in place.
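As an added example (not part of the original post, and not a description of M&S's own tooling), the Python below shows what "monitor for unusual activity" can look like for two behaviours described above: an MFA approval that follows a burst of rejected or ignored prompts, and a help-desk password reset followed shortly by a sign-in from a new device. The event names, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

PUSH_WINDOW = timedelta(minutes=10)  # assumed tuning value
PUSH_THRESHOLD = 5                   # assumed: failed prompts before an approval
RESET_WINDOW = timedelta(hours=1)    # assumed tuning value

# Constructed sample events: (ISO timestamp, user, hypothetical event name).
SAMPLE_EVENTS = [
    ("2025-01-01T09:00:00", "alice", "mfa_push_denied"),
    ("2025-01-01T09:00:40", "alice", "mfa_push_denied"),
    ("2025-01-01T09:01:10", "alice", "mfa_push_timeout"),
    ("2025-01-01T09:01:50", "alice", "mfa_push_denied"),
    ("2025-01-01T09:02:30", "alice", "mfa_push_timeout"),
    ("2025-01-01T09:03:00", "alice", "mfa_push_approved"),
    ("2025-01-01T10:00:00", "bob", "helpdesk_password_reset"),
    ("2025-01-01T10:20:00", "bob", "login_new_device"),
    ("2025-01-01T11:00:00", "carol", "mfa_push_denied"),
    ("2025-01-01T11:00:30", "carol", "mfa_push_approved"),
    ("2025-01-01T12:00:00", "dave", "helpdesk_password_reset"),
    ("2025-01-01T15:00:00", "dave", "login_new_device"),
]

def detect(events):
    """Return sorted (user, rule) alerts for the two patterns described above."""
    failed = defaultdict(deque)  # user -> times of denied or timed-out prompts
    last_reset = {}              # user -> time of the last help-desk reset
    alerts = set()
    for ts, user, kind in sorted(events):  # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        if kind in ("mfa_push_denied", "mfa_push_timeout"):
            failed[user].append(t)
        elif kind == "mfa_push_approved":
            q = failed[user]
            while q and t - q[0] > PUSH_WINDOW:  # drop prompts outside the window
                q.popleft()
            if len(q) >= PUSH_THRESHOLD:
                alerts.add((user, "mfa_fatigue_approval"))
            q.clear()
        elif kind == "helpdesk_password_reset":
            last_reset[user] = t
        elif kind == "login_new_device":
            if user in last_reset and t - last_reset[user] <= RESET_WINDOW:
                alerts.add((user, "reset_then_new_device"))
    return sorted(alerts)

if __name__ == "__main__":
    for user, rule in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {user}")
```

An alert here is a prompt to contact the real account owner through a known-good channel, not proof of compromise; a single mistaken denial (carol) or a reset followed hours later by a new device (dave) stays below the assumed thresholds.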
Conclusion
The M&S cyberattack is a stark reminder that no organisation is immune to cyber threats. But with the right precautions – and by staying alert – individuals and businesses can reduce their risk and respond effectively when incidents occur. In today’s digital world, cyber vigilance is everyone’s responsibility.