
Marks and Spencer Cyber Crisis Continues

Cyberscope: Security Insights

What happened?

In the early hours of Easter Saturday, 19 April 2025, unusual activity rippled across M&S payment and fulfilment systems. Click-and-Collect terminals froze, contactless payments timed out and stock-control dashboards lit up with error messages. By dawn, investigators realised they were dealing with a ransomware incursion—later tied to the Scattered Spider / DragonForce affiliate crew—seeded weeks earlier through a compromised third-party vendor. Three working days later M&S took the drastic step of pausing all online orders, isolating large chunks of its infrastructure and calling in the NCSC and law-enforcement specialists. (BBC, Reuters)

Timeline at a glance

Date               Key developments
19 Apr 2025 (Sat)  Card-payment glitches and Click-&-Collect failures surface; NCSC alerted
22 Apr             Forensic teams confirm ransomware, start removing infected hosts
25 Apr (Fri)       M&S suspends online orders across website & apps; job-application portal taken offline (BBC)
11 May             "DragonForce" claims responsibility in messages to media, threatens data leak
13 May             M&S admits customer data was stolen; share price already down 15 % since Easter (Reuters, The Times)
14 May             Google warns that the same crew is pivoting to U.S. retail targets (Reuters)
19 May             A month on: online shopping still dark; analysts tally £60 m+ lost profit and >£1 bn market-cap hit (Reuters)

Impact on customers, suppliers & operations

  • Digital blackout: One-third of clothing & home revenue normally flows through e-commerce. Daily takings of roughly £3.8 m vanished overnight, diverting shoppers to rivals. (BBC)

  • In-store ripple: Some food halls ran short of meal-deal items as replenishment systems stayed offline; suppliers reverted to pen-and-paper ordering to keep shelves stocked. (BBC)

  • Customer trust: Stolen contact details and order histories forced mass password resets and triggered phishing fears among millions of loyalty-card holders. (Reuters)

  • Market reaction: The share-price slide—about 14 %—wiped £1.15 bn from M&S’s valuation and shaved more than £1 m from CEO Stuart Machin’s incentive pay. (The Times)

The price tag

Deutsche Bank now pegs lost profit at ≈ £15 m per week, pushing the running bill past £60 million—well above the retailer’s cyber-insurance cap. With summer ranges stuck in limbo, every extra day offline deepens the dent. (Reuters)

Why it matters beyond M&S

  • Sector contagion: Google’s threat intel shows the attackers have already re-tooled for U.S. retailers, compressing disclosure-to-exploit time from weeks to days. (Reuters)

  • Third-party risk: Entry via an external provider mirrors tactics seen in other UK retail hacks, underlining how supply-chain trust is now the soft underbelly.

  • Board-level wake-up call: With brand damage persisting long after ransom negotiations end, cyber-resilience has become a material line item for investors and regulators alike.

Bottom line

Ransomware is no longer a “tech problem”; it is an operating-model hazard that can vaporise digital revenue streams for months and erase hard-won brand equity in days. Treat preparedness as a duty of care—or accept a place on the next breach headline.

Building Real-World Cyber-Resilience: Six Non-Negotiables

  1. Segment like lives depend on it. Ring-fence e-commerce, PoS and supplier portals; inspect east-west traffic continuously.

  2. Harden identity & email first. Universal MFA, conditional access, attachment sandboxing and strict DMARC are table stakes.

  3. Kill silent dwell-time. Deploy EDR plus 24 × 7 threat-hunting to spot living-off-the-land tooling before it pivots.

  4. Make backups immutable—and test them. Store gold-copy images offline; rehearse bare-metal recovery quarterly.

  5. Stress-test the business, not just the servers. Table-top scenarios must cover refund workflows, supply-chain work-arounds and media messaging.

  6. Track third-party exposure in real time. Continuous attack-surface management and contractual right-to-audit clauses reduce supplier blind-spots revealed in the M&S breach.
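Item 2 calls "strict DMARC" table stakes, and it is one of the few items above that can be verified mechanically. The script below is an added example, not code from this article or from Cyberscope: it parses a DMARC TXT record and reports whether the policy is genuinely strict (p=reject, applied to 100 % of mail, inherited by subdomains, with aggregate reporting switched on) or merely "monitor mode". The domain names and record strings are constructed for the illustration; in practice the record is fetched from the `_dmarc.<domain>` TXT entry in DNS, which is left out here so the check runs offline.

```python
"""Check whether a DMARC record is strict enough to stop spoofed mail.

Added example (not from the original article). Records below are constructed
samples, not any real domain's published policy.
"""

# Constructed sample records keyed by a made-up domain name.
SAMPLE_RECORDS = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@strict.example; adkim=s; aspf=s; pct=100",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "missing.example": None,  # no _dmarc TXT record published at all
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; return None if not a DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # The version tag is mandatory and must be first in a real record.
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Return a dict with 'strict' (bool), the effective 'policy' and a list of findings.

    'Strict' means: p=reject, pct=100 (or absent), subdomain policy also reject,
    and an aggregate-report (rua) address so failures are actually seen.
    Relaxed DKIM/SPF alignment is reported as a note but does not fail the check.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return {"strict": False, "policy": None,
                "findings": ["no valid DMARC record published"], "notes": []}

    findings, notes = [], []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"policy is '{policy or 'missing'}', not 'reject'")

    # pct defaults to 100; anything lower means the policy is only sampled.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) != 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail flow")

    # Subdomain policy inherits p= unless sp= overrides it.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(f"subdomain policy is '{sub_policy or 'missing'}', not 'reject'")

    if "rua" not in tags:
        findings.append("no rua= aggregate-report address; enforcement failures go unseen")

    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":
            notes.append(f"{tag} uses relaxed alignment (default); 's' is tighter")

    return {"strict": not findings, "policy": policy, "findings": findings, "notes": notes}


def report(records):
    """Assess every record and return {domain: assessment} for tooling to consume."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, result in report(SAMPLE_RECORDS).items():
        status = "STRICT" if result["strict"] else "WEAK"
        print(f"{domain:18} {status:6} policy={result['policy']}")
        for line in result["findings"] + result["notes"]:
            print(f"    - {line}")
```

Run against your own sending domains and any supplier domains that routinely email staff; a p=none record on a trusted partner is exactly the gap that the vendor-borne phishing described above exploits.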
