In a significant cyberattack that has disrupted operations at Marks & Spencer (M&S), the notorious hacking group known as Scattered Spider has been implicated. This group, which is primarily composed of teenagers and young adults based in the UK and the US, has a history of targeting high-profile companies and demanding hefty ransoms. Reports indicate that the ransomware attack, which began affecting M&S's systems on April 21, may demand as much as £10 million to restore access to the retailer's compromised IT infrastructure.
According to technology outlet BleepingComputer, the cyber incident has caused widespread disruption across M&S's 1,049 stores throughout the UK. The attack initially impacted the retailer's contactless payment systems and click-and-collect order processing, forcing M&S to temporarily suspend online orders through its website and mobile applications starting April 25, 2025. The company has stated that it is working diligently to restore online and app shopping, although it has not provided a specific timeline for resolving the issues.
In response to the attack, M&S has enlisted the help of cybersecurity firms including CrowdStrike, Microsoft, and Fenix24 to investigate the breach and mitigate further damage. The hackers are believed to have infiltrated the company’s IT network as early as February 2025, stealing critical data, including password files. Reports suggest that attackers accessed the NTDS.dit file, a vital component of the Windows domain that contains password hashes, enabling unauthorized access to the network.
Scattered Spider is notorious for its advanced social engineering techniques, which include phishing and multi-factor authentication fatigue attacks. The group has evolved from its initial focus on financial fraud and social media hacks to executing more complex extortion schemes targeting corporations. In a notable incident in September 2023, Scattered Spider successfully breached MGM Resorts through social engineering tactics.
Tyler Robert Buchanan, a 23-year-old Briton, has been identified as the alleged leader of Scattered Spider. He was arrested at a Spanish airport last June and is believed to have orchestrated the hacking of Caesars Entertainment and MGM Resorts International. Along with four American men, all under 25, Buchanan was charged earlier this month. The group's members, primarily English-speaking young men, coordinate their activities via hacker forums and messaging platforms like Telegram and Discord.
Despite law enforcement efforts to dismantle Scattered Spider, including several arrests in the US, UK, and Spain, the group's decentralized structure poses challenges in tracking and apprehending its members. Cybersecurity experts have noted that while the group is linked to a darker online community known as The Com, which engages in depraved activities for online prestige, Scattered Spider appears to be more motivated by financial gain.
Aiden Sinnott, a senior threat researcher with cybersecurity company Sophos, describes Scattered Spider as a “nihilistic” part of a broader online subculture that engages in troubling activities. He explains that the group operates without a traditional hierarchy, making it difficult to pinpoint who is behind its actions. The group's activities have not only caused significant disruptions for M&S but have also resulted in a decline in the retailer's stock value, with shares dropping nearly 7% since news of the breach emerged.
The impact of the cyberattack has been felt across M&S's operations, with reports of empty shelves in some stores, as the company struggles to manage the fallout from the incident. M&S has advised its logistics staff to stay at home, further complicating the retailer's recovery efforts. The company has not commented on the specifics of the attack or when it expects to resume normal operations.
The incident has raised concerns about the vulnerability of major retailers to cybercrime, particularly as hackers increasingly target corporations for extortion. Industry experts stress the importance of robust cybersecurity measures to protect sensitive data and maintain operational continuity in the face of such threats. As M&S navigates this challenging situation, the broader implications of the attack on the retail sector will likely continue to unfold.
In conclusion, the ongoing investigation into the cyberattack on Marks & Spencer underscores the persistent threat posed by sophisticated hacking groups like Scattered Spider. As companies increasingly rely on digital infrastructure, the need for comprehensive cybersecurity strategies has never been more critical.
