Marks & Spencer (M&S), one of the UK's retail giants, has been grappling with the fallout of a devastating cyber attack that has shaken its operations and exposed sensitive customer data. The ransomware group DragonForce, responsible for the breach, sent a brazen and abusive email directly to M&S CEO Stuart Machin on April 23, 2025, taunting the company and demanding ransom payment. This email, sent from an employee's account, confirmed for the first time the involvement of DragonForce in the attack, which has cost M&S an estimated £300 million and severely disrupted its business.
The hackers' message, written in broken English and laced with racial slurs, declared, "We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers." They directed Machin to their darknet website, where negotiations for ransom could begin. The email was not only sent to Machin but also to seven other senior executives, amplifying the intimidation.
DragonForce claimed to have installed ransomware across M&S's IT infrastructure, rendering systems inoperable, and boasted about stealing private data belonging to millions of customers. Personal information such as names, email and postal addresses, and dates of birth was reportedly compromised. Nearly three weeks after the initial breach, M&S informed customers of the potential data theft, though the company has remained tight-lipped about whether it has paid any ransom.
Complicating the breach was the involvement of Tata Consultancy Services (TCS), an Indian IT giant that has provided IT services to M&S for over ten years. The extortion email appears to have been sent from the account of a TCS employee based in London, who holds an M&S email address but is a TCS contractor. It seems this individual was himself a victim of the hack. While TCS is investigating whether it served as the gateway for the attack, the company insists the threatening email was not sent from its systems and denies involvement in the breach.
The impact on M&S has been profound. Since the Easter weekend, the retailer has been unable to process online orders, with disruption expected to last until at least July 2025. Physical stores have experienced empty shelves, and the company faces ongoing operational challenges. The chairman of M&S, Archie Norman, acknowledged the severity in the company’s annual report, stating the consequences of the hack are likely to "endure for some weeks, or even months." Yet he expressed confidence that the incident would eventually be seen as "a bump in the road along the path to growth."
Meanwhile, CEO Stuart Machin, who has helmed the company since 2022, recently saw his pay package surge by 39% to £7.1 million for the year ending March 2025. This increase was driven by performance-linked bonuses tied to the company’s strong trading results prior to the cyber attack. Machin’s remuneration includes £4.6 million in long-term performance-based bonuses, £1.6 million in annual bonuses, and approximately £894,000 in fixed pay and pension benefits. The remuneration committee did not factor in the cyber attack when deciding this package, as the breach occurred after the fiscal year ended, but it will be considered in future pay assessments.
Despite the turmoil, M&S has continued to invest in its workforce, making its largest ever investment in store colleague pay and awarding bonuses to over 5,000 employees, including store managers. The company also increased dividends to shareholders, reflecting confidence in its long-term prospects.
The cyber attack on M&S is not an isolated incident. DragonForce has also claimed responsibility for a similar ransomware attack on the Co-op supermarket chain, which began around the same time in late April 2025. The Co-op suffered extensive disruption, with empty shelves and operational challenges lasting weeks. Both attacks have been linked to a broader wave of cyber crime targeting UK retailers.
DragonForce operates a darknet platform offering ransomware services to affiliates worldwide, taking a 20% cut of any ransom payments. While some researchers speculate the group may be based in Malaysia or Russia, their email to M&S implied Chinese origins. Intriguingly, cybersecurity experts have suggested that a loosely connected collective known as Scattered Spider—composed of young hackers from the US and UK—might be behind the affiliate attacks on M&S, Co-op, and even Harrods. The UK’s National Crime Agency has confirmed that Scattered Spider is a key focus of its investigations.
Attempts to directly engage with the hackers have been met with evasiveness. When BBC reporters contacted the Co-op hackers, they declined to confirm any affiliation with Scattered Spider. Two of the hackers, adopting the pseudonyms "Raymond Reddington" and "Dembe Zuma"—names borrowed from the US crime thriller The Blacklist—boasted, "We're putting UK retailers on the Blacklist." This chilling message underscores the boldness and brazenness of these cyber criminals.
While smaller cyber attacks on UK retailers have continued, none have matched the scale or impact of the assaults on M&S, Co-op, and Harrods. The ongoing investigations by the UK’s national cyber-crime unit aim to unravel these complex networks and bring perpetrators to justice, but the challenge remains immense given the global and decentralized nature of these hacker communities.
For M&S, the road to recovery is still long. The company is working to restore its online services and rebuild customer trust amid the lingering effects of the attack. As Machin navigates these turbulent waters, balancing operational recovery with leadership responsibilities, the retail giant’s experience serves as a stark reminder of the vulnerabilities facing even the most established institutions in today’s digital age.