30 April 2025

Marks And Spencer Faces Ongoing Crisis After Cyber Attack

The retailer grapples with empty shelves and lost sales as hackers disrupt operations.

Marks and Spencer (M&S), one of the UK's largest retailers, is facing a significant crisis following a cyber attack that has disrupted its operations for over a week. The attack, believed to be linked to a notorious hacking group known as Scattered Spider, has resulted in millions of pounds in losses and left many customers frustrated with empty shelves in stores.

The chaos began on April 22, 2025, when M&S first revealed that its online ordering systems had been compromised, which led to a drastic drop in its share price from 411p to 383p. In the wake of the attack, M&S announced on April 25 that it would pause all orders through its website and app, a move that has left customers unable to make purchases online for several days. The company has stated that it is working hard to restore services, but as of April 29, there is still no clear timeline for when online ordering will resume.

According to security experts, the ransomware used in the attack is believed to be from a group called DragonForce. This group is known for allowing other hackers to utilize their malicious software for a cut of the ransom. The attack has not only disrupted M&S’s online operations but has also impacted its in-store inventory, with reports of limited food availability in some locations. This disruption comes at a time when M&S had been performing well, with grocery spending increasing by 14.4% year-on-year as of April 20, 2025.

Cybersecurity expert Professor Alan Woodward from Surrey University explained that the complexity of M&S's systems makes recovery from such attacks a lengthy process. "Everything from knowing what has been sold, hence what needs replenishing, to taking card payments is very dependent on complex systems… it will take significant time and expertise to analyze and ensure they have expelled the hacker," he said. Lisa Forte, a partner at the cybersecurity firm Red Goat, echoed this sentiment, stating that expecting a quick recovery is unrealistic.

Dan Card, a cyber expert at BCS, described the ransomware incident as akin to a "digital bomb" going off, emphasizing the technical and logistical challenges involved in recovering from such an event. The longer a cyber incident persists, the more likely it is to be ransomware, which typically locks users out of their systems and demands a fee for restoration. M&S has not disclosed any ransom demands nor commented on the specifics of the attack.

Investigators have pointed fingers at Scattered Spider, a group of teenage hackers believed to be responsible for several high-profile attacks, including one on MGM Resorts in 2023. This group is notorious for its aggressive tactics and has been linked to various cyber incidents involving significant financial losses. Rik Ferguson, a special advisor to Europol's European Cyber Crime Centre, noted that while M&S has stated that no action is required from customers, it is advisable for those who may have reused their M&S account credentials on other services to change their passwords.

As M&S grapples with the fallout from the attack, the company has temporarily sent home around 200 agency staff at its main online distribution center in Leicestershire, further complicating its recovery efforts. The impact of the cyber attack has already resulted in a loss of approximately £700 million in market value, and the uncertainty surrounding the situation has left investors anxious.

Jane Foley, head of FX strategy at Rabobank, highlighted the urgency for M&S to communicate positive news to investors to stabilize their confidence. "Some investors are thinking enough is enough. About £700m has been wiped off the value of Marks and Spencer on the stock market... they really do need to come through with some positive news fast to stop investors getting too nervous," she said.

As customers express their frustrations over the ongoing disruption, M&S has acknowledged the issues and promised to keep customers informed. In a recent statement, the company said, "As part of our proactive management of the incident, we have made the decision to pause taking orders via our UK & Ireland websites and apps and some M&S International operated websites." They also reassured customers that their stores remain open and that they are committed to restoring online operations as soon as possible.

Despite the challenges, there are signs of resilience as M&S shares saw a slight increase recently, marking the first rise since the cyber attack began. However, the company remains under pressure as it tries to navigate the complexities of restoring its systems while managing customer expectations and maintaining its market position.

In the wake of the attack, some stores have displayed signs indicating limited availability, with reports of empty shelves and reduced stock levels. Customers have taken to social media to voice their frustrations, with some claiming to have driven long distances only to find stores lacking essential items.

M&S's ongoing struggle to recover from the cyber attack serves as a stark reminder of the vulnerabilities faced by major retailers in an increasingly digital world. As the situation continues to unfold, both the company and its customers are left to navigate the uncertainty and challenges posed by this significant cyber incident.