Marks & Spencer (M&S) is grappling with the fallout from a significant cyber attack that has disrupted its operations and led to a staggering loss of market value. Reports indicate that the notorious hacking group known as Scattered Spider is behind this incident, which has forced the retailer to suspend its online shopping services for over a week.
The cyber attack first came to light on April 22, 2025, when M&S experienced severe disruptions to its contactless payment and click-and-collect services. This prompted the company to halt online sales entirely on April 25, leaving customers unable to shop online and resulting in empty shelves across some of its physical stores. As of now, M&S's core e-commerce infrastructure remains offline, although its website is accessible for browsing.
According to reports from BleepingComputer, Scattered Spider allegedly breached M&S's systems back in February 2025. The hackers reportedly stole an NTDS.dit file, the Active Directory database file that contains password hashes for M&S Windows accounts. This breach allowed the group to infiltrate the retailer's Windows domain and deploy a ransomware variant known as DragonForce on VMware ESXi hosts.
As a result of this attack, M&S has seen more than £700 million wiped off its stock market valuation, with ongoing losses mounting as the company struggles to regain normalcy in its operations. Despite the chaos, M&S has reassured customers that there is no immediate action required on their part, although the situation remains fluid.
Scattered Spider, which has been linked to other high-profile cyber incidents, is characterized by its loose structure and the age of its members, many of whom are teenagers. The group has gained notoriety for targeting large companies and their IT help desks, employing various tactics, including social engineering attacks, to gain access to sensitive information. Experts indicate that the group initially engaged in financial fraud before transitioning to data theft and extortion.
In 2023, Scattered Spider reportedly breached multiple organizations using social engineering attacks. Their previous targets include major corporations like MGM Resorts International and Caesars Entertainment, where they successfully deployed ransomware and extorted millions in ransom payments. In the case of MGM, the attack led to losses estimated at around $100 million, while Caesars was forced to pay $15 million to regain access to its systems.
Cybersecurity expert Professor Alan Woodward noted that the attack on M&S likely involved exploiting vulnerabilities in Active Directory, a Microsoft product that allows users to log in and access various systems. "There's a suggestion that they managed to get in and get one of the files out of there, which contains passwords," he explained. "They probably wouldn't have been able to get the passwords out of the file, but if they could get in that far, then they could probably do something to mess up the network." This insight underscores the sophistication of the attack and the potential for widespread disruption.
As M&S continues to deal with the ramifications of the cyber attack, the impact on its operations is palpable. The retailer has instructed agency warehouse staff to stay home rather than report to work at its clothing and homeware depot, further complicating its recovery efforts. The uncertainty surrounding the situation has left many wondering how long it will take for M&S to restore its services fully.
Industry insiders have expressed concern over the growing threat posed by Anglophone cybercriminals like Scattered Spider, who, despite lacking the structured organization of traditional Russian ransomware gangs, compensate with their aggression and bold tactics. Robert McArdle, director of forward threat research at Trend Micro, pointed out that Scattered Spider resembles hacktivist groups like Anonymous, as they assemble for individual attacks without a centralized command structure. This makes them particularly challenging to track and apprehend.
While M&S has sought assistance from cybersecurity firms such as Microsoft, CrowdStrike, and Fenix24 to investigate and respond to the attack, the immediate future remains uncertain. The retailer's decision to suspend online sales, which account for an average of £3.8 million a day, reflects the severity of the situation and the need to prioritize the security of its systems.
As the investigation unfolds, the potential for a ransom demand looms large. Criminal gangs typically demand ransoms ranging from several million to tens of millions of pounds to restore access to compromised systems. Although it remains unclear whether M&S has been formally held to ransom, sources suggest that a demand could be around £10 million.
In the wake of this incident, M&S is not alone in facing the threats posed by cybercriminals. All major UK retailers are now on high alert, as the implications of such attacks can be devastating, both financially and reputationally. The ongoing disruption to M&S's operations serves as a stark reminder of the vulnerabilities that exist in today's digital landscape.
As shoppers continue to navigate the challenges posed by the cyber attack, the resilience of M&S will be put to the test. The company had enjoyed a surge in customers, particularly in its food halls, prior to the attack. Unpublished figures from analysts at Kantar indicate that M&S outsold every other supermarket on food sales in the four weeks leading up to April 20, 2025. However, the recent turmoil raises questions about whether this momentum can be sustained in the face of such a significant setback.
In conclusion, the situation at Marks & Spencer highlights the growing threat of cyber attacks in the retail sector. As the company works to recover from the disruptions caused by Scattered Spider, the broader implications for the industry and the measures needed to bolster cybersecurity will undoubtedly come under scrutiny.