Learning from 2025: Inside the M&S Cyber Crisis

In April 2025, M&S confirmed it was the victim of a major cyberattack that disrupted business operations, especially online sales.

Marks & Spencer (M&S) is one of the UK’s largest retailers, operating:

  • ~1,000 UK stores
  • A complex omnichannel model (stores, online, click & collect)
  • Highly integrated warehouse, logistics, payments, and customer data systems

That integration—normally a strength—became a single point of failure during the attack.


Timeline — What Actually Happened

Initial Breach (March–April 2025)

Attackers gained legitimate access credentials rather than exploiting software bugs. This was crucial.

Investigators believe the entry point involved:

  • Social engineering (impersonating staff or IT support)
  • Compromised help-desk / service-desk access
  • Possible third-party credentials tied to IT operations

Once inside, attackers moved laterally across M&S systems.


Stealth Phase — “Living off the Land”

Instead of immediately deploying ransomware, attackers:

  • Mapped internal networks
  • Identified Active Directory privileges
  • Located high-value systems (order management, logistics, customer data)
  • Copied data externally (data exfiltration)

This phase likely lasted weeks, which is why the impact was so widespread.
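The intrusion pattern described in the Initial Breach and Stealth Phase sections (help-desk-assisted credential access, then discovery of Active Directory privileges) leaves a recognisable trail in identity audit logs. The following is an added example, not code from the article or from M&S, of a correlation rule a defender could run over such logs: a help-desk-initiated password reset, followed quickly by enrolment of a new MFA device, followed by addition to a privileged group. The log format, the `helpdesk.svc` service-account name, the time windows and all sample events are constructed assumptions for illustration.

```python
"""Correlate identity-audit events to flag a help-desk-driven account-takeover chain.

Added example (not the article's or M&S's own code). Log format, field names,
the assumed help-desk service account and the sample events are all constructed.
"""
import shlex
from datetime import datetime, timedelta

# Constructed sample audit lines: "<timestamp> key=value ..." (values may be quoted).
SAMPLE_EVENTS = [
    '2025-04-17T09:02:11Z actor=helpdesk.svc action=password_reset target=j.smith channel=phone',
    '2025-04-17T09:09:40Z actor=j.smith action=mfa_device_registered target=j.smith device="new phone"',
    '2025-04-17T09:15:02Z actor=j.smith action=group_added target=j.smith group="Domain Admins"',
    '2025-04-17T10:30:00Z actor=helpdesk.svc action=password_reset target=a.jones channel=ticket',
    '2025-04-18T11:00:00Z actor=a.jones action=mfa_device_registered target=a.jones device="new phone"',
    '2025-04-17T12:00:00Z actor=b.lee action=group_added target=b.lee group=Sales',
]

HELPDESK_ACTORS = {"helpdesk.svc"}            # assumed account the help desk resets passwords with
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
RESET_TO_MFA = timedelta(minutes=30)          # reset followed quickly by a new MFA device
MFA_TO_PRIV = timedelta(hours=24)             # then a privileged group change


def parse_event(line):
    """Parse one audit line into a dict with a timezone-aware 'ts' plus its key=value fields."""
    ts, *pairs = shlex.split(line)             # shlex keeps quoted values as one token
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def detect_helpdesk_takeover(lines):
    """Return one alert per help-desk reset that is followed by MFA enrolment within
    RESET_TO_MFA; severity is 'high' if a privileged group is added within MFA_TO_PRIV."""
    by_target = {}
    for event in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        by_target.setdefault(event["target"], []).append(event)

    alerts = []
    for target, events in by_target.items():
        for reset in events:
            if reset["action"] != "password_reset" or reset["actor"] not in HELPDESK_ACTORS:
                continue
            mfa = next((e for e in events
                        if e["action"] == "mfa_device_registered"
                        and reset["ts"] < e["ts"] <= reset["ts"] + RESET_TO_MFA), None)
            if mfa is None:
                continue                       # a reset alone is routine help-desk work
            priv = next((e for e in events
                         if e["action"] == "group_added"
                         and e.get("group") in PRIVILEGED_GROUPS
                         and mfa["ts"] < e["ts"] <= mfa["ts"] + MFA_TO_PRIV), None)
            evidence = [reset["ts"].isoformat(), mfa["ts"].isoformat()]
            if priv:
                evidence.append(priv["ts"].isoformat())
            alerts.append({
                "target": target,
                "severity": "high" if priv else "medium",
                "evidence": evidence,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_takeover(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, only `j.smith` is flagged (reset, new MFA device seven minutes later, then "Domain Admins" membership), while `a.jones`, whose MFA enrolment came a day after the reset, and `b.lee`, who joined a non-privileged group, produce no alert. The windows are deliberately short so the rule is specific to the chain rather than to any single, individually legitimate help-desk action.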


Detonation Phase (Late April 2025)

When M&S detected unusual activity, it:

  • Shut down affected systems proactively
  • Took online ordering offline
  • Disabled Click & Collect
  • Isolated warehouses and supply chain IT

This wasn’t just an outage — it was a controlled shutdown to stop ransomware spreading.


Who Was Behind It?

Scattered Spider

Security firms and law enforcement linked the attack to Scattered Spider, a loose but highly capable cybercriminal collective known for:

  • Social-engineering attacks
  • Targeting retail, hospitality, and aviation
  • Exploiting help desks rather than malware flaws

They have been linked to multiple high-profile UK and US retail breaches.


Why the Impact Was So Severe

1. Retail Systems Are Deeply Interconnected

In modern retail:

  • Online orders connect to warehouses
  • Warehouses connect to store stock systems
  • Customer accounts connect to logistics and marketing

When M&S isolated systems, everything downstream broke.


2. Manual Processes Aren’t Scalable

M&S attempted workarounds:

  • Paper-based stock management
  • Local store fixes
  • Limited in-store ordering

These worked temporarily but couldn’t handle national-scale demand.


3. Data Safety > Speed

M&S prioritized:

  • Preventing ransomware encryption
  • Protecting payment systems
  • Preserving evidence for regulators and insurers

This meant longer downtime, but avoided a worse outcome.


Customer Data — What Was Exposed?

M&S confirmed attackers accessed:

  • Names
  • Contact details
  • Order history

They did NOT access:

  • Payment card numbers
  • Passwords (hashed & salted)
  • Bank details

Customers were still asked to reset passwords as a precaution.


Financial & Business Impact

Financial Damage

  • First-half profits were heavily reduced
  • Lost online sales for weeks
  • Incident response, forensics, legal, and recovery costs

Total impact was estimated in the hundreds of millions of pounds.


Operational Disruption

  • Warehouses reverted to manual picking
  • Delays in clothing and food distribution
  • Competitive advantage shifted temporarily to rivals

Third-Party & Supply Chain Fallout

IT Services Scrutiny

M&S reviewed third-party access policies and later ended parts of its relationship with Tata Consultancy Services, which had provided IT support functions (timing and causality disputed).

The incident became a case study in supply-chain cyber risk.


How M&S Recovered

Technical Recovery

  • Full rebuild of core systems
  • Credential resets across the organisation
  • Enhanced identity verification for help desks
  • Zero-trust access controls

Service Restoration

  • Online ordering restored by mid-June 2025
  • Click & Collect returned later in summer
  • Gradual return to normal logistics operations

Why This Attack Matters

This incident:

  • Changed how UK retailers view social-engineering risk
  • Highlighted the danger of trusted access abuse
  • Accelerated investment in identity security over perimeter security
  • Influenced regulators discussing stricter cyber-resilience rules

Key Takeaways

  • This was not a simple hack — it was a long-planned intrusion
  • Humans (credentials, trust, access) were the weakest link
  • Shutting systems down saved M&S from a worse ransomware outcome
  • Retail cybersecurity is now treated as national-scale infrastructure risk