In late April 2025, Marks & Spencer suffered a cyberattack which disrupted both its online operations and in-store services. Customers were unable to purchase from the M&S website, while some shelves were left bare in M&S stores across the UK. The company’s market capitalisation dropped by £1 billion,[1] and customer data was allegedly stolen by the cybercriminals.
But what kind of cyberattack was it, and why did it happen?
What happened during the M&S cyberattack
M&S chief executive, Stuart Machin, said his team had first spotted "suspicious activity" over the Easter weekend.[2] M&S had been targeted in a cyberattack that had scrambled the company's servers, forcing the team to take down its online system in order to protect the store and customers. It is expected that the online ordering system will not be back to normal until July.
The cyberattack was revealed to be a ransomware attack. This type of attack prevents you from accessing your data, usually by encrypting your files; the cybercriminals then demand a ransom in exchange for decrypting them.
Impact on M&S operations
Customers first noticed problems when they found themselves unable to use Click & Collect or contactless payments in-store. They were also unable to order items from the M&S website, and stock availability in-store was disrupted.
M&S estimates that the cyberattack will impact 2025’s profits by roughly £300m.[3]
Customer data and security
M&S confirmed that the following customer data could have been stolen from its systems:
- Name
- Date of birth
- Telephone number
- Home address
- Email address
- Online order history [4]
However, any card payment data that was compromised would be unusable, as M&S does not hold full card payment details on its systems.
While M&S has said customers do not need to take any action, the company stated that users will be prompted to reset their password for their online account. They also issued a reminder that M&S will never contact customers to ask for personal account information like usernames or passwords.
Lisa Barber,[5] tech editor at consumer group Which?, advised that customers should change their passwords as soon as possible, and that customers should use different passwords for different websites. Read our guide on how to create strong passwords.
Who carried out the cyberattack?
Detectives have been looking into a hacking group named Scattered Spider,[6] believed to be made up of English-speaking teens and young adults from the UK and USA. The group used an affiliate cybercrime service named DragonForce to carry out the ransomware attack, targeting a third party who works with M&S - the Indian IT giant Tata Consultancy Services.
The hackers used social engineering to gain access to the systems. Social engineering means tricking an employee into giving out passwords or login access, usually by posing as someone trustworthy.
What are the broader implications of the cyberattack?
M&S’s loss in profits - about 30% of their yearly estimate[7] - shows the damage a ransomware attack can do to a company. The fact that it impacted not only their online business, but payments and stock in-store, also demonstrates how far the damage can stretch. Thankfully, as the company had cyber insurance in place, some of the damage will be mitigated. M&S have also stated that they will be cutting costs to recoup their losses, which indicates they had a plan in place in the event that a cyberattack occurred.
Businesses should stay aware of the danger of social engineering when it comes to hackers. Whether your online systems are managed in-house or by a third party, employees should be aware of the tricks and scams that hackers attempt to pull, such as phishing emails.
Why it's important to take out cyber insurance as part of your cyber protection strategy
As mentioned, M&S luckily had cyber insurance in place, which will help them to alleviate the damage to their profits caused by the hackers. Along with a cyber protection strategy, this should hopefully see them resume normal operations and recoup their losses.
Cyber insurance can help your business get back on track if you’re targeted by cybercriminals. To find out more, speak to your usual Towergate adviser.
Sources
[1] techradar.com/pro/security/m-and-s-hack-may-have-been-caused-by-security-issues-at-indian-it-giant-tata-consultancy-services
[2] bbc.co.uk/news/articles/c93llkg4n51o
[3] bbc.co.uk/news/articles/c0el31nqnpvo
[4] bbc.co.uk/news/articles/c62v34zv828o
[5] bbc.co.uk/news/articles/c62v34zv828o
[6] dailysecurityreview.com/security-spotlight/marks-spencer-cyberattack-tied-to-scattered-spider-ransomware-group
[7] bbc.co.uk/news/articles/c0el31nqnpvo
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems, we recommend that professional advice be sought.