Incident Timeline & Operational Impact
- In April 2025, over the Easter weekend, M&S suffered a severe ransomware cyber-attack, which originated via social engineering directed at its IT helpdesk, allegedly involving impersonation and credential resets. This gave attackers access to critical systems through a third-party service provider. The breach halted contactless payments, online orders, and click-and-collect services from 25 April.
- Online home delivery began to partially resume on 10 June, while full click-and-collect services were only restored in August, approximately 15 weeks after the attack. Throughout, operations remained substantially disrupted, resulting in product shortages and continued service delays.
Data Exposure & Customer Impact
- M&S confirmed that personal customer data was stolen, including names, email addresses, postal addresses, phone numbers, dates of birth, household information, Sparks Pay references, and online order histories. Importantly, no usable payment card details or account passwords were compromised.
- There is currently no evidence that the stolen data has been shared publicly, though concerns remain due to the volume and sensitivity of the information. The compromised data can still facilitate phishing, identity fraud, and social engineering.
Attribution & Financial Consequences
- The attack has been linked to the DragonForce ransomware group, possibly affiliated with Scattered Spider, known for targeting major UK services. Four suspects were later arrested by the National Crime Agency (NCA).
- M&S has estimated the financial impact of the incident at £300 million in lost operating profit for the 2025/26 financial year, partially offset by cyber-insurance—including coverage from Allianz and Beazley plc. Additionally, the company’s market value dropped by over £1 billion following the breach.
- In response, M&S is accelerating its digital transformation, reviewing third-party security governance, and investing in infrastructure resilience.
Customer Guidance & Remedial Actions
- M&S customers have been encouraged to reset their account passwords as a precaution, even though credentials were not breached.
- Security advisors have warned that leaked personal data may be used to facilitate scams and phishing. M&S has not recommended immediate action but advises vigilance for suspicious communication.
- The incident led government bodies—the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC)—to emphasise stricter security standards and incident preparedness for retailers and their third-party vendors.

| Category | Details |
|---|---|
| Attack Period | Easter weekend, April 2025 |
| Interruption Length | Services down from 25 April; full click-and-collect restored mid-August |
| Data Exposed | Names, contact details, DOBs, order histories; no passwords or card data |
| Attribution | DragonForce / Scattered Spider; NCA made arrests |
| Financial Loss | Approx. £300m profit hit; >£1bn market value drop; partial insurance compensation |
| Customer Impact | Reassurance emails sent; customers advised to reset passwords; no evidence the stolen data has been shared |
| Sector Implications | Highlights third-party risk; led to calls for better cyber resilience and disclosure standards |

Key Takeaways
- The attack exposed systemic vulnerabilities in M&S’s vendor and helpdesk controls, demonstrating the potency of social-engineering-based cyber-attacks.
- While financial and operational recovery is underway, the breach underscores significant reputational and regulatory risks.
- Customers must remain vigilant for phishing and identity fraud attempts using the compromised data.
- The incident has become a high-profile case for cyber-security reform in UK retail—emphasising the need for robust third-party oversight and incident preparedness.