The Ultimate Guide To Cybersecurity In The Real World. - Register Here
The Ultimate Guide To Cybersecurity In The Real World. - Register Here
Schedule a Consultation
Hoplon InfoSec Logo
  • Products
  • Services

Hoplon Infosec · Threat Intelligence

Cybersecurity Breach of Mark and Spencer Costs £100M

ByHoplon Infosec
Published17 May, 2025
Cybersecurity Breach of Mark and Spencer Costs £100M
Hoplon Infosec17 May, 2025

In April 2025, one of the UK’s most iconic retailers, Marks & Spencer (M&S), fell victim to a devastating cyberattack that disrupted business operations, exposed customer data, and triggered a monumental insurance claim of up to £100 million. This high-profile incident not only shocked millions of loyal customers but also underscored the growing threat of ransomware attacks on the global retail sector.

The breach, linked to the ransomware group DragonForce, has had wide-reaching effects from operational downtime and financial loss to intense public scrutiny and strategic cybersecurity reforms.

How the Cyberattack Unfolded

The cyberattack struck over the Easter bank holiday weekend, beginning on April 19, 2025. M&S publicly acknowledged the attack on April 22, revealing that its digital systems had been severely compromised. Customers trying to place orders through the website or mobile app were met with delays, errors, or complete service blackouts.

Initial investigations pointed to a third-party contractor as the likely entry point for the hackers. The attackers reportedly used sophisticated social engineering techniques to manipulate IT helpdesk staff into resetting internal passwords, allowing the threat actors to gain high-level access to critical systems within M&S’s digital infrastructure.

The malicious group operated undetected for approximately 52 hours, launching a five-day cyber assault that disrupted core services, including online orders, inventory systems, and internal communications.

What Data Was Stolen at the big Cybersecurity Breach of Mark and Spencer?

On May 13, Marks & Spencer revealed that the hackers had exfiltrated personal details of up to 9.4 million customers. While sensitive financial data such as payment card details and passwords were reportedly untouched, the information accessed included:

  • Full names

  • Residential addresses

  • Dates of birth

  • Order histories

  • Email addresses

  • Loyalty card information

Although M&S reassured customers that passwords and card numbers were encrypted and safe, the loss of personal information sparked widespread concern. Cybersecurity experts warn that this kind of data can be leveraged for phishing campaigns, identity theft, or further social engineering attacks.

The breach was especially troubling as it affected M&S’s most loyal customer base people who had regularly interacted with the brand’s digital ecosystem, including its Sparks loyalty program.

Financial Fallout: The Numbers Behind the Crisis

The impact of the cyberattack was not just technological it struck at the heart of M&S’s financial performance. The online retail segment, which generates millions in daily revenue, was non-operational for over three weeks, causing significant sales losses.

Estimates suggest M&S lost approximately £4 million per day during this period. Consequently, the company is expected to report revenue losses in the tens of millions for the second quarter of 2025.

Moreover, the market reacted swiftly. M&S’s share price plunged by 16%, erasing over £1.3 billion from its market capitalization. While the company had recently posted strong financials including an expected £840 million in pre-tax profits for the year the breach could significantly dampen its outlook for the remainder of the fiscal year.

Even executive compensation has been affected. CEO Stuart Machin may lose up to £1.06 million from his pay package due to the performance impact stemming from the breach.

The £100 Million Cyber Insurance Claim

To manage the financial aftermath, Marks & Spencer is preparing an insurance claim of up to £100 million. The company’s cyber insurance policy, arranged by leading broker WTW, covers major cyber incidents, including data breaches, operational disruption, and reputational damage.

Allianz, the lead underwriter, is expected to bear the initial liability, with a £10 million payout anticipated. Other insurers, such as Beazley, may also contribute, depending on the final assessment of damages.

This case is shaping into one of the largest cyber-related insurance claims in UK retail history. It underscores the increasing necessity of comprehensive cyber coverage for large enterprises in today’s volatile digital landscape.

Who Was Behind the Attack?

Cybersecurity firms investigating the breach have linked the attack to DragonForce, a notorious ransomware-as-a-service (RaaS) group that provides hacking tools and malware to affiliated criminal organizations. One such affiliate, Scattered Spider, has become infamous for targeting corporations using social engineering rather than brute-force hacking.

These groups typically use a two-pronged attack strategy:

  1. Encrypting company data with ransomware renders systems unusable.

  2. Stealing data and threatening to release it publicly unless a ransom is paid.

While M&S has not publicly confirmed whether a ransom was demanded or paid, several cybersecurity sources report that the attackers made extortion threats and released samples of stolen data on dark web forums.

Industry-Wide Implications

M&S is not alone. Other major UK retailers, such as Co-op and Harrods, have recently reported similar ransomware incidents, some of which have also been linked to DragonForce or its affiliates. This pattern signals a disturbing trend: retail is becoming a favored target for cybercriminals.

In the United States, Google issued a warning in May 2025 that American retailers could be next. The tech giant identified overlapping tactics and infrastructures being deployed by these hacking groups, highlighting the global nature of the threat.

This cyberattack wave is largely driven by the growing digitalization of retail operations. As stores increasingly rely on online platforms, interconnected supply chains, and cloud-based services, they also expand their attack surfaces, creating more vulnerabilities for hackers to exploit.

What M&S and Others Are Doing in Response

Marks & Spencer has vowed to take “all necessary steps” to reinforce its cybersecurity framework. This includes:

  • Strengthening supply chain security: Reevaluating vendor contracts and demanding stricter compliance from third-party providers.

  • Implementing multi-factor authentication (MFA), particularly for internal administrative access and IT helpdesk functions.

  • Launching staff awareness campaigns: Teaching employees how to recognize phishing attempts and social engineering tactics.

  • Establishing 24/7 threat monitoring teams: Including partnerships with global cybersecurity firms for real-time alerts and intrusion detection.

  • Expanding cyber insurance coverage: Ensuring policies are regularly updated to meet evolving threats and higher risk thresholds.

These strategies reflect a growing consensus in the industry: prevention, rapid detection, and incident response planning are critical in limiting damage from cyberattacks. To be concern; we, “Hoplon Infosec” are specialized on Endpoint security, Mobile Security, Deep & Dark web monitoring as well as AI Management System and ISO Certfications. Our expert team is desicated by 24/7. Feel free for any query

Lessons for Global Businesses M&S Cyberattack

The M&S cyberattack offers essential insights for companies across sectors:

1. Prioritize Third-Party Risk Management

Many breaches begin with compromised contractors or vendors. Businesses must vet, monitor, and audit their third-party partners regularly.

2. Employee Training Is Crucial

Human error remains one of the weakest links in cybersecurity. Simulated phishing campaigns and ongoing training can reduce susceptibility.

3. Cyber Insurance Is a Must

A robust policy can mitigate the devastating financial impact of cyber incidents, particularly in high-risk sectors like retail, finance, and healthcare.

4. Incident Response Plans Save Time and Money

Companies with predefined response protocols can reduce downtime, maintain customer trust, and avoid legal consequences.

Final Thoughts

The cyberattack on Marks & Spencer has served as a wake up call not just for UK retailers, but for companies worldwide. As digital infrastructure becomes more deeply embedded in business models, so too does the risk of cyber threats. Whatever, if you need any consutancy on cybersecuirty, Click here to 👉👉 Book a schedule.

What makes this incident especially alarming is its combination of real-world financial damage, loss of customer trust, and the exposure of millions of private records. M&S is now facing the dual challenge of repairing its reputation and fortifying its digital defenses.

But if there is a silver lining, it is this: by turning the lessons of this crisis into action, M&S and other companies watching closely can emerge more resilient, secure, and better prepared for the next wave of digital threats.

Source:
The Rcord
The Times
Financial Times
The Guardian

About the author

Hoplon Infosec

Hoplon Infosec

Was this useful?

React, leave a note, or share it forward.

Leave a note

Share this article

Share this :

Free · Weekly · No noise

Get the threats that matter, before they reach you.

One short email a week with the breaches, zero-days, and fixes worth your attention — written in plain English, no fear-mongering.

Hoplon InfoSec Logo
Address : 1415 West 22nd Street, Tower Floor, Oak Brook, IL 60523

Phone : +1 (773) 904-3136

Email : info@hoploninfosec.com

Services

  • Penetration Testing
  • Cyber Security Assessment
  • AI Development
  • Incident Readiness & Response Recovery

Products

  • IBM Flash Storage Solutions
  • Mobile Security
  • Endpoint Security
  • Deep and Dark Web Monitoring

Sign Up For Newsletter

Get the latest updates on new products and upcoming news

Copyright © Hoplon InfoSec, LLC and its group of companies.
About usContact usTerms & ConditionsCookie PolicyPrivacy Policy
03Latest posts

Keep reading.

SonicWall SMA1000 Zero-Day Vulnerabilities: Patch Now
15 Jul, 2026

SonicWall SMA1000 Zero-Day Vulnerabilities: Patch Now

SonicWall SMA1000 zero-day vulnerabilities are under active attack. See affected versions, CVE details, IOC checks and the patch you need right now.

Read More
Windows 11 KB5101650 Dell Issue: Causes and Full Fix Guide
15 Jul, 2026

Windows 11 KB5101650 Dell Issue: Causes and Full Fix Guide

Windows 11 KB5101650 is blocked on some Dell PCs after an Intel driver conflict triggered shutdowns and overheating. Here is what happened and what to do.

Read More
OFAC Sanctions First VPN Service Over Ransomware
14 Jul, 2026

OFAC Sanctions First VPN Service Over Ransomware

Learn why OFAC sanctioned First VPN Service and a malware cryptor seller, how 1VPNS helped ransomware groups, and how to defend against FSB router attacks.

Read More
CVE-2026-57807: Critical WordPress SSO Flaw Explained
13 Jul, 2026

CVE-2026-57807: Critical WordPress SSO Flaw Explained

CVE-2026-57807 affects miniOrange OAuth SSO through 38.5.8. Learn who is exposed, how the flaw works, plus safe mitigation and incident response steps.

Read More
Mobile App Security Guide: Risks, Fixes and Best Practices
13 Jul, 2026

Mobile App Security Guide: Risks, Fixes and Best Practices

Mobile app security explained simply, covering real risks, OWASP threats, encryption and practical steps to protect any app from hackers.

Read More
Apple OpenAI Lawsuit: Inside the Trade Secret Theft Claims
13 Jul, 2026

Apple OpenAI Lawsuit: Inside the Trade Secret Theft Claims

Apple OpenAI lawsuit explained. See what Apple accuses Tang Tan, Chang Liu and OpenAI of stealing, and what it means for hardware security.

Read More