In April 2025, one of the UK’s most iconic retailers, Marks & Spencer (M&S), fell victim to a devastating cyberattack that disrupted business operations, exposed customer data, and triggered a monumental insurance claim of up to £100 million. This high-profile incident not only shocked millions of loyal customers but also underscored the growing threat of ransomware attacks on the global retail sector.
The breach, linked to the ransomware group DragonForce, has had wide-reaching effects, from operational downtime and financial loss to intense public scrutiny and strategic cybersecurity reforms.
How the Cyberattack Unfolded
The cyberattack struck over the Easter bank holiday weekend, beginning on April 19, 2025. M&S publicly acknowledged the attack on April 22, revealing that its digital systems had been severely compromised. Customers trying to place orders through the website or mobile app were met with delays, errors, or complete service blackouts.
Initial investigations pointed to a third-party contractor as the likely entry point for the hackers. The attackers reportedly used sophisticated social engineering techniques to manipulate IT helpdesk staff into resetting internal passwords, allowing the threat actors to gain high-level access to critical systems within M&S’s digital infrastructure.
The malicious group operated undetected for approximately 52 hours, launching a five-day cyber assault that disrupted core services, including online orders, inventory systems, and internal communications.
What Data Was Stolen in the Marks & Spencer Cybersecurity Breach?
On May 13, Marks & Spencer revealed that the hackers had exfiltrated personal details of up to 9.4 million customers. While sensitive financial data such as payment card details and passwords were reportedly untouched, the information accessed included:
- Full names
- Residential addresses
- Dates of birth
- Order histories
- Email addresses
- Loyalty card information
Although M&S reassured customers that passwords and card numbers were encrypted and safe, the loss of personal information sparked widespread concern. Cybersecurity experts warn that this kind of data can be leveraged for phishing campaigns, identity theft, or further social engineering attacks.
The breach was especially troubling as it affected M&S’s most loyal customer base: people who had regularly interacted with the brand’s digital ecosystem, including its Sparks loyalty program.
Financial Fallout: The Numbers Behind the Crisis
The impact of the cyberattack was not just technological; it struck at the heart of M&S’s financial performance. The online retail segment, which generates millions in daily revenue, was non-operational for over three weeks, causing significant sales losses.
Estimates suggest M&S lost approximately £4 million per day during this period. Consequently, the company is expected to report revenue losses in the tens of millions for the second quarter of 2025.
Moreover, the market reacted swiftly. M&S’s share price plunged by 16%, erasing over £1.3 billion from its market capitalization. While the company had recently posted strong financials, including an expected £840 million in pre-tax profits for the year, the breach could significantly dampen its outlook for the remainder of the fiscal year.
Even executive compensation has been affected. CEO Stuart Machin may lose up to £1.06 million from his pay package due to the performance impact stemming from the breach.
The £100 Million Cyber Insurance Claim
To manage the financial aftermath, Marks & Spencer is preparing an insurance claim of up to £100 million. The company’s cyber insurance policy, arranged by leading broker WTW, covers major cyber incidents, including data breaches, operational disruption, and reputational damage.
Allianz, the lead underwriter, is expected to bear the initial liability, with a £10 million payout anticipated. Other insurers, such as Beazley, may also contribute, depending on the final assessment of damages.
This case is shaping into one of the largest cyber-related insurance claims in UK retail history. It underscores the increasing necessity of comprehensive cyber coverage for large enterprises in today’s volatile digital landscape.
Who Was Behind the Attack?
Cybersecurity firms investigating the breach have linked the attack to DragonForce, a notorious ransomware-as-a-service (RaaS) group that provides hacking tools and malware to affiliated criminal organizations. One such affiliate, Scattered Spider, has become infamous for targeting corporations using social engineering rather than brute-force hacking.
These groups typically use a two-pronged attack strategy:
- Encrypting company data with ransomware, rendering systems unusable.
- Stealing data and threatening to release it publicly unless a ransom is paid.
While M&S has not publicly confirmed whether a ransom was demanded or paid, several cybersecurity sources report that the attackers made extortion threats and released samples of stolen data on dark web forums.
Industry-Wide Implications
M&S is not alone. Other major UK retailers, such as Co-op and Harrods, have recently reported similar ransomware incidents, some of which have also been linked to DragonForce or its affiliates. This pattern signals a disturbing trend: retail is becoming a favored target for cybercriminals.
In the United States, Google issued a warning in May 2025 that American retailers could be next. The tech giant identified overlapping tactics and infrastructures being deployed by these hacking groups, highlighting the global nature of the threat.
This cyberattack wave is largely driven by the growing digitalization of retail operations. As stores increasingly rely on online platforms, interconnected supply chains, and cloud-based services, they also expand their attack surfaces, creating more vulnerabilities for hackers to exploit.
What M&S and Others Are Doing in Response
Marks & Spencer has vowed to take “all necessary steps” to reinforce its cybersecurity framework. This includes:
- Strengthening supply chain security: Reevaluating vendor contracts and demanding stricter compliance from third-party providers.
- Implementing multi-factor authentication (MFA), particularly for internal administrative access and IT helpdesk functions.
- Launching staff awareness campaigns: Teaching employees how to recognize phishing attempts and social engineering tactics.
- Establishing 24/7 threat monitoring teams: Including partnerships with global cybersecurity firms for real-time alerts and intrusion detection.
- Expanding cyber insurance coverage: Ensuring policies are regularly updated to meet evolving threats and higher risk thresholds.
These strategies reflect a growing consensus in the industry: prevention, rapid detection, and incident response planning are critical in limiting damage from cyberattacks.
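As an added illustration of rapid detection on the helpdesk password-reset path described earlier (this is not code from M&S or any firm named in this article), the Python sketch below scans identity events and flags a helpdesk-initiated reset that is followed within an hour by a login from a device the account has never used before. The event field names, account and device names, and the privileged-account list are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs); field names are assumptions.
EVENTS = [
    {"ts": "2025-01-06T08:02:00", "type": "login", "account": "svc-admin", "device": "LAPTOP-114"},
    {"ts": "2025-01-06T09:15:00", "type": "login", "account": "j.smith", "device": "LAPTOP-220"},
    {"ts": "2025-01-06T22:40:00", "type": "helpdesk_reset", "account": "svc-admin", "actor": "helpdesk-07"},
    {"ts": "2025-01-06T22:52:00", "type": "login", "account": "svc-admin", "device": "UNKNOWN-9F"},
    {"ts": "2025-01-07T10:05:00", "type": "helpdesk_reset", "account": "j.smith", "actor": "helpdesk-02"},
    {"ts": "2025-01-07T10:20:00", "type": "login", "account": "j.smith", "device": "LAPTOP-220"},
]
PRIVILEGED = {"svc-admin"}  # hypothetical list of high-privilege accounts


def flag_suspicious_resets(events, window=timedelta(hours=1)):
    """Return alerts for helpdesk resets followed, within `window`, by a
    login from a device the account has never used before."""
    known = {}    # account -> devices seen so far
    pending = {}  # account -> (reset time, helpdesk actor)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        if ev["type"] == "helpdesk_reset":
            pending[acct] = (ts, ev["actor"])
        elif ev["type"] == "login":
            seen = known.setdefault(acct, set())
            reset = pending.pop(acct, None)  # only the first login after a reset is judged
            if reset and ts - reset[0] <= window and ev["device"] not in seen:
                alerts.append({
                    "account": acct,
                    "reset_by": reset[1],
                    "device": ev["device"],
                    "minutes_after_reset": int((ts - reset[0]).total_seconds() // 60),
                    "severity": "high" if acct in PRIVILEGED else "medium",
                })
            seen.add(ev["device"])
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious_resets(EVENTS):
        print(alert)
```

The reset for `j.smith` is not flagged because the follow-up login comes from a device that account had already used; only the reset followed by a never-seen device raises an alert.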
Lessons for Global Businesses from the M&S Cyberattack
The M&S cyberattack offers essential insights for companies across sectors:
1. Prioritize Third-Party Risk Management
Many breaches begin with compromised contractors or vendors. Businesses must vet, monitor, and audit their third-party partners regularly.
2. Employee Training Is Crucial
Human error remains one of the weakest links in cybersecurity. Simulated phishing campaigns and ongoing training can reduce susceptibility.
3. Cyber Insurance Is a Must
A robust policy can mitigate the devastating financial impact of cyber incidents, particularly in high-risk sectors like retail, finance, and healthcare.
4. Incident Response Plans Save Time and Money
Companies with predefined response protocols can reduce downtime, maintain customer trust, and avoid legal consequences.
Final Thoughts
The cyberattack on Marks & Spencer has served as a wake-up call not just for UK retailers, but for companies worldwide. As digital infrastructure becomes more deeply embedded in business models, so too does the risk of cyber threats.
What makes this incident especially alarming is its combination of real-world financial damage, loss of customer trust, and the exposure of millions of private records. M&S is now facing the dual challenge of repairing its reputation and fortifying its digital defenses.
But if there is a silver lining, it is this: by turning the lessons of this crisis into action, M&S and other companies watching closely can emerge more resilient, secure, and better prepared for the next wave of digital threats.