M&S Meltdown: Cyberattack Disrupts Stores, Sales and Trust

British retail giant Marks & Spencer (M&S) faces one of its biggest crises. A devastating cyberattack has sent shockwaves through its operations, leaving customers frustrated, shelves empty, and the company’s profits plummeting. From frozen food counters to a paralyzed online store, the damage from the digital breach is wide-reaching. The incident, which began over the Easter weekend, has left the high street staple scrambling to restore its services, but the fallout is far from over. The story of M&S’s cyberattack reveals how vulnerable even the most established brands are in today’s digital age—and how significant the consequences can be when systems are breached.

A Timeline of Chaos

Marks & Spencer’s troubles began around Easter, when customers reported issues with contactless payment and the Click & Collect service. These early signs of a cyberattack didn’t seem catastrophic at first, but as the days passed, the scope of the attack became clearer.

On April 25, Marks & Spencer decided to stop accepting online orders through its website, app, and phone channels, signaling a deeper issue than initially apparent. The company touted this decision as a “proactive” move to control the situation, but it hinted at the absolute chaos unfolding behind the scenes.

By April 30, the signs of the attack were unmistakable. Empty shelves and shuttered food counters became common across many of its stores. Hot food counters, once bustling with customers, were temporarily shut down.

Notices in-store read, “Due to technical issues, we cannot offer these products now. We’re working hard to resolve the problem and will have these items back in stock as quickly as possible.”

The company’s decision to take some systems offline as part of its response to the cyberattack also led to widespread store disruption. Staff had to manually monitor chillers, with the fear that automatic defrost alarms were no longer functioning. Even Marks & Spencer’s charitable donations, which had long been a part of its community engagement efforts, were put on hold as logistical systems failed.

While the issues in stores became increasingly visible, the damage to the online platform was equally devastating. The disruption to online sales came at an incredibly inopportune moment, especially with warmer spring weather encouraging customers to purchase new clothing and home goods.

Hackers in Hoodies: Who’s Responsible?

While M&S has remained tight-lipped about the specifics of the breach, cybersecurity experts have quickly pieced together the nature of the attack. Clearly, the attack was ransomware—hackers infiltrate a company’s systems, encrypt vital data, and demand payment to restore access. But who were the culprits behind this sophisticated operation? According to reports, the group behind the attack is Scattered Spider, a notorious hacking group believed to be composed of young cybercriminals, some reportedly as young as 16.

The hackers accessed Marks & Spencer’s systems as early as February. However, the real damage occurred on April 24, when they allegedly deployed a tool known as DragonForce, a program that is often used in ransomware attacks. Once DragonForce was in play, the hackers encrypted large volumes of data and effectively held M&S’s digital systems hostage. Although there’s no confirmed leak of sensitive information, the possibility of personal data exposure on the dark web remains a primary concern. The breach has caused significant damage to M&S’s digital infrastructure, and it’s clear that this attack is far from the work of amateur hackers.

To address the attack and mitigate further damage, M&S is now working closely with the National Cyber Security Centre (NCSC) and private cybersecurity experts. However, experts agree that this type of breach is a growing concern for businesses, especially those that rely heavily on digital infrastructure.

Millions Down the Drain

The financial toll of the cyberattack on M&S has been catastrophic. Since the attack began, the retailer’s stock has dropped by 6.5%, wiping out more than £500 million in market value. But the damage extends far beyond stock prices. Reports suggest that Marks & Spencer is losing around £3.8 million per day in online sales, an exceptionally hard hit for a company that relies heavily on its online platform. M&S’s latest financial statements show that about a third of the company’s clothing and homeware sales are made through its online channels, worth roughly £1.2 billion annually.

The timing couldn’t have been worse for Marks & Spencer, as the company is now missing out on a crucial sales period: the spring fashion season. Many customers who would have turned to M&S for new clothing are likely opting for its competitors, who can deliver products without delay. Marketing expert Catherine Shuttleworth noted, “Given the ‘buy it now’ culture, other retailers will benefit from this opportunity.”

For a retailer like M&S, losing out on spring sales during an already challenging retail environment could have long-lasting repercussions. The company’s reputation, once solid, now faces a “bruise,” according to analysts. Still, Marks & Spencer’s loyal customer base may offer some leniency due to the company’s long-standing presence in the market.

Logistics in Limbo

The cyberattack’s effects are not limited to the stores and online platforms. M&S’s logistical operations have also been heavily disrupted. Temporary staff at the company’s Castle Donington logistics hub, located in the East Midlands, were told to stay at home as the cyberattack crippled systems at the key site. M&S had hoped to keep its logistics running smoothly despite the cyberattack, but delays and confusion have rendered this impossible.

The attack has also impacted M&S’s grocery business. The company supplies products to online grocery partner Ocado, which delivers M&S groceries to customers. M&S has confirmed that a small portion of products being provided to Ocado have been affected, but the retailer hasn’t disclosed which specific products are impacted. Even the company’s hiring efforts have been put on hold due to the disruption. M&S removed all job postings from its website, citing ongoing technical issues.

Customers Left in the Dark

Despite the growing impact of the cyberattack, M&S has been eerily quiet in terms of public communication. The company has issued only two public statements since April 25, leaving customers and analysts in the dark about the full scale of the attack and what steps M&S is taking to fix the problem. This lack of transparency is concerning, especially given the magnitude of the breach.

Consumer expert Kate Hardcastle explained, “In today’s hyper-connected world, silence can be unsettling, particularly when trust and transparency are the most valuable commodities a brand can offer.” Financial analyst Susannah Streeter added, “Good communication and transparency will restore confidence in the company and its systems. The longer M&S remains silent, the more likely the reputation will suffer further damage.”

Supplier Worries

While M&S has largely informed suppliers about the attack, the situation has also left them on edge. Thea Green, CEO of the beauty brand Nails Inc., expressed concern about the disruption to M&S’s operations but said it would only have a “single-digit” percentage impact on her business. However, with new product launches on the horizon, even minor delays can have significant consequences.

M&S’s stores, especially those in the food sector, are equally concerned about the cyberattack’s long-term effects. The retailer’s supply chain and logistics networks have been left in disarray, raising questions about how M&S will manage its operations in the future.

Online Shopping: Hit Pause

Customers can still browse products online, but they cannot place orders or track previous ones. A message on the M&S website reads: “As part of our proactive management of a cyber incident, we have decided to pause taking orders via our M&S.com websites, apps, and over the phone.” This message reflects the company’s intent to contain the damage, but it also signals how severely the breach has impacted M&S’s platform.

Despite these challenges, M&S has assured customers that they need not take any action and that the team is working “extremely hard” to “restore online shopping as quickly as possible.” However, as the days drag on, customers’ frustration grows.

Can M&S Bounce Back?

While the damage is already significant, the question remains: can M&S recover from this cyberattack? Whether or not the company can regain consumer trust and stabilize its operations depends on how quickly it can resolve the current issues and how transparently it communicates with customers in the coming weeks. With cybersecurity teams on board and crisis management underway, all eyes are on the brand’s first move.

Lessons from the Fallout

This cyberattack is a stark reminder of the growing threats businesses face in the digital age. It’s a wake-up call not only for M&S but for retailers everywhere. Cyberattacks are no longer rare incidents but are becoming an increasingly common reality. Companies must prioritize cybersecurity and take steps to fortify their digital defenses.

The M&S cyberattack will likely be studied for years as a case study on how a major brand can fall victim to young, tech-savvy hackers—and how recovery demands technical expertise and human transparency.

Hoplon Infosec
