The Marks & Spencer Breach: A Wake-Up Call for the UK Retail Sector

With the Marks & Spencer's breach being one of the most recent breaches in the news, I wanted to investigate and have a look at what occurred.

For those who live outside of the UK or just under a rock, Marks & Spencer's are one of the largest retailers here. In late April this year (2025), they experienced a breach that persisted for weeks. This breach caused widespread financial, operational and reputational damage.

Let me provide a little bit more insight into M&S:

"Marks and Spencer plc (commonly abbreviated to M&S and colloquially known as Marks or Marks & Sparks) is a major British multinational retailer based in London, England, that specialises in selling clothing, beauty products, home products and food products. It is listed on the London Stock Exchange (LSE) and is a constituent of the FTSE 100 Index." [1]

Let's look at a timeline for the breach:

  • 22nd April 2025: The incident began with a social engineering attack (T1566, Initial Access). Callers impersonated employees in calls to the service desk, convincing staff to reset internal account passwords (T1078, Valid Accounts). This led to unauthorised access to the internal network (Lateral Movement). [2][3]
  • The malware used in the attack was linked to DragonForce, a RaaS (ransomware-as-a-service) provider. This ransomware encrypted key operational files (T1486, Data Encrypted for Impact), deleted backups (T1490, Inhibit System Recovery), disabled antivirus tools (T1562, Impair Defenses), and exfiltrated sensitive data for extortion (T1041, Exfiltration Over C2 Channel). [3]
  • There are links to Scattered Spider (also known as UNC3944, Octo Tempest, Muddled Libra, Star Fraud, and Oktapus), a notorious cybercriminal collective with a history of targeting large enterprises using sophisticated social engineering tactics. [3]

The Impact

The financial impact was substantial. While M&S has not fully restored digital and in-store services as of early this month (May 2025), we know that the financial impact has been huge. The share price tanked $715 million in value in the days following the initial breach. [3][4]

Not only was the financial impact huge, but, as previously mentioned, the attack caused system paralysis across the company, from online orders to contactless payments. This led to customers experiencing checkout failures, empty shelves and delivery delays. [3][5]

Further to the impact, names and contact details of over 900 employees were exposed. As yet, there is no confirmation that passwords, bank details, or transaction histories were compromised. [2][4][5]

The M&S breach was part of a coordinated wave of cyberattacks on the UK retail sector, also affecting Co-op and Harrods [4][5].

The National Cyber Security Centre (NCSC) has recommended that all companies review their help desk processes to detect and block these types of breaches.
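One way to put the "detect" half of that recommendation into practice, as an added example (not code from the sources cited here or from NCSC guidance): correlate help-desk password resets with what happens on the account shortly afterwards. The event types, field names, 24-hour window and the two signals (sign-in from a previously unseen IP, new MFA method registered) are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events. Field names and event types are hypothetical;
# map them to whatever your identity provider and ticketing system emit.
EVENTS = [
    {"ts": "2025-01-06T08:55:00", "user": "asmith", "type": "signin_success", "ip": "10.20.1.15"},
    {"ts": "2025-01-07T09:02:00", "user": "asmith", "type": "helpdesk_password_reset", "ip": "10.20.9.4"},
    {"ts": "2025-01-07T09:10:00", "user": "asmith", "type": "signin_success", "ip": "10.20.1.15"},
    {"ts": "2025-01-08T14:30:00", "user": "bjones", "type": "signin_success", "ip": "10.20.2.40"},
    {"ts": "2025-01-09T22:41:00", "user": "bjones", "type": "helpdesk_password_reset", "ip": "10.20.9.4"},
    {"ts": "2025-01-09T22:47:00", "user": "bjones", "type": "signin_success", "ip": "203.0.113.77"},
    {"ts": "2025-01-09T22:52:00", "user": "bjones", "type": "mfa_method_registered", "ip": "203.0.113.77"},
]


def flag_risky_resets(events, window=timedelta(hours=24)):
    """Return help-desk resets followed, within `window`, by a sign-in from an
    IP not in the user's baseline or by registration of a new MFA method."""
    known_ips = defaultdict(set)  # user -> IPs seen outside any reset window
    last_reset = {}               # user -> (reset time, alert record)
    resets = []
    # Same-format ISO 8601 timestamps sort chronologically as strings.
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["type"] == "helpdesk_password_reset":
            alert = {"user": user, "reset_at": e["ts"], "reasons": []}
            last_reset[user] = (ts, alert)
            resets.append(alert)
            continue
        reset = last_reset.get(user)
        in_window = reset is not None and ts - reset[0] <= window
        if e["type"] == "signin_success":
            if not in_window:
                known_ips[user].add(e["ip"])  # only baseline outside reset windows
            elif e["ip"] not in known_ips[user]:
                reset[1]["reasons"].append("sign-in from new IP " + e["ip"])
        elif e["type"] == "mfa_method_registered" and in_window:
            reset[1]["reasons"].append("MFA method registered from " + e["ip"])
    return [a for a in resets if a["reasons"]]


if __name__ == "__main__":
    for alert in flag_risky_resets(EVENTS):
        print(alert["user"], alert["reset_at"], "; ".join(alert["reasons"]))
```

A user with no sign-in history before the reset is flagged on their first sign-in, which is the conservative choice for a queue that a human reviews.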

Key Takeaways:

  • We are only as strong as our weakest link. Human error seems to still be a large issue. Therefore, the importance of ongoing cybersecurity awareness training is paramount.
  • Simulate real-world attacks. Regular social engineering penetration tests and table-top simulations can prepare the service desk on how to handle these attack vectors.
  • Harden your systems. Multi-factor authentication (MFA) must be enforced, and incident response plans should be continuously tested and improved.

Conclusion

The 2025 M&S cyberbreach stands as one of the most disruptive retail cyber incidents in recent UK history. It exposed critical vulnerabilities in identity verification and incident preparedness, resulting in severe operational, financial, and reputational damage. This is a wake-up call to ensure systems are hardened and employees are trained.

References

[1] Wikipedia, 2025. Marks & Spencer. [online] Available at: https://en.wikipedia.org/wiki/Marks_%26_Spencer [Accessed 12 May 2025].

[2] Reuters, 2025. M&S, Co-op cyberattackers duped IT help desks into resetting passwords, says report. [online] 6 May. Available at: https://www.reuters.com/business/retail-consumer/ms-co-op-cyberattackers-duped-it-help-desks-into-resetting-passwords-says-report-2025-05-06/ [Accessed 12 May 2025].

[3] Altr, 2025. Lessons from the M&S Data Breach. [online] Available at: https://altr.com/blog/lessons-from-the-ms-data-breach/ [Accessed 12 May 2025].

[4] Computer Weekly, 2025. Chaos spreads at Co-op, M&S following DragonForce attacks. [online] Available at: https://www.computerweekly.com/news/366623685/Chaos-spreads-at-Co-op-MS-following-DragonForce-attacks [Accessed 12 May 2025].

[5] The420.in, 2025. DragonForce Cyberattacks: Co-op, M&S, Harrods Customer Data Leak – UK Retail Hit. [online] Available at: https://the420.in/dragonforce-cyberattacks-co-op-ms-harrods-customer-data-leak-uk-retail-hit/ [Accessed 12 May 2025].