M&S hack: What we can learn
- Tom Archer
- Jun 1
- 13 min read
One hack over 3 days can devastate 10 years of progress. In this article, I unpick what went wrong for M&S, clear up the facts and take learnings through into protecting our businesses.

The M&S Cyberattack: Lessons Learned for Business Leaders
In mid-April 2025, British retailer Marks & Spencer (M&S) was hit by a disruptive cyberattack. Customers experienced failures of contactless payments and click-and-collect services over the Easter weekend, and on April 22, the company confirmed it was dealing with a “cyber incident”. Within days, M&S took its online store offline for clothing and home orders (continuing to sell only food), and IT teams worked 24/7 – even sleeping in offices – to contain the breach. Despite extensive cleanup efforts, online services remained down for weeks. On May 13 (more than three weeks later), M&S announced that personal customer data had been exfiltrated by the attackers. This long silence, common in sophisticated breaches, drew scrutiny, and it raised urgent questions: What exactly was stolen? Who was behind the attack? And how should a major brand defend itself moving forward? Below, we unpack what is publicly known or reasonably assumed, fact-check key claims, and draw lessons for other businesses.
What Data Was Stolen – Facts vs. Fear
M&S has acknowledged that some personal customer data was taken, but has repeatedly emphasised what was not taken. According to official statements, the breach exposed names, contact details (addresses, emails, phone numbers), dates of birth and household information, and online order histories. By contrast, no full payment card details or passwords were compromised. M&S clarified that it does not hold full card numbers on its systems; at most, the stolen data may include masked card fragments (e.g. the last four digits) or internal reference numbers for store credit cards, which the company says cannot be used to make payments. In short, the attackers got detailed personal profiles and purchase logs, but no credentials and no usable financial data.
Personal data exposed: Customer names, addresses, emails, phone numbers, dates of birth, household info and purchase history.
Not exposed: Full credit/debit card numbers, CVV codes, payment PINs or passwords. M&S confirmed that its systems store only masked card fragments (last 4 digits or Sparks Pay references) that would not allow purchases.
Passwords: M&S insists no online-account passwords were obtained. Customers will be prompted to reset passwords out of precaution, but this is purely a safety measure, not an indication that passwords were stolen.
This fact-check contradicts some alarming headlines.
Multiple reputable sources (BBC, Reuters) quote M&S’s statement that neither “usable payment or card details… nor any account passwords” were taken. Security analysts echo that assessment: without full card data or credentials, the breach does not give criminals an immediate way to steal money. It does, however, hand them rich personal information. A name, home address, date of birth and recent order history are exactly the details a convincing “there is a problem with your M&S order” phishing email or call needs, so the practical risk is fraud against customers rather than direct card abuse. Only masked card snippets (e.g. expiry dates, last four digits) were at risk, information the retailer itself says is of no use for making payments.
Timeline of Response and Disclosure
M&S’s public response unfolded in phases. On April 22 it announced a “cyber incident” (as reported to regulators) but gave few details. By April 25 it had paused online retail orders, though its 1,000 stores remained open, especially for food. Share prices fell as investors feared prolonged downtime. Behind the scenes, a crisis team held round-the-clock meetings (even at midnight on Easter Sunday) to coordinate IT, forensic and PR efforts. Outside cyber experts (CrowdStrike, Microsoft, Fenix24) and government agencies were brought in to investigate.
Despite this flurry of activity, M&S did not confirm customer data theft until May 13. Only then did it email all registered website users, admitting that “unfortunately, some personal customer information has been taken”. The three-week delay sparked debate. On one hand, a deep, stealthy breach can take time to understand fully. Former NCSC head Ciaran Martin observed that “the length of the recovery period… was not unusual” given the need to rebuild networks after a serious attack. Indeed, internal systems were so disrupted that at one point M&S re-routed staff to encrypted chat apps (such as WhatsApp) to keep working, a sign that normal IT channels had been locked down.
On the other hand, regulators expect breaches to be reported swiftly. UK GDPR requires notifying the Information Commissioner’s Office (ICO) “without undue delay” and, where feasible, within 72 hours of becoming aware of a breach, and it separately requires informing affected individuals without undue delay if the breach is likely to pose a high risk to their rights. The 72-hour clock applies to the regulator report, not to the customer email. M&S did report the incident to the NCSC and the ICO (the ICO confirmed by May 2 that it had received reports), but it waited until investigators were sure of the facts before alerting customers. Company spokespeople explained that they were “working around the clock” and would notify people once a data compromise was confirmed. This cautious approach is defensible from a technical standpoint, since investigating a complex ransomware attack can legitimately take weeks, but it also frustrated customers and drew criticism. In retrospect, some experts suggest that customers might have been warned earlier to watch for scams, even if the full impact wasn’t yet known.
Attribution: Who Was Behind the Attack?
M&S itself has not named the attackers. However, public clues point to a known pattern of recent attacks. A criminal group calling itself DragonForce claimed, in an interview with the BBC, to have hit M&S and fellow retailers Co-op and Harrods. DragonForce is a ransomware-as-a-service (RaaS) operation: it provides the encryption malware that affiliates rent for their own attacks, taking a cut of any ransom. In parallel, cybersecurity investigators and the UK’s National Cyber Security Centre (NCSC) have linked the methods to “Scattered Spider” (also tracked as Octo Tempest), a loose collective of mostly English-speaking hackers. Scattered Spider is notorious for precisely this kind of assault: its members use social engineering to trick IT help desks into resetting passwords, then quietly harvest credentials and deploy ransomware.
So what gives confidence in this attribution? It is a convergence of evidence: the ransomware itself was identified as DragonForce (confirmed by underground intelligence reports), and the help-desk social-engineering tactics match past Scattered Spider campaigns. Google’s threat analysts warned that Scattered Spider was mounting similar attacks against US retailers around the same time. The NCSC has noted that recent UK retail hacks fit Scattered Spider’s profile (English-speaking, help-desk focus), and experts emphasise that tactics are telling: DragonForce tooling combined with Scattered Spider social engineering has appeared in breaches worldwide.
It’s worth noting that ransomware gangs often publicly claim credit, sometimes boasting of conquests that can’t be immediately verified. For example, DragonForce told the BBC it “stole data on staff and millions of customers from the Co-op” and was behind M&S’s and Harrods’ outages. But law enforcement and security firms usually remain cautious until forensic evidence (malware signatures, stolen file lists, server logs) matches those claims. In this case, independent reports (BleepingComputer, Group-IB and others) assembled enough technical detail (encryption type, attack timeline, stolen AD credentials) to tie the incident to known Scattered Spider affiliates using DragonForce ransomware. For our purposes, we’ll say that the weight of the clues points to the DragonForce/Scattered Spider criminal network. It is as confident an attribution as one can have without an official investigation report, but all such labels should be treated with caution.
Tactics and Tools: How the Hack Worked
From public disclosures and expert analysis, a technical picture emerges.
The attackers appear to have used social engineering as the initial entry. Reports say they impersonated M&S employees (possibly posing as staff of an outsourcing firm, or even as managers) to the IT help desk, and persuaded staff there to reset passwords or grant elevated access. One national press piece warns all organisations to revisit their help-desk procedures after these incidents. (For example, staff might now use pre-arranged code words or callback verification before resetting a login; the callback must go to a number held in HR records, never to one the caller supplies.) In another documented Scattered Spider pattern, attackers use “MFA bombing” (also called MFA fatigue), flooding a person’s phone with two-factor push prompts until the user approves one out of annoyance. Once in, the criminals could compromise an account with broad privileges.
Inside the network, the intruders moved stealthily and gathered intelligence for weeks. According to security reports, they accessed highly sensitive files, including the Active Directory (AD) database (the file NTDS.dit), which holds the password hashes for every user in the Windows domain. Those NT hashes are unsalted, so they can be cracked cheaply and at scale with modern GPUs, and for many Windows authentication protocols the hash itself is enough to log in (“pass-the-hash”), so cracking is not even required. Armed with administrator credentials across M&S’s environment, the attackers could move laterally, accessing servers, databases and virtual infrastructure, and remain largely undetected for an extended period.
On April 24 the attack culminated in a ransomware strike. The attackers detonated the DragonForce ransomware payload, which encrypted many of M&S’s VMware ESXi virtual machines. (ESXi is the hypervisor that runs many virtual servers on a single physical host; encrypting the VM files on its datastores can effectively lock down an entire data centre in one step.) In addition to encryption, the criminals also exfiltrated large volumes of data, giving them a second lever (“double extortion”): pay, or the data is leaked. Security blogs note this is exactly how DragonForce affiliates have operated elsewhere.
One industry source summarised the modern kill chain succinctly: “Phishing, credential abuse, Cobalt Strike implants, Mimikatz extractions, data staging to cloud storage, followed by selective encryption and ransom leverage”. In other words, the hackers used off-the-shelf tools and techniques (no zero-day exploits needed) but combined them in a well-orchestrated way. As one expert put it, the real failure was “organisational blindness” to unusual behaviour and lax identity workflows, rather than any novel malware.
The use of ransomware-as-a-service also shows how far the criminal ecosystem has matured: DragonForce provides a polished platform that even mid-level cybercriminals can rent, paying a cut to its creators. That lets affiliates field capable encryption without writing it themselves. Notably, M&S’s attackers were skilled at two things, people-hacking (getting around help-desk checks) and ransomware deployment, while relying on common, commodity tooling for everything in between. The result was a high-impact disruption engineered with surprisingly ordinary methods.
Impact on M&S: Trust, Costs, and Resilience
The immediate impact on M&S has been severe. Online clothing and home orders (nearly one-third of their sales) were frozen for weeks, costing an estimated £30–£40 million per week in lost business. One analyst notes that the company was seeing “£40 million a week in lost sales” while scrambling in crisis meetings around the clock. By May, the share price had fallen roughly 15% from its pre-incident level, erasing hundreds of millions of pounds in market value. (Reports suggest insurers may end up covering losses on the order of £100 million, including business interruption and data liability costs.) Beyond the spreadsheet, there is the harder-to-measure cost to brand trust.
M&S is a household name built on quality and service; customers expect it to protect their data and to keep its stores and systems running smoothly. Analysts warn that this incident is a “bruise” to the brand’s image. As one retail expert put it, customers will forgive a lot if a firm responds quickly and openly, but they’ll remember being locked out of services or having data stolen. Kate Hardcastle of Insight with Passion remarked that if the situation is handled transparently, it “can be just a bruise rather than a lasting scar”. However, she cautioned that prolonged outages or perceived secrecy would “shake confidence” in the brand.
Operationally, M&S showed resilience in some respects: its 1,000 stores (especially food halls and cafes) remained open, and it had planned backup procedures (e.g. cash registers offline, manual processes) to keep essentials selling. The Standard newspaper notes M&S had even war-gamed a cyberattack drill the year before. Yet the reality proved chaotic: insiders describe teams switching to personal devices and improvised communications to keep up daily operations. This underscores that resilience is a combination of technical systems and practised human plans. Even with robust plans on paper, the sheer scale of locking down and then rebuilding a retail IT network caused unprecedented strain.
Finally, regulatory and legal ramifications loom.
Under UK GDPR, M&S will have to demonstrate that it reported the breach promptly and took appropriate mitigation steps. If authorities find fault (e.g. unreasonable delay in notification, or inadequate security measures), penalties could be significant (up to 4% of global annual turnover). So far, the ICO and National Crime Agency have been notified and are looking into it. The company’s willingness to accept regulatory inquiries and its cooperation will influence both fines and public reputation. In any event, the cost of this breach, direct and reputational, will be counted in years to come.
Strengthening Cybersecurity: Best Practices for Prevention and Response
The M&S incident offers a stark reminder that even major, well-prepared businesses are at risk. For any organisation with a valuable brand and complex IT systems, building a robust cybersecurity posture is essential. Below are key areas to focus on:
1. Penetration Testing and Red Teaming
Regularly test your defences by simulating attacks. Hire external penetration testers or red teams to probe networks, applications and cloud services. Include infrastructure components and even third-party integrations. These exercises reveal hidden vulnerabilities before real attackers exploit them. After major system upgrades or once a year at minimum, repeat the tests and address any gaps uncovered. (In practice, this might include both automated vulnerability scans and human-led security audits).
2. Identity and Access Management
Implement strict onboarding and offboarding procedures. Every time an employee or contractor joins or leaves, immediately grant or remove access rights. Use the principle of least privilege: people (and systems) should have only the minimum access needed for their roles. Mandate strong multi-factor authentication (MFA) for all sensitive logins (especially for administrators and remote access). In light of these attacks, consider moving away from SMS/email codes and simple push approvals toward phishing-resistant methods (hardware tokens or FIDO keys), which cannot be approved by a tired thumb or relayed by a fake login page. Crucially, tighten help-desk protocols: require code words, out-of-band callbacks to a number already on file, or other robust identity proof before resetting any password or MFA device, and treat a reset followed by a new MFA enrolment as an event worth reviewing. (For example, the UK NCSC now advises setting up secret verification phrases that staff must use when IT support calls them back.) These steps stop attackers from simply talking their way into admin accounts.
3. Data Architecture and Network Segmentation
Design your network so that no single breach can cripple everything. Put critical systems (e.g. payment processing, customer databases, administrative controls) on segmented subnets or VLANs. Limit communication between segments: for instance, the e-commerce web servers should not sit on the same flat network as HR or vendor portals. Store valuable data (customer PII, financial records) in separate databases behind dedicated firewalls. Keep offline, encrypted backups of important data in physically isolated locations. This way, even if attackers penetrate one segment, they cannot easily hop to others without further credentials.
4. Vulnerability Management (Technical and Human)
Technical vulnerabilities: Keep all software fully patched. Track critical third-party libraries, OS, firmware and apply security updates in a timely manner. Adopt secure development practices: use code reviews, static analysis tools, and staging environments. Run regular automated vulnerability scans.
Human vulnerabilities: People are often the weakest link. Provide ongoing security awareness training to all staff.
Conduct frequent phishing simulations to test and teach employees. (As one expert recommended, train people on the psychological tricks used and simulate attacks regularly.)
Cultivate a culture where staff feel comfortable reporting suspicious emails or behaviours without fear. Remember: no amount of technical controls will stop an attacker who calls the helpdesk and convinces someone he is the CTO, unless your people are trained to verify identities.
5. Third-Party and Supply Chain Security
No company is an island; most rely on suppliers, contractors and service providers. M&S itself worked with multiple outside partners, but the attackers apparently exploited weaknesses in M&S’s own processes rather than directly hacking a vendor. Nonetheless, treat third parties with caution. Maintain an inventory of all third-party relationships that have network or data access. Require that vendors adhere to high security standards (for example, ISO 27001 certification or similar). Limit each vendor’s privileges to what is strictly necessary; never give a supplier blanket trust to access your core systems. Conduct security due diligence before onboarding a new partner. As one industry analyst warned, retailers often “engage with multiple third-party dependencies”, and a vulnerability in one partner can create a “downstream effect” on all linked businesses. Some industry surveys report that over half of breaches in the retail sector involve third-party access. To close this gap, also ensure your cyber insurance policies explicitly cover third-party incidents and dependent business interruption.
6. Change and Release Management
Control how software and infrastructure changes are deployed. Use formal version-control systems and continuous integration pipelines with automated testing. Require code reviews and security sign-off before any new code or configuration hits production. Schedule regular maintenance windows for updates, and never allow untested “patches” during an emergency without follow-up audits. A well-governed change process reduces the chance that a faulty update creates a hole. It also makes it easier to roll back or fix deployments that introduce problems. (In M&S’s case, some fixes may have had to be undone once it was clear the breach was ongoing.)
7. Backup, Disaster Recovery, and Business Continuity
Prepare for the worst by having robust recovery plans. Maintain regular, encrypted backups of all critical data and systems, and store those backups off-network (air-gapped if possible). Periodically test your disaster-recovery procedure by restoring systems from backups to a separate environment. Develop and drill incident response playbooks so that key staff know their roles (who leads technical recovery, who communicates with customers/authorities, etc.). As soon as a breach is detected, activate your business continuity plan: isolate affected systems, switch to manual operations if needed, and notify stakeholders (including legal and PR) in a coordinated way. Document every step taken (forensics requires audit trails). M&S had drilled cyberattacks before, but the reality still caused “pure chaos” internally. Regular tabletop exercises can help ensure that chaos is limited when a real incident strikes.
8. Monitoring, Alerting and Auditability
You cannot protect what you don’t see. Implement centralised logging and real-time monitoring of your network and applications. Collect logs from firewalls, servers, authentication systems and crucial applications into a Security Information and Event Management (SIEM) tool. Configure alerts for anomalous activities, for example a rapid succession of failed logins or MFA prompts, a help-desk password reset followed within the hour by a new MFA device, a user downloading unusually large amounts of data, or access from an unexpected location. Ensure logs are tamper-proof (write-once or off-site storage) so they can be trusted in an investigation. In the M&S attack, the Active Directory intrusion suggests that continuous logging, with rules that flag the usual signs of a password-hash dump (a volume shadow copy of a domain controller’s system drive, or ntdsutil run outside a maintenance window), could have detected the breach sooner. In general, good observability lets you spot intruders before they reach the final stage of encryption.
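The alert rules listed above, and the MFA-bombing and help-desk-reset patterns from the Tactics section, as an added example of my own (not M&S’s tooling, and not any vendor’s rule syntax): each detector is a pure function over parsed events and returns alert tuples, which is the shape that ports cleanly to a scheduled SIEM query or a streaming rule. The log format, the users, the timestamps and the thresholds are all constructed for the example.

```python
"""Added example: SIEM-style detections run over constructed log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events (invented users and times; not real telemetry).
SAMPLE_LOG = """\
2025-04-17T08:59:00Z user=asmith action=login_ok src=GB bytes=0
2025-04-17T09:05:10Z user=jdoe action=mfa_push src=GB bytes=0
2025-04-17T09:05:25Z user=jdoe action=mfa_push src=GB bytes=0
2025-04-17T09:05:40Z user=jdoe action=mfa_push src=GB bytes=0
2025-04-17T09:05:55Z user=jdoe action=mfa_push src=GB bytes=0
2025-04-17T09:06:10Z user=jdoe action=mfa_push src=GB bytes=0
2025-04-17T09:06:30Z user=jdoe action=login_ok src=GB bytes=0
2025-04-17T10:12:00Z user=asmith action=helpdesk_reset src=GB bytes=0
2025-04-17T10:20:00Z user=asmith action=mfa_device_enrolled src=US bytes=0
2025-04-17T10:21:00Z user=asmith action=login_ok src=US bytes=0
2025-04-17T11:40:00Z user=asmith action=download src=US bytes=7200000000
2025-04-17T12:00:00Z user=bkhan action=login_fail src=GB bytes=0
2025-04-17T12:00:05Z user=bkhan action=login_fail src=GB bytes=0
2025-04-17T12:00:09Z user=bkhan action=login_fail src=GB bytes=0
2025-04-17T12:00:14Z user=bkhan action=login_fail src=GB bytes=0
2025-04-17T12:00:20Z user=bkhan action=login_fail src=GB bytes=0
2025-04-17T12:00:25Z user=bkhan action=login_fail src=GB bytes=0
"""

# Per-user countries seen during a quiet baseline period (constructed).
BASELINE = {"asmith": {"GB"}, "jdoe": {"GB"}, "bkhan": {"GB"}}


def parse(text):
    """'<ts> k=v k=v ...' lines -> dicts with a UTC datetime and int bytes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        ev = dict(p.split("=", 1) for p in kv)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["bytes"] = int(ev.get("bytes", 0))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def burst(events, action, threshold, window):
    """Sliding window per user: fires once when `threshold` events of `action`
    land inside `window`. The same rule covers MFA push bombing (action=mfa_push)
    and brute-force or spraying attempts (action=login_fail)."""
    alerts, recent = [], defaultdict(deque)
    for ev in events:
        if ev["action"] != action:
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) == threshold:          # == so one alert per burst, not one per event
            alerts.append((f"{action}_burst", ev["user"], ev["ts"]))
    return alerts


def reset_then_enrol(events, window):
    """Help-desk password reset followed by a new MFA device within `window`:
    the account-takeover sequence described in the article, rarely legitimate."""
    alerts, last_reset = [], {}
    for ev in events:
        if ev["action"] == "helpdesk_reset":
            last_reset[ev["user"]] = ev["ts"]
        elif ev["action"] == "mfa_device_enrolled":
            t = last_reset.get(ev["user"])
            if t is not None and ev["ts"] - t <= window:
                alerts.append(("reset_then_new_mfa", ev["user"], ev["ts"]))
    return alerts


def large_download(events, limit):
    """Single transfer above `limit` bytes: a crude but useful staging signal."""
    return [("large_download", e["user"], e["ts"])
            for e in events if e["action"] == "download" and e["bytes"] > limit]


def new_location(events, baseline):
    """Successful login from a country absent from the user's baseline."""
    return [("new_location", e["user"], e["ts"]) for e in events
            if e["action"] == "login_ok" and e["src"] not in baseline.get(e["user"], set())]


def run_all(text, baseline):
    """Run every detector and return (kind, user, ts) alerts in time order."""
    ev = parse(text)
    five_min, one_hour = timedelta(minutes=5), timedelta(hours=1)
    alerts = (burst(ev, "mfa_push", 5, five_min)
              + burst(ev, "login_fail", 5, five_min)
              + reset_then_enrol(ev, one_hour)
              + large_download(ev, 5 * 10**9)
              + new_location(ev, baseline))
    return sorted(alerts, key=lambda a: a[2])


if __name__ == "__main__":
    for kind, user, ts in run_all(SAMPLE_LOG, BASELINE):
        print(f"{ts:%H:%M:%S} {kind:20} {user}")
```

On the sample data the rules fire in the order an intrusion would actually unfold: push bombing against one user, then a help-desk reset immediately followed by a new MFA device, a first login from a new country, and a large download, with a separate failed-login burst against a third account. The thresholds are starting points; tune them against your own baseline rather than copying the numbers.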
9. Network Segmentation and Zero Trust Architecture
Traditional perimeter defences are not enough in today’s threat environment. Enforce internal firewalls between departments and applications. Treat every network segment as untrusted by default. Implement a zero-trust model where every access request (inside or outside the LAN) must be authenticated and authorised. For example, use mutual TLS or VPNs for internal service calls, micro-segment your data centre, and restrict east-west traffic with strict policies; management planes such as domain controllers and hypervisor hosts should be reachable only from a dedicated admin segment. In practical terms, this means even if attackers breach one server or subnet, they cannot roam freely to the rest of the network without overcoming additional hurdles. The same zero-trust mindset applies to people: do not automatically trust an on-site contractor or even a CEO’s request without verification. Modern architectures can incorporate hardware security keys, device posture checks, and continuous re-validation of credentials. (During the M&S incident, security experts suggested banning weak MFA methods like SMS codes and moving to more robust authenticators.)
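The segmentation advice in sections 3 and 9 comes down to one property: any cross-segment flow that is not explicitly allowed is dropped. Here is an added example of my own (not M&S’s network, not any firewall vendor’s syntax) that encodes such a default-deny east-west policy and checks constructed flow records against it, the way you might audit NetFlow or firewall logs for traffic your policy should never have permitted. The VLAN names, subnets, ports and flows are all assumptions made for the example.

```python
"""Added example: default-deny east-west policy evaluated over flow records."""
import ipaddress

SEGMENTS = {                                        # constructed VLAN layout
    "web":   ipaddress.ip_network("10.10.0.0/24"),
    "db":    ipaddress.ip_network("10.20.0.0/24"),
    "hr":    ipaddress.ip_network("10.30.0.0/24"),
    "admin": ipaddress.ip_network("10.90.0.0/24"),  # hardened admin workstations
    "mgmt":  ipaddress.ip_network("10.99.0.0/24"),  # domain controllers, ESXi, vCenter
}

# The explicit allow-list: (src_segment, dst_segment, proto, port).
# Anything that crosses a segment boundary and is not listed here is denied.
ALLOW = {
    ("web",   "db",   "tcp", 5432),   # app tier to its database only
    ("web",   "mgmt", "tcp", 636),    # LDAPS to the DCs
    ("hr",    "mgmt", "tcp", 636),
    ("admin", "mgmt", "tcp", 443),    # vCenter / ESXi UI only from the admin VLAN
    ("admin", "mgmt", "tcp", 22),
    ("admin", "mgmt", "tcp", 3389),
}


def segment_of(ip):
    """Name of the segment containing `ip`, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def decide(src, dst, proto, port):
    """Return ('allow'|'deny', reason). Traffic inside one segment is allowed
    (micro-segmentation would tighten that); cross-segment traffic must match
    ALLOW exactly; addresses outside every known segment are denied outright."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return "deny", "unknown segment"
    if s == d:
        return "allow", f"intra-{s}"
    if (s, d, proto, port) in ALLOW:
        return "allow", f"{s}->{d}:{proto}/{port}"
    return "deny", f"no rule {s}->{d}:{proto}/{port}"


def evaluate(flows):
    """flows: iterable of (src, dst, proto, port); returns (flow, verdict, reason)."""
    return [(f, *decide(*f)) for f in flows]


SAMPLE_FLOWS = [                                   # constructed, not real traffic
    ("10.10.0.5", "10.20.0.10", "tcp", 5432),      # web -> db: allowed
    ("10.10.0.5", "10.30.0.7",  "tcp", 445),       # web -> HR over SMB: lateral move, denied
    ("10.10.0.5", "10.99.0.20", "tcp", 443),       # web -> ESXi UI: denied
    ("10.90.0.3", "10.99.0.20", "tcp", 443),       # admin -> ESXi UI: allowed
    ("10.30.0.7", "10.99.0.2",  "tcp", 636),       # HR -> DC LDAPS: allowed
    ("192.0.2.9", "10.99.0.2",  "tcp", 389),       # outside every segment: denied
]

if __name__ == "__main__":
    for flow, verdict, why in evaluate(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow[0]:>12} -> {flow[1]:<12} {flow[2]}/{flow[3]:<5} {why}")
```

The useful habit is to run the intended policy over observed flows and treat every “deny” that actually succeeded on the wire as a misconfiguration to fix: if a web server can reach an HR file share or a hypervisor’s management interface, the flat-network problem the article describes is already present.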
10. Governance, Training, and Culture
Finally, cybersecurity must be owned at the highest levels. Assign a clear leader (CISO or equivalent) with direct access to the board or CEO, who can marshal resources and enforce policies across departments. Define a dedicated incident response team (IT security, legal, communications, HR, etc.) and make sure everyone knows their role. Review all security controls and policies regularly, at least annually or whenever major changes occur, to adapt to new threats. Invest in continuous training: conduct phishing awareness campaigns, tabletop exercises for executives, and rewards for reporting suspicious activities. Remember that many vulnerabilities are human: encourage a culture where asking “Why is this password reset needed?” is normal, not rude.
The balance of preventative versus reactive measures is key. While M&S’s planners had incident response drills (reactive), the attack still exploited preventable gaps (like helpdesk trust). The cost of preventive measures (firewalls, audits, training) is far less than the cost of an outage and breach fine. Therefore, treat cybersecurity as a core strategic investment, not just an IT project. Keep threat intelligence feeds active so you know what new attack trends are emerging, and be ready to iterate on your defences.
Conclusion
The Marks & Spencer cyberattack serves as a wake-up call for all organisations with valuable brands. It shows that even well-known companies can be brought to their knees by a sophisticated but fundamentally human-driven scheme. For business leaders and CTOs, the lessons are clear: verify every assumption, limit trust, and prepare relentlessly. By dissecting the M&S breach, we see both the risks and the remedies. Only by combining strong technical safeguards with vigilant processes and a security-aware culture can any business hope to avoid a similar fate. Future attacks are not a matter of if, but when – and today’s lessons are the best defence.