Marks & Spencer cyberattack: what happened and what it means
by Aaron Flack on Jul 9, 2025
On 8 July, Marks & Spencer publicly confirmed the cause and scale of the cyberattack that crippled its online retail operations for over six weeks. The breach, first detected in late April, was traced to a targeted impersonation campaign linked to the Scattered Spider group, a known ransomware-as-a-service (RaaS) affiliate. The group deployed DragonForce ransomware following a successful social engineering compromise, marking one of the most severe cyber incidents to impact a major UK retailer this decade.
The Attack Path: From Impersonation to Ransomware
The compromise began with a simple but highly effective tactic: impersonation. Threat actors posing as an M&S employee contacted a third-party provider and convinced them to reset access credentials. The vendor, unaware of the deception, granted the request, unknowingly handing over a critical entry point. This allowed the attackers to escalate privileges and move laterally across connected systems.
The objective was clear. Once the attackers had access, they deployed DragonForce ransomware to encrypt key digital infrastructure, including customer-facing platforms, backend systems, and internal coordination tools. This halted online shopping entirely and disrupted click-and-collect, delivery fulfilment, and returns management.
What makes this incident particularly notable is that the attackers did not rely on a traditional technical vulnerability. The breach exploited a procedural weakness, not a misconfigured firewall or unpatched server. This is emblematic of a broader industry trend: threat actors are bypassing hardened technical controls by targeting the human layer.
Organisational Fallout
Marks & Spencer estimates up to £300 million in lost profit tied directly to the attack. While stores remained operational, online retail, spanning food, clothing, and home, was offline for more than six weeks during key trading periods. Attempts to shift demand back to physical channels led to logistical strain and customer dissatisfaction.
M&S confirmed that it had no intention of negotiating with the attackers. All relevant information was handed to the National Cyber Security Centre (NCSC) and the FBI. The company has not confirmed whether any customer data was exfiltrated, although insiders have noted ongoing audits into potential data exposure.
Chairman Archie Norman described the breach as “deeply distressing” and admitted that the company “could have done more” to prevent it. As recovery continues, internal resources remain tied up in forensic analysis, infrastructure rebuilding, and reviews of third-party contracts.
Rebuilding Trust and Resilience
The path to recovery for M&S will likely stretch well into Q4. Current efforts are focused on restoring service reliability, reducing customer churn, and tightening internal controls. Meanwhile, external scrutiny from regulators, partners, and the public is intensifying.
This incident is expected to drive permanent change in how the business approaches digital risk. Executive leadership will be under pressure to demonstrate tangible improvements in breach prevention, detection, and response capability.
What does this signal for UK enterprises?
The M&S attack reinforces a critical point: attackers are increasingly targeting people and processes rather than technology alone. Impersonation, vendor manipulation, and communication compromise are now mainstream tactics. Mid-sized and large enterprises must shift their focus accordingly.
The fundamentals of identity, access, verification, and escalation must be re-evaluated at the operational level. A few key lessons and recommendations include:
1. Treat Identity as a Threat Vector
Even the most advanced technical controls can be bypassed if identity is compromised. Implement multi-factor authentication (MFA) across all internal and external accounts, especially those with privileged access. Ensure vendors are also held to the same standard.
2. Tighten Third-Party Interaction Protocols
Vendors and third-party suppliers should not be able to make access changes without multiple layers of verification and authorisation. Enforce procedural controls, such as mandatory dual-approval workflows and call-back confirmation for critical access changes.
3. Conduct Regular Human-Focused Testing
Run quarterly phishing simulations and social engineering drills. Test not just employees, but also contractors and vendors. Awareness training must move beyond compliance exercises and focus on real-world threat behaviours.
4. Review Incident Response Readiness
An incident response plan is only helpful if it is actionable under pressure. Conduct tabletop exercises that simulate modern attack types—impersonation, insider threats, lateral movement—and assess decision-making chains.
5. Prioritise Detection of Non-Malware Intrusions
Solutions that rely solely on malware signatures will miss threats like this. Invest in behaviour-based detection tools that can flag anomalous access patterns, credential misuse, or unauthorised escalation even when no malicious software is present.
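As an added illustration of the behaviour-based detection this point calls for (example code written for this article's scenario, not code from M&S, a vendor product, or any of the cited sources), the rule below correlates a credential reset with a subsequent login from an unseen source, a privileged group add, and remote sessions to hosts the account has never used, the same chain the article describes. The audit events, baseline, account names and thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real telemetry): a helpdesk-driven
# credential reset of a third-party account, then a login from an unfamiliar
# source, a privileged group add, and remote sessions to several hosts.
EVENTS = [
    {"ts": "2025-04-17T09:02:00", "event": "credential_reset", "account": "vendor-svc", "actor": "helpdesk"},
    {"ts": "2025-04-17T09:14:00", "event": "login", "account": "vendor-svc", "src": "203.0.113.44"},
    {"ts": "2025-04-17T09:40:00", "event": "group_add", "account": "vendor-svc", "group": "Domain Admins"},
    {"ts": "2025-04-17T10:05:00", "event": "remote_session", "account": "vendor-svc", "host": "fs01"},
    {"ts": "2025-04-17T10:09:00", "event": "remote_session", "account": "vendor-svc", "host": "db02"},
    {"ts": "2025-04-17T10:12:00", "event": "remote_session", "account": "vendor-svc", "host": "app03"},
    {"ts": "2025-04-17T11:00:00", "event": "login", "account": "jsmith", "src": "10.0.7.8"},
]

# Constructed per-account baseline: sources and hosts seen before the window.
BASELINE = {
    "vendor-svc": {"src": {"198.51.100.7"}, "hosts": {"fs01"}},
    "jsmith": {"src": {"10.0.7.8"}, "hosts": set()},
}

PRIV_GROUPS = {"Domain Admins", "Enterprise Admins"}  # assumed high-value groups


def detect_post_reset_abuse(events, baseline, window=timedelta(hours=24), min_new_hosts=2):
    """Alert when a credential reset is followed, within `window`, by a login
    from a source not in the account's baseline AND either a privileged group
    add or remote sessions to at least `min_new_hosts` unseen hosts. No malware
    signature is involved; only access behaviour is examined."""
    alerts = []
    for r in (e for e in events if e["event"] == "credential_reset"):
        acct, t0 = r["account"], datetime.fromisoformat(r["ts"])
        base = baseline.get(acct, {"src": set(), "hosts": set()})
        later = [e for e in events if e["account"] == acct
                 and t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window]
        new_src = {e["src"] for e in later if e["event"] == "login" and e["src"] not in base["src"]}
        priv = [e["group"] for e in later if e["event"] == "group_add" and e["group"] in PRIV_GROUPS]
        new_hosts = {e["host"] for e in later if e["event"] == "remote_session" and e["host"] not in base["hosts"]}
        if new_src and (priv or len(new_hosts) >= min_new_hosts):
            alerts.append({"account": acct, "reset_by": r["actor"], "new_sources": sorted(new_src),
                           "priv_groups": priv, "new_hosts": sorted(new_hosts)})
    return alerts


if __name__ == "__main__":
    for a in detect_post_reset_abuse(EVENTS, BASELINE):
        print("ALERT post-reset abuse:", a)
```

The same reset followed by a login from a baselined source produces no alert, which keeps routine, verified resets from generating noise.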
6. Build a Culture of Interruption
Make it culturally acceptable to challenge and verify. Employees and partners must feel empowered to stop a process—even one that seems routine—if something feels off. This cannot be mandated; it must be modelled from the top.
7. Align Cyber Resilience with Financial Risk
Treat cybersecurity failure as a material financial risk. This means integrating cyber scenarios into business continuity planning, financial forecasting, and insurance coverage. Quantify the cost of outages and model their impact on shareholder value.
What to Expect Next
M&S is likely to face parliamentary scrutiny in the coming months, and this may lead to broader regulatory consequences for supply chain accountability in the retail sector. Insurers, auditors, and risk committees will take a far greater interest in social engineering defence and third-party verification protocols. As similar impersonation attacks continue to rise across the UK market, leadership teams will be under pressure to demonstrate proactive, not reactive, cyber governance.