On 8 July, Marks & Spencer publicly confirmed the cause and scale of the cyberattack that crippled its online retail operations for over six weeks. The breach, first detected in late April, was traced to a targeted impersonation campaign linked to the Scattered Spider group, a known ransomware-as-a-service (RaaS) affiliate. The group deployed DragonForce ransomware following a successful social engineering compromise, marking one of the most severe cyber incidents to impact a major UK retailer this decade.
The compromise began with a simple but highly effective tactic: impersonation. Threat actors posing as an M&S employee contacted a third-party provider and convinced them to reset access credentials. The vendor, unaware of the deception, granted the request and handed over a critical entry point. This allowed the attackers to escalate privileges and move laterally across connected systems.
The objective was clear. Once the attackers had access, they deployed DragonForce ransomware to encrypt key digital infrastructure, including customer-facing platforms, backend systems, and internal coordination tools. This halted online shopping entirely and disrupted click-and-collect, delivery fulfilment, and returns management.
What makes this incident particularly notable is that the attackers did not rely on a traditional technical vulnerability. The breach exploited a procedural weakness, not a misconfigured firewall or unpatched server. This is emblematic of a broader industry trend: threat actors are bypassing hardened technical controls by targeting the human layer.
Marks & Spencer estimates up to £300 million in lost profit tied directly to the attack. While stores remained operational, online retail, spanning food, clothing, and home, was offline for more than six weeks during key trading periods. Attempts to shift demand back to physical channels led to logistical strain and customer dissatisfaction.
M&S confirmed that it had no intention of negotiating with the attackers. All relevant information was handed to the National Cyber Security Centre (NCSC) and the FBI. The company has not confirmed whether any customer data was exfiltrated, although insiders have noted ongoing audits into potential data exposure.
Chairman Archie Norman described the breach as “deeply distressing” and admitted that the company “could have done more” to prevent it. As recovery continues, internal resources remain tied up in forensic analysis, infrastructure rebuilding, and reviews of third-party contracts.
The path to recovery for M&S will likely stretch well into Q4. Current efforts are focused on restoring service reliability, reducing customer churn, and tightening internal controls. Meanwhile, external scrutiny from regulators, partners, and the public is intensifying.
This incident is expected to drive permanent change in how the business approaches digital risk. Executive leadership will be under pressure to demonstrate tangible improvements in breach prevention, detection, and response capability.
The M&S attack reinforces a critical point: attackers are increasingly targeting people and processes rather than technology alone. Impersonation, vendor manipulation, and communication compromise are now mainstream tactics. Mid-sized and large enterprises must shift their focus accordingly.
The fundamentals (identity, access, verification, and escalation) must be re-evaluated at the operational level. A few key lessons and recommendations include:
Even the most advanced technical controls can be bypassed if identity is compromised. Implement multi-factor authentication (MFA) across all internal and external accounts, especially those with privileged access. Ensure vendors are also held to the same standard.
Vendors and third-party suppliers should not be able to make access changes without multiple layers of verification and authorisation. Enforce procedural controls, such as mandatory dual-approval workflows and call-back confirmation for critical access changes.
Run quarterly phishing simulations and social engineering drills. Test not just employees, but also contractors and vendors. Awareness training must move beyond compliance exercises and focus on real-world threat behaviours.
An incident response plan is only helpful if it is actionable under pressure. Conduct tabletop exercises that simulate modern attack types—impersonation, insider threats, lateral movement—and assess decision-making chains.
Solutions that rely solely on malware signatures will miss threats like this. Invest in behaviour-based detection tools that can flag anomalous access patterns, credential misuse, or unauthorised escalation even when no malicious software is present.
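As an added illustration of the procedural control above (dual approval and call-back confirmation for access changes) and of the behaviour-based detection this paragraph calls for, the following Python script is example code written for this page, not anything M&S or its providers run. It reads a constructed JSON-lines identity audit trail and raises an alert when a credential reset lacked dual approval or call-back verification, and when a reset is followed within an hour by a login from a source the account has never used or by a privilege grant. The log schema, field names, account names, ticket numbers and IP addresses are all assumed.

```python
"""Behaviour-based detection over identity / help-desk audit events.

Added example: the JSON-lines format, field names and sample events are
constructed for illustration and do not come from any real product or from
the M&S incident. No malware signature is involved; every alert is derived
from the sequence and shape of ordinary identity events.
"""
import json
from datetime import datetime, timedelta

# Constructed audit trail (assumed schema). svc-ops is reset on a single
# approval with no call-back, then logs in from a never-seen address and is
# granted an admin role; jsmith is reset under the full procedure.
SAMPLE_LOG = """
{"ts": "2025-04-17T08:30:00Z", "event": "login", "user": "jsmith", "source": "10.20.0.9"}
{"ts": "2025-04-17T09:02:11Z", "event": "login", "user": "svc-ops", "source": "10.20.0.5"}
{"ts": "2025-04-17T09:40:00Z", "event": "credential_reset", "target": "svc-ops", "requested_via": "phone", "approvals": 1, "callback_verified": false, "ticket": "HD-1042"}
{"ts": "2025-04-17T09:52:30Z", "event": "login", "user": "svc-ops", "source": "198.51.100.23"}
{"ts": "2025-04-17T10:05:00Z", "event": "privilege_grant", "user": "svc-ops", "role": "domain-admin"}
{"ts": "2025-04-17T11:00:00Z", "event": "credential_reset", "target": "jsmith", "requested_via": "portal", "approvals": 2, "callback_verified": true, "ticket": "HD-1050"}
{"ts": "2025-04-17T11:30:00Z", "event": "login", "user": "jsmith", "source": "10.20.0.9"}
"""

# How long after a reset follow-on activity is still considered linked to it.
CHAIN_WINDOW = timedelta(hours=1)


def parse_events(text):
    """Parse JSON lines into dicts with timezone-aware timestamps, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(text, window=CHAIN_WINDOW):
    """Return a list of alert dicts for the audit trail in `text`."""
    events = parse_events(text)
    alerts = []
    seen_sources = {}  # user -> set of login sources observed so far

    for i, ev in enumerate(events):
        if ev["event"] == "login":
            seen_sources.setdefault(ev["user"], set()).add(ev["source"])
            continue
        if ev["event"] != "credential_reset":
            continue

        target = ev["target"]
        base = {"target": target, "ticket": ev.get("ticket"), "ts": ev["ts"].isoformat()}

        # Rule 1: the procedural control was bypassed (fewer than two approvals,
        # or the requester was never confirmed via an independent call-back).
        if ev.get("approvals", 0) < 2 or not ev.get("callback_verified", False):
            alerts.append({**base, "rule": "reset_without_dual_approval_or_callback"})

        # Rule 2: look ahead within the window for activity on the reset account
        # that does not match its pre-reset baseline. An account with no prior
        # logins has an empty baseline, so any login after the reset is flagged.
        baseline = set(seen_sources.get(target, set()))
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break
            if later.get("user") != target:
                continue
            if later["event"] == "login" and later["source"] not in baseline:
                alerts.append({**base, "rule": "login_from_new_source_after_reset",
                               "source": later["source"]})
            elif later["event"] == "privilege_grant":
                alerts.append({**base, "rule": "privilege_grant_after_reset",
                               "role": later.get("role")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

Running the script prints three alerts, all against the svc-ops reset (ticket HD-1042) and none against jsmith, whose reset carried two approvals and a verified call-back. In practice the baseline of known sources would be built from weeks of history rather than the same file, and the first rule is only as good as the help-desk tooling that records approvals and call-backs as structured fields.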
Make it culturally acceptable to challenge and verify. Employees and partners must feel empowered to stop a process—even one that seems routine—if something feels off. This cannot be mandated; it must be modelled from the top.
Treat cybersecurity failure as a material financial risk. This means integrating cyber scenarios into business continuity planning, financial forecasting, and insurance coverage. Quantify the cost of outages and model their impact on shareholder value.
M&S is likely to face parliamentary scrutiny in the coming months, and this may lead to broader regulatory consequences for supply chain accountability in the retail sector. Insurers, auditors, and risk committees will take a far greater interest in social engineering defence and third-party verification protocols. As similar impersonation attacks continue to rise across the UK market, leadership teams will be under pressure to demonstrate proactive, not reactive, cyber governance.
| Company | Resource Name | URL |
|---|---|---|
| The Global Herald | Marks & Spencer Chair Discusses Cyber Attack That Aimed to Disrupt Business | https://theglobalherald.com/news/marks-spencer-chair-discusses-cyber-attack-that-aimed-to-disrupt-business/ |
| Irish Examiner | M&S says April cyberattack caused by 'sophisticated impersonation' of third-party | https://www.irishexaminer.com/business/companies/arid-41665775.html |
| ITV | M&S boss admits more could have been done to prevent 'traumatic' cyber attack | https://www.itv.com/news/2025-07-08/m-and-s-boss-admits-more-could-have-been-done-to-prevent-traumatic-cyber-attack |
| Silicon Republic | M&S says Dragon Force threat group behind April cyberattack | https://www.siliconrepublic.com/enterprise/ms-marks-spencer-cyberattack-uk-dragon-force-parliament-8-july |