Marks & Spencer (M&S), a major UK retailer, was targeted in a **ransomware attack** that disrupted its internal systems and locked employees out of critical files. The attack exploited weaknesses in enterprise backup strategies, highlighting how conventional cybersecurity measures fall short when backups are not properly isolated. While the incident did not explicitly confirm data theft or financial loss, the operational disruption (potential downtime, employee lockout, and reliance on negotiation with cybercriminals) underscores the attack's severe impact on business continuity. The breach also raises broader concerns about the effectiveness of traditional backup solutions, since similar failures have occurred in other high-profile cases (e.g., Capital Health, NHS). The attack reinforces the need for offline, air-gapped storage to prevent encryption or deletion of backups, though such solutions introduce logistical and financial challenges.
TPRM report: https://www.rankiteo.com/company/marks-and-spencer
Incident record metadata:

```json
{
  "id": "mar0762307092425",
  "linkid": "marks-and-spencer",
  "type": "Ransomware",
  "date": "9/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
```

Incident detail:

```json
{
  "affected_entities": [
    {
      "industry": "retail",
      "location": "United Kingdom",
      "name": "Marks & Spencer (M&S)",
      "size": "large enterprise",
      "type": "retailer"
    }
  ],
  "data_breach": {
    "data_encryption": ["critical employee files encrypted"]
  },
  "description": "Major UK retailer Marks & Spencer (M&S) was recently hit by a ransomware attack that disrupted internal systems and locked employees out of critical files. The incident underscores broader trends in cybercriminals targeting large organizations with ransomware, demanding payment to restore access. The attack could have been mitigated with isolated backups, though such 'unhackable' solutions (e.g., HyperBUNKER’s diode-based offline vault) introduce financial and logistical challenges. Traditional backup failures in similar cases (e.g., Capital Health, NHS) raise questions about the practicality of offline storage as a universal safeguard.",
  "impact": {
    "brand_reputation_impact": ["potential erosion of trust due to public disclosure of breach"],
    "operational_impact": [
      "employee lockout from critical files",
      "disruption of internal operations"
    ],
    "systems_affected": [
      "internal systems",
      "critical employee files"
    ]
  },
  "initial_access_broker": {
    "high_value_targets": [
      "critical employee files",
      "internal systems"
    ]
  },
  "lessons_learned": [
    "Isolated backups (e.g., offline/air-gapped storage) could mitigate ransomware impact but introduce cost and logistical challenges.",
    "Traditional backup solutions remain vulnerable to ransomware if not properly segmented or isolated.",
    "Physical security of offline backups (e.g., risk of theft) must be addressed alongside cybersecurity.",
    "Enterprises may need layered backup strategies to balance accessibility, cost, and resilience."
  ],
  "motivation": [
    "financial gain (ransom demand)",
    "disruption of operations"
  ],
  "post_incident_analysis": {
    "root_causes": [
      "Lack of isolated/offline backups allowing ransomware to encrypt critical files.",
      "Potential exploitation of network-connected backup vulnerabilities (historical context)."
    ]
  },
  "ransomware": {
    "data_encryption": true
  },
  "recommendations": [
    "Evaluate offline/air-gapped backup solutions (e.g., data diodes) for critical data, weighing costs against risk reduction.",
    "Implement multi-layered backup strategies to avoid single points of failure.",
    "Assess physical security measures for offline storage to mitigate theft risks.",
    "Regularly test backup integrity and recovery procedures to ensure effectiveness against ransomware.",
    "Consider distributing encrypted backup units across secure locations to reduce risk concentration."
  ],
  "references": [
    {"source": "TechRadar Pro"},
    {"source": "Blocksandfiles (interview with Matt Peterman and Nino Eškić)"}
  ],
  "title": "Marks & Spencer Ransomware Attack Highlights Backup Strategy Flaws",
  "type": [
    "ransomware",
    "data encryption"
  ],
  "vulnerability_exploited": [
    "lack of isolated backups",
    "potential network protocol/handshake exploits (historical context)"
  ]
}
```