Marks & Spencer (M&S)

Marks & Spencer (M&S), one of Britain’s most prominent retailers, suffered a **ransomware attack** attributed to the hacking collective *Scattered Spider* using the *DragonForce encryptor*. The attack forced M&S to **shut down critical systems**, including its **website and app**, halting clothing and home orders for **six days** during peak summer demand. Some **food product availability** was also disrupted in stores. The incident caused **operational outages**, financial losses from lost sales, and reputational damage during a high-revenue period. Cybersecurity experts noted the group’s aggressive tactics, including **phishing, MFA bombing, and SIM swapping**, targeting IT help desks. The attack aligns with Scattered Spider’s history of high-profile ransomware campaigns, such as those against *Caesars Entertainment* and *MGM Resorts* in 2023. The **National Cyber Security Centre (NCSC)**, **National Crime Agency (NCA)**, and **Metropolitan Police’s Cyber Crime Unit** are investigating, underscoring the attack’s severity and potential broader economic impact on the UK retail sector.

Source: https://www.insurancejournal.com/news/international/2025/04/30/821996.htm

TPRM report: https://www.rankiteo.com/company/marks-and-spencer

"id": "mar1662016090825",
"linkid": "marks-and-spencer",
"type": "Ransomware",
"date": "6/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': ['Retail (Food)',
                                     'Funeral Care',
                                     'Legal Services',
                                     'Insurance'],
                        'location': 'United Kingdom',
                        'name': 'Co-op Group',
                        'size': '2,300+ food stores nationwide',
                        'type': 'Retailer (Member-Owned Cooperative)'},
                       {'industry': 'Retail (Clothing, Home, Food)',
                        'location': 'United Kingdom',
                        'name': 'Marks & Spencer (M&S)',
                        'type': 'Public Retailer'}],
 'attack_vector': ['Phishing',
                   'MFA Bombing',
                   'SIM Swapping',
                   'Exploitation of IT Help Desks'],
 'customer_advisories': ['Public statements confirming operational status '
                         '(Co-op)',
                         'No specific advisories mentioned (M&S)'],
 'data_breach': {'data_encryption': ['Yes (M&S servers encrypted)']},
 'date_publicly_disclosed': '2024-06-19',
 'description': 'Britain’s Co-op Group disclosed a hacking attempt on its '
                'systems, marking the second high-profile cyber attack on a '
                'major UK retailer in recent weeks, following an ongoing '
                'ransomware-related incident at Marks & Spencer (M&S). The '
                'Co-op shut down some back-office and call center operations '
                'but confirmed that stores, online operations, and funeral '
                'homes remained operational. The M&S attack, attributed to the '
                "'Scattered Spider' hacking collective using the DragonForce "
                'encryptor, disrupted clothing/home orders and some food '
                'product availability. The group is known for aggressive '
                'tactics, including phishing, MFA bombing, and SIM swapping. '
                'UK authorities, including the NCSC, NCA, and Metropolitan '
                'Police, are investigating both incidents.',
 'impact': {'brand_reputation_impact': ['Potential reputational damage (both '
                                        'companies)',
                                        'Disruption during peak summer demand '
                                        '(M&S)'],
            'downtime': ['Partial (Co-op back-office/call centers)',
                         '6+ days (M&S clothing/home orders)'],
            'operational_impact': ['Disruption to call centers (Co-op)',
                                   'Paused clothing/home orders (M&S)',
                                   'Limited food product availability (M&S)'],
            'systems_affected': ['Back-office systems (Co-op)',
                                 'Call centers (Co-op)',
                                 'Servers (M&S, encrypted)',
                                 'Online ordering systems (M&S)',
                                 'App-based ordering (M&S)']},
 'initial_access_broker': {'entry_point': ['IT help desks (via social '
                                           'engineering)',
                                           None],
                           'high_value_targets': ['M&S servers (encrypted)',
                                                  None]},
 'investigation_status': ['Ongoing (NCSC, NCA, Metropolitan Police involved)'],
 'motivation': ['Financial Gain (ransomware)'],
 'post_incident_analysis': {'root_causes': ['Social engineering (MFA bombing, '
                                            'SIM swapping, phishing)',
                                            None]},
 'ransomware': {'data_encryption': ['Yes (M&S)'],
                'ransom_demanded': ['Yes (M&S: alleged, amount undisclosed)',
                                    None],
                'ransomware_strain': ['DragonForce (alleged for M&S)']},
 'references': [{'date_accessed': '2024-06-19', 'source': 'Reuters'},
                {'source': 'BleepingComputer'},
                {'source': 'Darktrace (Nathaniel Jones, VP of Security & AI '
                           'Strategy)'}],
 'regulatory_compliance': {'legal_actions': ['U.S. prosecutors charged 5 '
                                             'alleged Scattered Spider members '
                                             '(November 2023)']},
 'response': {'communication_strategy': ['Public statements (both companies)',
                                         None],
              'containment_measures': ['Shut down back-office/call center '
                                       'systems (Co-op)',
                                       'Offline systems (M&S)'],
              'incident_response_plan_activated': ['Yes (Co-op: proactive '
                                                   'steps)',
                                                   'Yes (M&S: systems taken '
                                                   'offline)'],
              'law_enforcement_notified': ['Yes (M&S: Metropolitan Police '
                                           'investigating)',
                                           'Likely (Co-op: not explicitly '
                                           'stated)'],
              'recovery_measures': ['Working to reduce disruption (Co-op)',
                                    None],
              'third_party_assistance': ['National Cyber Security Centre '
                                         '(NCSC)',
                                         'National Crime Agency (NCA)',
                                         'Metropolitan Police Cyber Crime '
                                         'Unit']},
 'threat_actor': ['Scattered Spider (alleged for M&S)'],
 'title': 'Cyber Attack on Co-op Group and Ongoing Ransomware Incident at '
          'Marks & Spencer (M&S)',
 'type': ['Unauthorized Access Attempt', 'Ransomware Attack']}