Marks & Spencer (M&S) suffered a **cyberattack in April**, attributed to the **DragonForce ransomware group**, that caused severe operational and financial disruption. The attack **disabled its app and online shopping platform**, leading to **lost sales in Fashion, Home & Beauty**, while **Food sales were hit by stock shortages and manual process inefficiencies** that incurred additional waste and logistics costs. The company expects a **£300 million (~$402M) hit to annual profits**, excluding direct incident costs, with disruption persisting into **July**. Customer data may have been compromised, though it has not yet been leaked on darknet extortion sites. M&S is claiming up to **£100M from insurance** and accelerating IT infrastructure upgrades. The attack coincided with similar incidents at **Co-op and Harrods**, though no official link has been confirmed. The share price initially dipped and has since rebounded slightly, but remains **8.8% below pre-attack levels**.
Source: https://therecord.media/marks-spencer-cyberattack-hit-to-profits-300m
TPRM report: https://www.rankiteo.com/company/marks-and-spencer
"id": "mar19103519112725",
"linkid": "marks-and-spencer",
"type": "Ransomware",
"date": "4/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Potentially all online/app '
'users (number not specified)',
'industry': 'Retail (Food, Fashion, Home, Beauty)',
'location': 'United Kingdom',
'name': 'Marks & Spencer (M&S)',
'size': 'Large (FTSE 100 constituent)',
'type': 'Publicly Traded Company'}],
'customer_advisories': {'data_compromise_warning': 'Issued (potential risk '
'acknowledged)'},
'data_breach': {'data_exfiltration': {'evidence': None,
'status': 'Claimed by threat actor (not '
'yet leaked on darknet)'},
'personally_identifiable_information': 'Potential '
'(unconfirmed)',
'type_of_data_compromised': 'Potentially customer data '
'(claimed by DragonForce, '
'unconfirmed)'},
'date_detected': '2024-04-01T00:00:00Z',
'date_publicly_disclosed': '2024-04-03T00:00:00Z',
'description': 'Marks & Spencer (M&S) suffered a cyberattack in April 2024, '
'leading to significant operational disruptions, financial '
'losses, and potential customer data compromise. The incident, '
'attributed to the DragonForce ransomware group, disrupted '
"M&S's app, online shopping, and supply chain operations, with "
'effects expected to persist into July. The company '
'anticipates a £300 million ($402 million) hit to annual '
'profits, excluding direct incident-related costs. While M&S '
'has not confirmed or denied paying a ransom, the attackers '
'have not yet leaked the allegedly compromised data on their '
'darknet site. The incident has prompted accelerated '
'investments in infrastructure upgrades and supply chain '
'systems.',
'impact': {'brand_reputation_impact': {'customer_trust': None,
'share_price': {'five_day_change': '+5%',
'immediate_after_disclosure': '+1.9% '
'(Wednesday)',
'since_attack_confirmation': '-8.8% '
'from '
'pre-attack '
'high'}},
'data_compromised': {'details': None,
'status': 'Potentially compromised (claimed '
'by DragonForce, not yet leaked)'},
'downtime': {'app_online_shopping': 'April–July 2024 (ongoing as '
'of disclosure)',
'supply_chain': 'April–July 2024 (improving but not '
'fully resolved)'},
'financial_loss': {'conversion_rate_impact': None,
'first_quarter_costs': ['Additional waste',
'Logistics costs '
'(manual processes)',
'Reduced availability'],
'insurance_claim': 'Up to £100 million (maximum '
'policy claim)',
'operating_profit_impact': '£300 million '
'(before cost '
'mitigation, '
'insurance, and '
'trading actions)',
'revenue_loss': None,
'second_quarter_costs': ['Increased stock '
'management',
'Online disruption '
'(June–July)']},
'identity_theft_risk': 'Potential (if customer data was '
'exfiltrated)',
'operational_impact': {'fashion_home_beauty': 'Online sales '
'halted; stores '
'resilient',
'food_sales': 'Reduced availability '
'(improving)',
'stock_management': 'Disrupted (Q1–Q2 2024)',
'waste_logistics': 'Increased costs due to '
'manual processes'},
'systems_affected': ['App (unavailable)',
'Online shopping platform (paused)',
'Supply chain systems',
'Store stocking processes',
'Manual logistics operations']},
'initial_access_broker': {'data_sold_on_dark_web': {'status': 'Not yet listed '
'(as of '
'disclosure)',
'threat_actor_claim': 'DragonForce'},
'high_value_targets': ['Customer data (claimed)',
'Supply chain systems']},
'investigation_status': {'internal': 'Ongoing (accelerated infrastructure '
'upgrades)',
'law_enforcement': 'Ongoing (UK police investigating '
'potential links to other retail '
'attacks)'},
'motivation': ['Financial Gain', 'Extortion'],
'post_incident_analysis': {'corrective_actions': {'implemented': None,
'planned': ['Infrastructure '
'upgrades',
'Network '
'connectivity '
'improvements',
'Supply chain '
'system '
'enhancements']}},
'ransomware': {'data_encryption': {'details': None,
'status': 'Likely (given ransomware '
'attribution)'},
'data_exfiltration': {'details': None,
'status': 'Claimed (not yet published)'},
'ransomware_strain': 'DragonForce'},
'references': [{'date_accessed': '2024-05-29T00:00:00Z',
'source': 'Marks & Spencer (M&S) Statement to London Stock '
'Exchange'},
{'date_accessed': '2024-05-29T00:00:00Z',
'source': 'Reuters / Media Reports on UK Retail '
'Cyberattacks'}],
'response': {'communication_strategy': {'public_statements': ['London Stock '
'Exchange '
'filing '
'(Wednesday)',
'Customer '
'advisories '
'(data '
'compromise '
'warning)'],
'transparency': 'Partial (no '
'confirmation/denial '
'of ransom payment)'},
'containment_measures': ['Pausing online shopping',
'Manual logistics processes'],
'incident_response_plan_activated': True,
'law_enforcement_notified': {'details': None,
'status': 'UK police investigating '
'(as part of broader '
'retail cyberattacks)'},
'recovery_measures': {'planned': ['Restart and ramp up online '
'operations (June–July 2024)',
'Upgrade infrastructure and '
'network connectivity',
'Enhance store/colleague '
'technology',
'Improve supply chain systems'],
'status': 'Ongoing (accelerated investment '
'phase)'}},
'stakeholder_advisories': {'investors': 'Notified via London Stock Exchange '
'filing (profit impact disclosure)'},
'threat_actor': 'DragonForce (ransomware group)',
'title': 'Marks & Spencer (M&S) Cyberattack and Ransomware Incident (April '
'2024)',
'type': ['Cyberattack',
'Ransomware',
'Supply Chain Disruption',
'Data Breach (Potential)']}