Marks & Spencer (M&S) suffered a **sophisticated ransomware attack** on **17 April**, detected two days later, forcing its **online store to shut down for nearly seven weeks**. The attack, linked to **DragonForce ransomware specialists** and the hacking group **Scattered Spider**, targeted M&S’s **key online clothing distribution center in Castle Donington**, which remained offline during recovery. The retailer described the incident as **‘traumatic’**, likening it to an **‘out-of-body experience’**, with **gross lost profits estimated at £300 million** (partially offset by a £100m+ insurance claim). The attack involved **impersonation and a third-party contractor**, bypassing M&S’s **£100m+ cybersecurity investments** and **80-person prevention team**. While M&S reported the breach to the **NCSC, FBI, NCA, and Met Police**, it refused to confirm ransom payments, stating the **‘damage was already done’**. The company was still in **‘rebuild mode’** months later, with full online operations expected to resume by the end of the month.
Source: https://www.theguardian.com/business/2025/jul/08/m-and-s-boss-cyber-attacks-archie-norman
TPRM report: https://www.rankiteo.com/company/marks-and-spencer
{
  "id": "mar2902029102225",
  "linkid": "marks-and-spencer",
  "type": "Ransomware",
  "date": "4/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'industry': 'retail (clothing, food, home goods)',
'location': 'United Kingdom',
'name': 'Marks & Spencer (M&S)',
'size': 'large (FTSE 100 company)',
'type': 'retailer'}],
'attack_vector': ['impersonation',
'third-party contractor compromise',
'sophisticated intrusion'],
'data_breach': {'data_encryption': ['ransomware encryption of systems']},
'date_detected': '2024-04-19',
'description': 'A sophisticated ransomware attack on Marks & Spencer (M&S) '
'forced the closure of its online store for nearly seven '
'weeks. The attack, attributed to the DragonForce ransomware '
'group and linked to the Scattered Spider hacking collective, '
'involved impersonation and a third-party contractor. M&S '
"reported the incident to the UK's National Cyber Security "
'Centre (NCSC) and collaborated with law enforcement, '
'including the FBI, National Crime Agency, and Metropolitan '
"Police. The attack disrupted operations at M&S's key online "
'clothing distribution center in Castle Donington, '
'Leicestershire, causing significant financial and operational '
'impact. M&S had invested heavily in cybersecurity prior to '
'the attack but acknowledged the difficulty of preventing '
'determined threat actors in large organizations with many '
'workers and contractors.',
'impact': {'brand_reputation_impact': ['significant (described as '
"'traumatic')",
'public disclosure of vulnerabilities'],
'downtime': '~7 weeks (online store closure)',
'financial_loss': '£300m in gross lost profits (estimated)',
'operational_impact': ["trauma described as 'out of body "
"experience'",
'rebuild mode ongoing',
'distribution center still offline as of '
'disclosure',
'reliance on pen-and-paper processes'],
'revenue_loss': '£300m in gross lost profits (estimated)',
'systems_affected': ['online store (closed for ~7 weeks)',
'online clothing distribution center (Castle '
'Donington, Leicestershire)']},
'initial_access_broker': {'entry_point': ['third-party contractor',
'impersonation'],
'high_value_targets': ['online clothing '
'distribution center (Castle '
'Donington)']},
'investigation_status': "ongoing (as of disclosure; M&S in 'rebuild mode')",
'lessons_learned': ['Even significant cybersecurity investments (hundreds of '
'millions) may not prevent determined attacks in large '
'organizations.',
'Third-party contractors can be a critical vulnerability.',
"Rapid detection (e.g., Co-op's hours vs. M&S's days) "
'mitigates impact.',
"Segregated 'break glass' systems (Co-op's approach) are "
'more sustainable than pen-and-paper fallbacks.',
'Mandatory reporting of major cyber-attacks (beyond '
'personal data breaches) could improve collective '
'defense.'],
'motivation': ['financial gain (ransom demand)', 'disruption'],
'post_incident_analysis': {'corrective_actions': ['Ongoing system rebuild',
'Collaboration with law '
'enforcement (FBI, NCA, Met '
'Police)',
'Review of third-party '
'access controls',
'Potential advocacy for '
'mandatory attack reporting '
'(NCSC)'],
'root_causes': ['Sophisticated impersonation and '
'third-party compromise',
'Determined threat actor '
'exploiting complex organizational '
'structure',
'Potential delays in detection '
'(attack began 17 April, detected '
'19 April)']},
'ransomware': {'data_encryption': True,
'ransom_demanded': ["unspecified (referred to as 'very large "
"sum' by MP David Davis for an unnamed "
'company)',
'M&S declined to comment'],
'ransom_paid': ["M&S: no confirmation (stated 'not discussing "
"details')",
'unnamed UK company: paid (per MP David '
'Davis)'],
'ransomware_strain': ['DragonForce']},
'recommendations': ['Mandate reporting of major cyber-attacks to NCSC (per '
'Archie Norman).',
'Invest in detection systems for faster response (e.g., '
"Co-op's hours-long detection).",
'Develop segregated backup systems for critical processes '
"(Co-op's 'break glass' approach).",
'Enhance third-party risk management (given impersonation '
'via contractor).',
'Evaluate cyber insurance coverage (Co-op chose detection '
'over insurance; M&S relying on >£100m claim).'],
'references': [{'source': 'The Guardian',
'url': 'https://www.theguardian.com/business/2024/jun/11/marks-spencer-cyber-attack-online-store-archie-norman'},
{'source': 'UK Parliament Business and Trade Subcommittee on '
'Economic Security, Arms and Export Controls'}],
'regulatory_compliance': {'regulatory_notifications': ['reported to NCSC',
'mandatory reporting '
'of personal data '
'breaches to ICO '
'within 72 hours '
'(general '
'requirement)']},
'response': {'communication_strategy': ['transparency with MPs during '
'subcommittee hearing',
'no public disclosure of ransom '
'interactions'],
'containment_measures': ['isolation of affected systems',
'shutdown of online store',
'reliance on pen-and-paper processes'],
'enhanced_monitoring': ['invested hundreds of millions in '
'cybersecurity pre-attack',
'expanded prevention team to 80 staff'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'recovery_measures': ['expected full online operations by end of '
'month (post-attack)',
'insurance claim of >£100m'],
'remediation_measures': ['ongoing rebuild of systems',
'collaboration with law enforcement'],
'third_party_assistance': ['National Cyber Security Centre '
'(NCSC)',
'FBI',
'National Crime Agency',
'Metropolitan Police',
'ransomware specialists '
'(unspecified)']},
'stakeholder_advisories': ['Advice to businesses: prepare to operate on '
'pen-and-paper (M&S) or segregated backup systems '
'(Co-op).'],
'threat_actor': ['DragonForce (ransomware group)',
'Scattered Spider (hacking collective)'],
'title': 'Ransomware Attack on Marks & Spencer (M&S)',
'type': ['ransomware', 'cyberattack', 'data breach']}