Marks and Spencer (M&S) suffered a **significant ransomware attack** over the Easter weekend, with repercussions lasting over two months. The attack **suspended all online orders** and **disabled contactless payments** in physical stores, severely disrupting operations. While customer data was accessed, M&S confirmed that **payment details and passwords remained secure**. However, the financial fallout was catastrophic—**£300 million was wiped from its market value**, marking it as the **most financially damaging cyber attack in UK retail history**. Recovery has been slow, with some online ordering and delivery services still unavailable weeks later. The attack not only crippled revenue streams but also eroded customer trust, risking long-term reputational harm. The incident aligns with a broader trend of retailers being targeted for their vast customer databases and critical payment infrastructure, amplifying operational and financial vulnerabilities.
Source: https://www.raconteur.net/technology/which-uk-retailers-have-been-hit-by-cyber-attacks-in-2025
TPRM report: https://www.rankiteo.com/company/marks-and-spencer
{
  "id": "mar5392253090725",
  "linkid": "marks-and-spencer",
  "type": "Ransomware",
  "date": "7/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': 'All online customers, in-store '
'contactless payment users',
'industry': 'Retail (Food, Clothing, Home)',
'location': 'UK',
'name': 'Marks and Spencer (M&S)',
'size': 'Large (300+ stores, ~70,000 employees)',
'type': 'Retailer'},
{'customers_affected': 'Members (names/contact '
'details), in-store shoppers '
'(empty shelves)',
'industry': 'Retail (Supermarkets, Funeralcare, Legal '
'Services)',
'location': 'UK',
'name': 'The Co-operative Group',
'size': 'Large (2,000+ stores, ~56,000 employees)',
'type': 'Member-owned Retailer'},
{'customers_affected': 'Minimal (no data breach)',
'industry': 'Retail (Luxury Goods)',
'location': 'London, UK',
'name': 'Harrods',
'size': 'Large (1 store, ~4,000 employees)',
'type': 'Luxury Department Store'},
{'customers_affected': 'Help desk contacts '
'(names/contact details)',
'industry': 'Sporting Goods/Retail',
'location': 'Global (UK operations affected)',
'name': 'Adidas',
'size': 'Large (~69,000 employees worldwide)',
'type': 'Multinational Corporation'},
{'customers_affected': 'In-store shoppers (payment '
'disruptions)',
'industry': 'Fashion/Retail',
'location': 'Global (UK stores affected)',
'name': 'H&M',
'size': 'Large (~155,000 employees worldwide)',
'type': 'Multinational Retailer'}],
'attack_vector': ['Third-party customer-service provider (Adidas)',
'Unauthorised access attempt (Harrods)',
'Ransomware (M&S, linked to DragonForce RaaS)',
'Potential exploitation of smart building systems/IoT '
'(speculative for H&M/Co-op)',
'Unguarded network sockets or physical access (theoretical, '
'per RICS)'],
'customer_advisories': ['Apologies and service updates (H&M, M&S, Co-op)',
'Data breach notifications (Adidas, Co-op)'],
'data_breach': {'data_exfiltration': ['Yes (Adidas, Co-op, M&S)',
'No evidence (Harrods)',
None],
'personally_identifiable_information': ['Yes (names, contact '
'details for '
'Adidas/Co-op)',
'Unspecified (M&S)'],
'sensitivity_of_data': ['Low (Adidas, Co-op: PII but no '
'financial data)',
None],
'type_of_data_compromised': ['Customer names/contact details '
'(Adidas, Co-op)',
'Customer information (M&S, no '
'specifics)',
None]},
'date_detected': ['2024-04-01 (M&S, Easter weekend)',
'2024-05-01 (Harrods)',
'2024-05-XX (Adidas)',
'2024-04-XX (Co-operative Group)',
'2024-06-XX (H&M, early June)'],
'date_publicly_disclosed': ['2024-04-XX (M&S, post-Easter)',
'2024-05-01 (Harrods)',
'2024-05-XX (Adidas)',
'2024-04-XX (Co-operative Group)',
'2024-06-XX (H&M, not officially confirmed as '
'cyber attack)'],
'date_resolved': ['2024-06-XX (M&S, partial recovery ongoing)',
'2024-06-XX (H&M, within 2 hours for most stores)'],
'description': 'A wave of cyber attacks targeted major UK retailers, '
'including Marks and Spencer (M&S), the Co-operative Group, '
'Harrods, Adidas, and H&M, between April and June 2024. The '
'attacks disrupted ecommerce, payments processing, and '
'in-store operations, with some incidents linked to the '
'DragonForce ransomware-as-a-service group. The financial and '
'reputational impacts were severe, with M&S alone losing £300m '
"in market value. Retailers' large organizational footprints "
'and customer data made them prime targets, exacerbated by '
'vulnerabilities in smart building systems and IoT devices.',
'impact': {'brand_reputation_impact': ['High (M&S, Co-op, H&M)',
'Moderate (Harrods, Adidas)'],
'customer_complaints': ['Likely (M&S, Co-op, H&M)', None],
'data_compromised': ['Customer names/contact details (Adidas, '
'Co-op)',
'Customer information (M&S, no payment '
'details/passwords)',
'None confirmed (Harrods, H&M)'],
'downtime': ['>2 months (partial recovery for M&S)',
'Minimal (Harrods)',
'2 hours (H&M, some locations)',
'Short-term (Co-op)',
None],
'financial_loss': ['£300m market value loss (M&S)',
'Up to £73m revenue loss per minute for payment '
'outages (industry estimate)',
None,
None,
None],
'identity_theft_risk': ['Low (Adidas, Co-op: names/contact details '
'only)',
None],
'operational_impact': ['Suspended online orders, no contactless '
'payments (M&S)',
'Empty shelves (Co-op)',
'In-store payment failures (H&M)',
'Internet access paused in stores (Harrods)',
'None (Adidas)'],
'payment_information_risk': ['None (all incidents)'],
'revenue_loss': ['Significant (M&S, Co-op, H&M during outage)',
None],
'systems_affected': ['Ecommerce, contactless payments (M&S)',
'Internal IT systems, internet access '
'(Harrods)',
'Payments systems (H&M, in-store)',
'IT systems (Co-op, leading to empty shelves)',
'Third-party customer service (Adidas)']},
'initial_access_broker': {'entry_point': ['Third-party vendor (Adidas)',
'Potential physical access '
'(unguarded sockets/IoT for others)',
None],
'high_value_targets': ['Customer databases (M&S, '
'Adidas, Co-op)',
'Payment systems (H&M, M&S)',
None]},
'investigation_status': ['Ongoing (M&S)',
'Completed (Adidas, Co-op, Harrods)',
'Unconfirmed (H&M)'],
'lessons_learned': 'Retailers must secure third-party vendors, smart building '
'systems, and IoT devices to reduce attack surfaces. Rapid '
'containment (e.g., Co-op’s IT shutdown) can mitigate '
'ransomware deployment. Public-facing disruptions (e.g., '
'payment outages) erode customer trust and revenue, '
'highlighting the need for resilient backup systems and '
'transparent communication.',
'motivation': ['Financial gain (ransomware, data theft)',
'Disruption (operational impact)',
'Data exfiltration (customer PII)'],
'post_incident_analysis': {'corrective_actions': ['Vendor security audits '
'(Adidas)',
'IT system segmentation '
'(Co-op, Harrods)',
'Offline payment fallback '
'(H&M, M&S)',
None],
'root_causes': ['Third-party vendor '
'vulnerabilities (Adidas)',
'Insecure IoT/building systems '
'(theoretical for Co-op/H&M)',
'RaaS proliferation (DragonForce '
'for M&S)',
'Lack of payment system redundancy '
'(H&M, M&S)']},
'ransomware': {'data_encryption': ['Likely (M&S)', None],
'data_exfiltration': ['Yes (M&S customer data)', None],
'ransom_demanded': ['Likely (M&S, linked to DragonForce)',
None],
'ransomware_strain': ['DragonForce (suspected for M&S)']},
'recommendations': ['Implement zero-trust architecture for third-party '
'access.',
'Audit and segment IoT/building management systems from '
'critical networks.',
'Develop playbooks for ransomware attacks, including '
'offline payment contingencies.',
'Enhance employee training on physical security (e.g., '
'unguarded network sockets).',
'Conduct regular red-team exercises simulating '
'supply-chain and RaaS attacks.'],
'references': [{'source': 'Dynatrace & FreedomPay Report'},
{'source': 'Royal Institution of Chartered Surveyors (RICS)',
'url': 'https://www.theguardian.com/technology/2024/may/XX/rics-cyber-attacks-smart-buildings'},
{'source': 'M&S Public Disclosure'},
{'source': 'Harrods Statement (1 May 2024)'},
{'source': 'Adidas Data Breach Notice (May 2024)'}],
'regulatory_compliance': {'regulations_violated': ['Potential GDPR (Adidas, '
'Co-op, M&S for PII '
'exposure)',
None],
'regulatory_notifications': ['Likely (ICO for '
'Adidas, Co-op, M&S)',
None]},
'response': {'communication_strategy': ['Public disclosures (all)',
'Customer apologies (H&M, M&S)',
None],
'containment_measures': ['Restricted internal IT systems, paused '
'internet access (Harrods)',
'Shut down parts of IT systems (Co-op)',
'Suspended online orders (M&S)',
None],
'incident_response_plan_activated': ['Yes (M&S, Harrods, Co-op)',
None],
'recovery_measures': ['Ongoing (M&S)',
'Quick recovery (H&M, Harrods)',
None],
'remediation_measures': ['Partial restoration of online services '
'(M&S)',
None],
'third_party_assistance': [None,
'Likely (M&S, Co-op for forensic '
'investigation)']},
'stakeholder_advisories': ['Market updates (M&S £300m loss)'],
'threat_actor': ['DragonForce (suspected for M&S and possibly others)'],
'title': 'Series of Cyber Attacks on UK Retailers (April–June 2024)',
'type': ['Ransomware (M&S)',
'Cyber Attack (Harrods, Co-op)',
'Data Breach (Adidas)',
'IT Outage (H&M, suspected cyber attack)'],
'vulnerability_exploited': ['Third-party vendor security (Adidas)',
'Smart building systems (IoT, access control, '
'CCTV, HVAC) (theoretical)']}