Marks & Spencer

Marks & Spencer (M&S) experienced a ransomware attack in April, linked to the Scattered Spider hacking collective using DragonForce ransomware. The attack, which was highly sophisticated and involved social engineering through a third party, compromised the retailer's systems significantly. M&S had to shut down large parts of its systems to prevent further damage, heavily affecting areas such as online shopping. The attack was so severe that it was described as an attempt to destroy the business. The retailer is still in the process of securely bringing these systems back up.

Source: https://www.infosecurity-magazine.com/news/ms-chairman-declines-ransom-payment/

TPRM report: https://scoringcyber.rankiteo.com/company/marks-and-spencer

"id": "mar601070925",
"linkid": "marks-and-spencer",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Retail',
                        'location': 'UK',
                        'name': 'Marks & Spencer (M&S)',
                        'size': 'Large',
                        'type': 'Retailer'}],
 'attack_vector': ['Social Engineering', 'Compromised Credentials'],
 'date_detected': '2023-04-17',
 'date_publicly_disclosed': '2023-07-08',
 'description': 'Marks & Spencer (M&S) experienced a ransomware attack in '
                'April, linked to the Scattered Spider hacking collective '
                'using DragonForce ransomware infrastructure. The attack was '
                'sophisticated and involved social engineering through a third '
                'party, Tata Consultancy Services (TCS). M&S had to shut down '
                'large parts of its systems to prevent further damage, '
                'affecting online shopping and other areas.',
 'impact': {'downtime': 'Significant',
            'operational_impact': 'Business impairing',
            'systems_affected': 'Online shopping and other areas'},
 'initial_access_broker': {'entry_point': 'Compromised credentials from TCS'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Importance of system segmentation and mandatory reporting '
                    'of cyber incidents',
 'motivation': 'Ransom and extortion',
 'post_incident_analysis': {'corrective_actions': 'Rebuilding systems and '
                                                  'improving segmentation',
                            'root_causes': 'Compromised credentials and lack '
                                           'of system segmentation'},
 'ransomware': {'ransomware_strain': 'DragonForce'},
 'references': [{'date_accessed': '2023-07-08',
                 'source': 'UK Parliament hearing on July 8'}],
 'regulatory_compliance': {'regulatory_notifications': 'NCSC'},
 'response': {'communication_strategy': 'Media channels, including BBC',
              'containment_measures': 'Shutting down systems',
              'network_segmentation': 'Not heavily segmented',
              'recovery_measures': 'Bringing systems back up securely',
              'remediation_measures': 'Rebuilding systems',
              'third_party_assistance': 'Professional intermediaries'},
 'threat_actor': 'Scattered Spider (DragonForce)',
 'title': 'Ransomware Attack on Marks & Spencer (M&S)',
 'type': 'Ransomware',
 'vulnerability_exploited': 'Compromised credentials from a third party (TCS)'}