Marks & Spencer (M&S), a leading British retail giant, suffered a **ransomware attack** attributed to the hacking group *Scattered Spider* (Octo Tempest) using the *DragonForce* ransomware. The attack disrupted **online orders, contactless payments, click-and-collect services, and gift card processing**, forcing the company to halt all digital sales—a channel generating ~£3.8M in daily revenue. The incident caused **supply chain disruptions**, leading to empty shelves, shortages of key products (e.g., Percy Pigs sweets), and the furlough of 200 warehouse workers. Over **£700M was wiped from M&S’s market value**, with shares dropping 6.5%, while recruitment froze (200+ job listings removed). The attack also triggered a **Metropolitan Police investigation**, though M&S has not confirmed data breaches. Systems remained offline for over a week, with no recovery timeline provided. The **NCSC warned retailers to bolster cybersecurity**, highlighting the attack’s severe operational and financial fallout.
Source: https://www.aljazeera.com/news/2025/5/2/harrods-ms-hit-by-cyberattack-what-happened-whos-behind-it
TPRM report: https://www.rankiteo.com/company/marks-and-spencer
{
  "id": "mar824090225",
  "linkid": "marks-and-spencer",
  "type": "Ransomware",
  "date": "5/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'industry': 'Retail (Clothing, Food, Home Goods)',
'location': 'United Kingdom',
'name': 'Marks & Spencer (M&S)',
'size': 'Large (FTSE 250 company)',
'type': 'Retailer'},
{'industry': 'Luxury Retail',
'location': 'London, United Kingdom',
'name': 'Harrods',
'size': 'Large (Privately held)',
'type': 'Department Store'}],
'attack_vector': ['Phishing',
'SIM Swapping',
'Multi-Factor Authentication (MFA) Fatigue'],
'customer_advisories': 'M&S warned of service disruptions; Harrods assured '
'normal operations',
'data_breach': {'data_encryption': 'Yes (DragonForce ransomware encrypted '
'files)'},
'date_detected': '2024-04-21',
'date_publicly_disclosed': '2024-04-21',
'description': 'British retail giants Marks & Spencer (M&S) and Harrods were '
'targeted in a cyberattack linked to the hacking group '
"Scattered Spider (Octo Tempest). The attack disrupted M&S's "
'online orders, contactless payments, click-and-collect '
'services, and supply chain operations, leading to empty '
'shelves, paused recruitment, and significant financial '
'losses. Harrods confirmed a cyberattack but stated operations '
"remained normal. The UK's Metropolitan Police and National "
'Cyber Security Centre (NCSC) are investigating. The attack is '
'suspected to involve the DragonForce ransomware strain, '
'deployed via phishing, SIM swapping, and MFA fatigue '
'techniques.',
'impact': {'brand_reputation_impact': 'Significant (6.5% share price drop; '
'publicized operational failures)',
'customer_complaints': 'Reported issues with payments, gift cards, '
'and returns',
'downtime': {'contactless_payments': 'Disrupted since 2024-04-21',
'online_orders': 'Ongoing since 2024-04-25 (as of '
'2024-05-02)',
'warehouse_operations': 'Partial shutdown (200 agency '
'workers sent home)'},
'financial_loss': '£700 million (M&S market value wiped; ~£3.8M '
'daily revenue loss from halted online sales)',
'operational_impact': ['Empty shelves in stores (e.g., Percy Pigs '
'sweets shortage)',
'Limited food availability',
'Paused recruitment (200+ job listings '
'removed)',
'Supply chain disruptions'],
'payment_information_risk': 'Potential (contactless payment '
'systems disrupted)',
'revenue_loss': '£3.8M/day (online sales halted; ~1/3 of '
'clothing/home revenue)',
'systems_affected': ['Online order processing',
'Contactless payments',
'Click-and-collect services',
'Warehouse logistics (Castle Donington)',
'Gift card/return processing',
'Job application portal']},
'initial_access_broker': {'entry_point': ['Phishing',
'SIM Swapping',
'MFA Fatigue'],
'high_value_targets': ['Payment systems',
'Warehouse logistics',
'Job application portal']},
'investigation_status': 'Ongoing (Metropolitan Police and NCSC investigating '
'as of 2024-04-30)',
'motivation': 'Financial Gain (Ransomware)',
'post_incident_analysis': {'root_causes': ['Phishing vulnerabilities',
'MFA fatigue exploits',
'Lack of segmentation '
'(warehouse/retail systems '
'impacted)']},
'ransomware': {'data_encryption': 'Yes', 'ransomware_strain': 'DragonForce'},
'recommendations': ['Retailers urged to enhance cybersecurity (NCSC advisory)',
'Consumers advised to monitor bank activity and update '
'passwords',
'Multi-Factor Authentication (MFA) hardening recommended'],
'references': [{'source': 'Al Jazeera'},
{'source': 'The Guardian (Secureworks interview)'},
{'source': 'UK National Cyber Security Centre (NCSC)'}],
'regulatory_compliance': {'regulatory_notifications': 'NCSC advised retailers '
'to tighten '
'cybersecurity; '
'consumers urged to '
'check bank activity'},
'response': {'communication_strategy': ['Initial public disclosure '
'(2024-04-21)',
'Limited updates (last statement on '
'2024-04-25)',
'Harrods assured customers of normal '
'operations'],
'containment_measures': ['Online orders suspended',
'Job listings removed',
'Affected systems isolated'],
'incident_response_plan_activated': 'Yes (Systems taken offline '
'as precaution)',
'law_enforcement_notified': 'Yes (Metropolitan Police and NCSC '
'investigating)',
'third_party_assistance': 'Yes (Cybersecurity experts engaged by '
'Harrods)'},
'stakeholder_advisories': 'NCSC urged retailers to tighten cybersecurity; no '
'specific advisories from M&S/Harrods',
'threat_actor': 'Scattered Spider (Octo Tempest)',
'title': 'Ransomware Attack on Marks & Spencer and Harrods by Scattered '
'Spider',
'type': ['Ransomware', 'Cyberattack']}