Marks & Spencer (M&S)

Marks & Spencer (M&S) suffered a severe cyber-attack linked to the hacking collective *Scattered Spider*, causing widespread operational disruption. The attack forced the shutdown of its online shop for nearly a week, halting all customer orders and resulting in a **£650 million drop in stock market value**. Critical systems were compromised, including automated stock management, leading to **product shortages on shelves** and disruption to its **loyalty scheme and gift card payments**. The company also **paused all hiring**, removing over 200 job listings from its website because its recruitment systems were compromised. While stores remained open, the incident severely affected revenue, supply-chain efficiency and customer trust. The National Cyber Security Centre (NCSC) and the Metropolitan Police are investigating, amid concerns that the attack could exploit vulnerabilities in **SAP systems** shared by other retailers, potentially enabling further breaches across the sector.

Source: https://www.theguardian.com/business/2025/may/01/harrods-latest-retailer-hit-cyber-attack-website-shops

TPRM report: https://www.rankiteo.com/company/marks-and-spencer

{
"id": "mar843090225",
"linkid": "marks-and-spencer",
"type": "Cyber Attack",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': 'None suspected (per Harrods '
                                              'statement)',
                        'industry': 'Retail',
                        'location': 'UK (Knightsbridge flagship, H beauty, '
                                    'airport outlets)',
                        'name': 'Harrods',
                        'type': 'Luxury Department Store'},
                       {'customers_affected': 'Potential disruption to loyalty '
                                              'scheme and gift card users; no '
                                              'confirmed data breach',
                        'industry': 'Retail',
                        'location': 'UK',
                        'name': 'Marks & Spencer (M&S)',
                        'size': '~65,000 employees',
                        'type': 'Retailer'},
                       {'customers_affected': 'None reported',
                        'industry': 'Retail',
                        'location': 'UK',
                        'name': 'Co-op',
                        'type': 'Retailer'}],
 'customer_advisories': ['Harrods: no action required per statement; '
                         'M&S/Co-op: no public customer advisories'],
 'data_breach': {'personally_identifiable_information': ['M&S: no '
                                                         'confirmation; WH '
                                                         'Smith precedent '
                                                         '(employee data '
                                                         'breached in 2023) '
                                                         'mentioned as '
                                                         'context'],
                 'type_of_data_compromised': ['Unconfirmed; potential internal '
                                              'system data (M&S/Co-op)',
                                              'Harrods: no evidence of data '
                                              'access']},
 'date_detected': 'Early in the week (exact date unspecified, likely late '
                  'April/early May 2024 based on context)',
 'date_publicly_disclosed': '2024-05-02 (Harrods statement; M&S and Co-op '
                            'incidents disclosed earlier in the week)',
 'description': 'Harrods, Marks & Spencer (M&S), and Co-op were targeted in '
                'separate but potentially linked cyber-attacks. Harrods shut '
                'down some systems but continued operations in stores and '
                'online. M&S suffered significant disruptions, including a '
                '£650m drop in stock market value, halted online orders, gaps '
                'in store shelves, and paused hiring due to compromised '
                'recruitment systems. Co-op also shut down some internal '
                'systems and warned staff about online conferencing security. '
                'The attacks may exploit vulnerabilities in shared systems '
                'like SAP. The National Cyber Security Centre (NCSC) and law '
                'enforcement are investigating potential links between the '
                'incidents.',
 'impact': {'brand_reputation_impact': ['Potential reputational damage for all '
                                        'three retailers, especially M&S due '
                                        'to prolonged disruptions'],
            'data_compromised': ['Unconfirmed for Harrods; M&S and Co-op: '
                                 'potential internal system data (no '
                                 'confirmation of customer data breach)'],
            'downtime': ['Harrods: partial (internet access restricted, some '
                         'systems down)',
                         'M&S: online shop down for ~1 week, ongoing '
                         'disruptions',
                         'Co-op: partial (internal systems)'],
            'financial_loss': ['£650m wiped from M&S stock market value', None],
            'operational_impact': ['Harrods: minimal (stores and website '
                                   'operational)',
                                   'M&S: severe (shelf gaps, hiring freeze, '
                                   '200+ job postings removed)',
                                   'Co-op: moderate (internal disruptions, '
                                   'staff warnings)'],
            'payment_information_risk': ['M&S: gift card payment disruptions '
                                         '(no confirmation of theft)'],
            'revenue_loss': ['M&S: significant (£650m market cap loss)', None],
            'systems_affected': ['Harrods: restricted internet access at '
                                 'sites, some systems shut down',
                                 'M&S: online orders halted (~1 week), '
                                 'automated stock systems, loyalty scheme, '
                                 'gift card payments, recruitment systems (job '
                                 'postings paused)',
                                 'Co-op: internal systems shut down, online '
                                 'conferencing security warnings']},
 'initial_access_broker': {'high_value_targets': ['Potential SAP systems '
                                                  '(shared by M&S and Co-op)']},
 'investigation_status': 'Ongoing (NCSC, Metropolitan Police, NCA involved)',
 'recommendations': ['NCSC urges organizations to implement preventive '
                     'measures and robust incident response/recovery plans',
                     'Retailers using SAP systems advised to review security '
                     'postures'],
 'references': [{'date_accessed': '2024-05-02',
                 'source': 'The Guardian',
                 'url': 'https://www.theguardian.com/business/2024/may/02/harrods-hit-by-cyber-attack-days-after-marks-spencer-and-co-op'},
                {'source': 'Sky News'}],
 'regulatory_compliance': {'regulatory_notifications': ['NCSC engaged with M&S '
                                                        'and Co-op']},
 'response': {'communication_strategy': ['Harrods: public statement (no '
                                         'customer action required)',
                                         "M&S: updates on job site ('working "
                                         "hard to be back online')",
                                         'Co-op: internal staff warnings'],
              'containment_measures': ['Harrods: restricted internet access, '
                                       'shut down some systems',
                                       'M&S: halted online orders, paused '
                                       'hiring/recruitment systems',
                                       'Co-op: shut down internal systems, '
                                       'staff warnings for online '
                                       'conferencing'],
              'incident_response_plan_activated': ['Yes (all three retailers)'],
              'law_enforcement_notified': ['Yes (Metropolitan Police and NCA '
                                           'for M&S)'],
              'recovery_measures': ['M&S: working to restore online shop and '
                                    'recruitment systems'],
              'third_party_assistance': ['NCSC (assisting M&S and Co-op)',
                                         'National Crime Agency (NCA) and '
                                         'Metropolitan Police Cybercrime Unit '
                                         '(M&S investigation)']},
 'stakeholder_advisories': ['NCSC warns retailers to bolster defenses; no '
                            'specific stakeholder advisories detailed'],
 'threat_actor': ['Scattered Spider (linked to M&S attack)',
                  'Unidentified actors for Harrods and Co-op'],
 'title': 'Cyber-Attack on Harrods, Marks & Spencer (M&S), and Co-op',
 'type': ['Unauthorized Access Attempt',
          'Cyber-Attack',
          'Potential Data Breach (unconfirmed for Harrods)',
          'System Disruption'],
 'vulnerability_exploited': ['Potential SAP system vulnerabilities (shared by '
                             'M&S and Co-op)']}