Marks & Spencer (M&S), a major British retailer, suffered a **cyberattack attributed to the Scattered Spider hacking group**, resulting in **widespread outages across its physical stores and online platform**. The attack disrupted core business operations, leading to **significant revenue loss** due to downtime in both in-store and digital sales channels. The incident also triggered a **7% drop in M&S’s share price**, translating to millions in financial losses from lost transactions, operational halts, and reputational damage. The attack leveraged **ransomware tactics**, holding the retailer’s systems hostage and directly impacting customer-facing services—a critical vulnerability for businesses reliant on continuous revenue streams. Security experts highlight the **high cost of operational downtime in retail**, amplifying the attackers’ leverage for extortion. While the full scope of data compromise remains undisclosed, the disruption underscores the **severe financial and reputational risks** posed by targeted cyber incidents in the sector. The NCSC and cybersecurity leaders have warned that such attacks are increasingly sophisticated, exploiting AI-driven social engineering to breach networks, with retailers being prime targets due to their vast customer data repositories.
TPRM report: https://www.rankiteo.com/company/marks-and-spencer
"id": "mar855090225",
"linkid": "marks-and-spencer",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Retail',
'location': 'United Kingdom',
'name': 'Harrods',
'type': 'Luxury Department Store'},
{'industry': 'Retail',
'location': 'United Kingdom',
'name': 'Marks & Spencer (M&S)',
'type': 'Retailer'},
{'industry': 'Retail',
'location': 'United Kingdom',
'name': 'Co-Op',
'type': 'Supermarket Chain'}],
'attack_vector': ['Social Engineering',
'Unauthorized System Access',
'Potential Ransomware'],
'customer_advisories': ['Update passwords and monitor financial activity for '
'signs of fraud.',
'Watch for scams exploiting recent breaches.'],
'description': 'Three major British retailers—Harrods, Marks & Spencer (M&S), '
'and Co-Op—have been hit by cyberattacks in quick succession. '
'The M&S incident is allegedly linked to the ScatteredSpider '
'ransomware group, causing widespread outages in stores and '
'online platforms. Harrods restricted internet access at its '
'sites following an attempt to gain unauthorized access, while '
'Co-Op took down parts of its IT systems proactively. The '
'attacks highlight the vulnerability of the retail sector, '
'with high downtime costs and potential revenue losses (e.g., '
"M&S's share price dropped 7%, resulting in millions in lost "
'sales). Security experts warn of rising threats due to '
'AI-enabled social engineering and adaptive malware, urging '
'retailers to implement robust incident response plans, '
'endpoint protection, and staff training.',
'impact': {'brand_reputation_impact': 'Potential long-term damage due to '
'public disclosure and operational '
'disruption',
'downtime': 'Widespread outages (M&S, Co-Op); internet access '
'restricted (Harrods)',
'financial_loss': 'Millions (e.g., M&S share price dropped 7%)',
'operational_impact': 'High (retail operations disrupted, revenue '
'generation affected)',
'revenue_loss': 'Significant (millions in lost sales for M&S)',
'systems_affected': ['Store Systems',
'Online Platforms',
'IT Infrastructure']},
'initial_access_broker': {'high_value_targets': ['Customer data',
'Operational systems']},
'investigation_status': 'Ongoing (no official link confirmed between '
'incidents; more details may emerge)',
'lessons_learned': ['Retailers must assume they are targets and prepare '
'accordingly.',
'AI tools are accelerating the threat landscape, enabling '
'low-skilled attackers to launch sophisticated campaigns '
'(e.g., social engineering).',
'High downtime costs and customer data volumes make '
'retail a prime target.',
'Proactive measures (e.g., endpoint detection, staff '
'training, MFA) are critical.'],
'motivation': ['Financial Gain', 'Disruption of Operations'],
'post_incident_analysis': {'corrective_actions': ['Enhance endpoint '
'protection and detection '
'capabilities.',
'Implement MFA and staff '
'training programs.',
'Develop and test incident '
'response plans regularly.',
'Segment networks to limit '
'lateral movement by '
'attackers.'],
'root_causes': ['Potential exploitation of human '
'vulnerabilities (e.g., social '
'engineering).',
'Lack of robust endpoint '
'protection or detection tools in '
'some cases.',
'High-value target sector (retail) '
'with critical operational '
'dependencies.']},
'ransomware': {'ransomware_strain': ['ScatteredSpider (alleged for M&S)']},
'recommendations': ['Deploy endpoint protection and detection tools (e.g., '
'EDR).',
'Implement multi-factor authentication (MFA) for '
'administrative access.',
'Develop and rehearse incident response plans with clear '
'communication protocols.',
'Train staff to recognize phishing and social engineering '
'attacks.',
'Monitor financial activity and update passwords (for '
'consumers).',
'Assume breaches will occur and prepare for rapid '
'response and recovery.'],
'references': [{'source': 'TechRadar Pro'},
{'source': 'SonicWall (Spencer Starkey, Executive VP of EMEA)'},
{'source': 'National Cyber Security Centre (NCSC) - Dr. '
'Richard Horne'},
{'source': 'Ex-NSA Cyber Chief - Cody Barrow'}],
'response': {'containment_measures': ['Restricted internet access (Harrods)',
'IT systems taken down (Co-Op)'],
'enhanced_monitoring': ['Security teams advised to deploy '
'endpoint protection software']},
'stakeholder_advisories': ["Security teams urged to be 'ultra vigilant.'",
"NCSC warns attacks should serve as a 'wake-up "
"call' for all organizations.",
'Experts recommend presuming targeting is '
'inevitable and preparing accordingly.'],
'threat_actor': ['ScatteredSpider (alleged for M&S)'],
'title': 'Cyberattacks on British Retailers: Harrods, Marks & Spencer, and '
'Co-Op Targeted in Suspected Ransomware Campaign',
'type': ['Cyberattack', 'Suspected Ransomware']}