Marks & Spencer has endured the most expensive cyberattack in UK corporate history, losing nearly half of its pre-tax profits in the first half of 2025. The retail giant’s statutory pre-tax profits plunged dramatically, sending shockwaves through the UK retail sector. The attack not only disrupted online sales but also affected in-store operations, creating a historic moment of cyber disruption in British retail. Widely described as the costliest cyberattack in UK history, the 2025 incident halted M&S’s online retail for months and significantly dented profits.
How the Cyberattack Unfolded
The cyberattack struck around Easter 2025, targeting M&S’s online platforms and supply chain systems. Online orders were paused for several weeks, while click-and-collect services remained suspended for months. The disruption affected online fashion, home, and food orders and caused some logistical challenges in stores. Recovery was gradual: partial home delivery services resumed during the summer, click-and-collect restarted later in the year, and the company aimed to normalize full online operations by the end of the financial year.
Financial Fallout: Profits Nearly Halved
The financial impact of the attack was severe. M&S lost hundreds of millions in sales, and only a portion of that loss was recovered through insurance. The net effect on underlying profits was significant, with overall profits falling by nearly half. While statutory pre-tax profits dropped drastically, underlying profits, after adjusting for unusual costs, remained somewhat more resilient. The fashion division bore the brunt of the attack, experiencing a notable sales drop, particularly in online fashion, while food sales showed a modest increase, providing some relief. Competitors such as Next benefited from M&S’s downtime, gaining customers during the disruption period.
Role of Scattered Spider & Ransomware
Investigations revealed that the attack involved sophisticated ransomware deployed by the hacking coalition known as DragonForce Cartel. The specific tool used is believed to be tied to Scattered Spider, a hacking group composed largely of teenagers and young adults. This group had previously targeted Co-op and attempted a hack on Harrods. The attack relied on social engineering through M&S’s third-party provider, tricking employees into revealing login credentials. The criminals attempted direct extortion, contacting M&S CEO Stuart Machin via email. Key systems impacted included warehouse management, online ordering, and logistics platforms. While customer names, email addresses, postal addresses, dates of birth, and order histories were compromised, no payment information was stolen.
Impact on Customers and Supply Chains
The attack had significant ripple effects beyond M&S itself. UK retailers were reminded of their vulnerability to cybercrime, and rival retailers captured customers during M&S’s outage. Suppliers had to adjust operations, with some reverting to manual processes to maintain deliveries. The National Cyber Security Centre (NCSC) issued warnings about the increasing risk of AI-driven social engineering attacks and the need for heightened cybersecurity vigilance. M&S advised customers to reset passwords and remain alert to phishing attempts, aiming to preserve trust amid the crisis.
Recovery and Future Outlook
Despite the unprecedented disruption, M&S expressed cautious optimism about its recovery. CEO Stuart Machin stated, “The first half of this year was an extraordinary moment in time,” while analysts highlighted the disruption as a one-off event, with normal trading expected to resume. Food sales and homeware segments have shown resilience, though fashion is slower to recover. M&S aims to restore full-year profits to pre-attack levels, with expectations of a profitable Christmas season. Analysts suggest that while immediate financial performance may rebound, long-term impacts on customer loyalty could linger.
Lessons for Retail Cybersecurity
The Marks & Spencer cyberattack underscores the growing threat of ransomware and social engineering attacks to UK businesses. The scale and sophistication of the breach demonstrate the importance of robust cybersecurity measures, including staff training, third-party risk management, and rapid incident response protocols. Retailers are being urged to review their cybersecurity frameworks, given the increasing frequency of attacks targeting operational and customer data. For M&S, the 2025 cyberattack will serve as a cautionary tale, emphasizing that even established brands are not immune to digital threats.