Cyber Attack: The M&S Story

Inside the Marks & Spencer Cyberattack: How It Happened, What Went Wrong, and How It Could Have Been Stopped

In April 2025, Marks & Spencer — one of the UK’s best-known high street retailers — found itself facing something far more damaging than an underwhelming quarter or a late delivery from its supply chain. A serious cyberattack had taken hold of its digital infrastructure, crippling systems and leaving customers and staff in the dark.

This wasn’t a case of a lone hacker operating from a bedroom. The attack was coordinated, targeted, and sophisticated. The group responsible, known as Scattered Spider, is believed to have infiltrated the company’s systems through a third-party vendor, exploiting one of the most common and effective weaknesses in modern enterprise IT: supply chain trust.

By the time the breach was noticed, attackers had already moved laterally through M&S’s internal network, deploying ransomware that brought down online ordering systems, interfered with payment terminals, and exposed customer data including names, addresses, and purchase histories.

What Actually Happened

Marks & Spencer confirmed in late April that it had suffered a “cybersecurity incident” but provided limited detail at the time. According to independent technical analysis and reports published by Specops and TechMonitor, the attack started with credential theft. A vendor with backend access was compromised, likely through a phishing attack, giving the threat actors legitimate credentials.

Using these, the attackers bypassed perimeter security and made their way into M&S’s network. Once inside, they escalated privileges, exploited Active Directory weaknesses, and quietly mapped out the digital landscape before striking.

On the day the ransomware was triggered, services fell rapidly. Online orders failed to process. Some in-store tills were taken offline. Customer support systems became unresponsive. Within hours, the retail giant had to notify customers of the breach and suspend core services to limit further damage.

The Financial and Operational Fallout

The timing of the attack could not have been worse. M&S was in the midst of rolling out seasonal campaigns and managing high online traffic. Analysts estimate that the business lost upwards of £60 million in profits during the first fortnight alone, with over £1 billion wiped off its market valuation. In addition to the financial blow, customers were left frustrated — not just by the disruption but by concerns over how their personal information might be used or sold online.

The reputational impact could prove longer-lasting than the financial hit. Trust, once broken, is hard to rebuild — particularly when it comes to how companies handle sensitive data.

What Could Have Prevented It?

Security experts point to a series of oversights that left M&S vulnerable — none of which were particularly novel or advanced. They included:

1 – Weak Third-Party Controls: The vendor involved appeared to have broad, unsupervised access. A least-privilege access model could have limited the blast radius.

2 – Lack of Multi-Factor Authentication: MFA, while not a silver bullet, would have made it harder to use stolen credentials alone to gain access.

3 – Poor Internal Segmentation: Once the attackers breached the initial entry point, they moved laterally without significant friction. Better network segmentation and tighter access policies might have slowed them down or raised red flags earlier.

4 – Outdated Active Directory Policies: The attackers reportedly exploited common misconfigurations in M&S’s Active Directory, an area that is often overlooked in routine audits.

5 – Limited Anomaly Detection: While M&S had cybersecurity tools in place, it’s unclear whether they had behavioural analytics capable of spotting unusual login patterns or data exfiltration in real time.
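To show the kind of behavioural check points 3 and 5 describe, here is an added example (written for this discussion, not code from M&S or any of the cited reports; every account, address and host in it is constructed). It learns each account's normal source addresses and login hours from a known-good period, then flags a third-party account that appears from a new address, outside its usual hours, and fans out across several internal hosts within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical; not M&S data). Each event is
# (timestamp, account, source address, destination host) for a successful login.
HISTORY = [  # known-good period used to learn each account's normal behaviour
    ("2025-04-14T09:02:00", "vendor-svc", "10.20.1.5", "app01"),
    ("2025-04-15T10:40:00", "vendor-svc", "10.20.1.5", "app01"),
    ("2025-04-16T14:15:00", "vendor-svc", "10.20.1.5", "app02"),
    ("2025-04-14T09:05:00", "alice", "10.20.3.7", "mail01"),
]
LIVE = [  # the day under investigation: vendor account fanning out at 2 a.m.
    ("2025-04-19T09:00:00", "alice", "10.20.3.7", "mail01"),
    ("2025-04-19T02:11:00", "vendor-svc", "203.0.113.9", "app01"),
    ("2025-04-19T02:14:00", "vendor-svc", "203.0.113.9", "dc01"),
    ("2025-04-19T02:16:00", "vendor-svc", "203.0.113.9", "file02"),
    ("2025-04-19T02:19:00", "vendor-svc", "203.0.113.9", "pos-gw"),
]
SPREAD_WINDOW = timedelta(minutes=30)  # lookback for host fan-out
SPREAD_LIMIT = 3                       # distinct hosts in the window before alerting

def build_baseline(history):
    """Per account: source addresses and hours of day seen in known-good history."""
    base = defaultdict(lambda: {"sources": set(), "hours": set()})
    for ts, acct, src, _dst in history:
        base[acct]["sources"].add(src)
        base[acct]["hours"].add(datetime.fromisoformat(ts).hour)
    return base

def detect_anomalies(baseline, events):
    """Return deduplicated (account, reason, detail) alerts for baseline breaks and host fan-out."""
    alerts, seen = [], set()
    recent = defaultdict(list)  # account -> [(time, host)] inside the window
    def alert(acct, reason, detail):  # one alert per distinct finding
        if (acct, reason, str(detail)) not in seen:
            seen.add((acct, reason, str(detail)))
            alerts.append((acct, reason, detail))
    for ts, acct, src, dst in sorted(events):  # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        prof = baseline[acct]  # unseen accounts get an empty profile: everything flags
        if src not in prof["sources"]:
            alert(acct, "new-source", src)
        if t.hour not in prof["hours"]:
            alert(acct, "off-hours", t.hour)
        recent[acct] = [(x, h) for x, h in recent[acct] if t - x <= SPREAD_WINDOW]
        before = {h for _, h in recent[acct]}  # hosts reached inside the window
        recent[acct].append((t, dst))
        if len(before) < SPREAD_LIMIT <= len(before | {dst}):  # lateral fan-out
            alert(acct, "host-spread", sorted(before | {dst}))
    return alerts
```

Replaying the known-good history through the detector produces no alerts, while the live day yields three findings against the vendor account and none against the ordinary user.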

Lessons for the Wider Industry

This breach wasn’t about advanced zero-day exploits or custom malware. It was about discipline, visibility, and the ability to detect suspicious behaviour early. In many ways, it resembled past attacks on BA and TalkTalk — high-profile examples that still didn’t lead to lasting change across the sector.

If anything, this incident highlights how fragile modern business systems can be when convenience outweighs caution. Too often, security controls are bolted on rather than built in.

Organisations of all sizes — not just retail giants — need to re-evaluate how they manage third-party access, review their internal access policies, and train employees to spot early signs of compromise. Cybersecurity is not a job for the IT department alone; it’s a business-wide discipline.

The Road Ahead for M&S

Marks & Spencer is now facing a lengthy recovery. Public trust must be rebuilt, systems hardened, and processes overhauled. Insiders have suggested the company is accelerating a multi-year security modernisation programme, with support from external cybersecurity firms.

While the company has not confirmed whether a ransom was paid, the recovery bill — including legal fees, compensation packages, and system rebuilds — is expected to exceed £100 million.

Final Thought

The M&S cyberattack is not a standalone story. It’s a symptom of wider complacency and an overreliance on legacy systems in an increasingly hostile digital world. No organisation is immune — but many can do more to prepare.

For tailored advice on hardening your own digital infrastructure, or for help developing a security strategy built around modern threats, visit ITogether or call +44 (0)113 341 0123.

References

BBC News – Marks and Spencer suffers cyber attack disrupting online orders
https://www.bbc.com/news/articles/cpw72pxrgdzo
This BBC article provides the official confirmation of the breach, details on service disruption, and statements from M&S.

BBC News – Marks & Spencer cyber attack: What we know so far
https://www.bbc.com/news/articles/cpqe213vw3po
Includes details of the operational impact, affected customer data, and early reporting of the incident’s scope.

Tech Monitor – Marks & Spencer cyberattack: Third-party access exploited by hackers
https://techmonitor.ai/technology/cybersecurity/marks-spencer-cyberattack-third-party-access
A technical breakdown of how attackers used supply chain access and credential theft.

Specops Software – Marks & Spencer ransomware attack highlights Active Directory risks
https://specopssoft.com/blog/marks-spencer-ransomware-active-directory
A deep dive into how the attackers exploited misconfigurations in Active Directory to escalate privileges and spread laterally.

Reuters – M&S cyberattack could lead to lasting damage, warn analysts
https://www.reuters.com/business/retail-consumer/ms-slow-recovery-cyberattack-puts-it-risk-lasting-damage-2025-05-19
Covers the financial and reputational impact, as well as investor concerns about long-term fallout.

Cybersecurity Dive – Scattered Spider group linked to M&S data exfiltration
https://www.cybersecuritydive.com/news/ms-hackers-customer-data-cyberattack/747956
Provides attribution to the threat group and discusses potential dark web resale of stolen customer data.
