On April 22, 2025, Marks & Spencer — one of the UK's most iconic retailers with over 1,400 stores and millions of online customers — confirmed it was dealing with a significant cyber incident. What followed was weeks of disruption: online ordering suspended, contactless payments failing, click-and-collect services offline, and empty shelves as automated supply chain systems went down.
The attack was attributed to DragonForce ransomware, deployed by affiliates linked to the Scattered Spider collective. M&S's share price dropped significantly, wiping out an estimated 700 million pounds in market capitalization in the days following the disclosure.
Timeline of the Attack
Late March / Early April 2025: Initial access is believed to have occurred, though M&S has not disclosed exact dates. Reports suggest attackers gained access through social engineering — a technique Scattered Spider affiliates are known for.
April 19-20, 2025 (Easter Weekend): Customers begin reporting issues with contactless payments and click-and-collect services. Store staff are instructed to use manual processes.
April 22, 2025: M&S publicly acknowledges a "cyber incident" and notifies the National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO).
April 25, 2025: M&S suspends all online and app orders. The website remains accessible for browsing but purchasing is disabled.
Late April — May 2025: M&S works to restore systems. Gift card and returns processing is intermittent. Supply chain disruptions lead to visible stock gaps on store shelves. The company confirms that customer personal data was accessed.
May 2025: Gradual restoration of services begins, but full recovery takes several more weeks.
The DragonForce Ransomware
DragonForce operates as a ransomware-as-a-service (RaaS) platform. The group provides the ransomware tooling, infrastructure, and negotiation services. Affiliates — the individuals or groups who actually compromise victim networks — receive a percentage of any ransom payments.
The ransomware encrypts files and exfiltrates data for double extortion: pay to decrypt, and pay again to prevent data publication. DragonForce emerged in 2023 and has steadily grown its affiliate base, attracting operators from other disbanded or rebranded ransomware groups.
In the M&S attack, the ransomware was reportedly deployed against the company's VMware ESXi virtual infrastructure, encrypting virtual machines across the environment. This is a common ransomware tactic because encrypting the hypervisor layer takes down all hosted VMs simultaneously, maximizing operational impact.
The Scattered Spider Connection
The M&S attack is attributed to affiliates associated with Scattered Spider (also tracked as UNC3944, 0ktapus, and Starfraud). Scattered Spider is not a traditional organized cybercrime group but rather a loosely affiliated collective of primarily English-speaking, young threat actors who specialize in social engineering.
Their techniques include:
- Helpdesk social engineering: Calling IT helpdesks to reset passwords or enroll new MFA devices
- SIM swapping: Taking over phone numbers to intercept MFA codes
- MFA fatigue: Sending repeated push notification authentication requests until the user approves one
- Impersonation: Convincing IT staff they're employees who need access restored
These techniques are devastatingly effective against organizations that rely on identity-based security without robust verification procedures. Scattered Spider affiliates previously attacked MGM Resorts, Caesars Entertainment, and numerous technology companies.
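The MFA fatigue technique above leaves a distinctive trace in identity-provider logs: a burst of push challenges to one account in a short window, mostly denied or ignored, sometimes ending in an approval. The following is an added example for detection, not code from the original post or from Safeguard.sh. It runs over constructed, newline-delimited JSON events whose field names (`ts`, `user`, `event`, `src_ip`) and event names (`mfa.push.sent`, `mfa.push.denied`, `mfa.push.approved`) are assumptions, not any real IdP's schema, and the threshold and window are tunables a practitioner would adjust to their own baseline.

```python
"""Flag MFA push-fatigue bursts in IdP logs (added example; schema is assumed)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line. Not from any real IdP.
SAMPLE_LOG = """
{"ts": "2025-04-19T02:14:05Z", "user": "jdoe", "event": "mfa.push.sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-19T02:14:09Z", "user": "jdoe", "event": "mfa.push.denied", "src_ip": "203.0.113.7"}
{"ts": "2025-04-19T02:15:10Z", "user": "jdoe", "event": "mfa.push.sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-19T02:16:02Z", "user": "jdoe", "event": "mfa.push.sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-19T02:16:40Z", "user": "jdoe", "event": "mfa.push.denied", "src_ip": "203.0.113.7"}
{"ts": "2025-04-19T02:17:30Z", "user": "jdoe", "event": "mfa.push.sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-19T02:18:45Z", "user": "jdoe", "event": "mfa.push.sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-19T02:20:01Z", "user": "jdoe", "event": "mfa.push.sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-19T02:20:20Z", "user": "jdoe", "event": "mfa.push.approved", "src_ip": "203.0.113.7"}
{"ts": "2025-04-19T08:30:00Z", "user": "asmith", "event": "mfa.push.sent", "src_ip": "198.51.100.12"}
{"ts": "2025-04-19T08:30:06Z", "user": "asmith", "event": "mfa.push.approved", "src_ip": "198.51.100.12"}
"""

PUSH_THRESHOLD = 5            # pushes in one window that count as a burst
WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse NDJSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_push_fatigue(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return one alert per user whose push challenges exceed the threshold
    inside a sliding window. An approval inside (or shortly after) the burst
    is the highest-priority case: the user may have given in to the prompts."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        sent = [e for e in evs if e["event"] == "mfa.push.sent"]
        for i, first in enumerate(sent):
            window_end = first["ts"] + window
            burst = [e for e in sent[i:] if e["ts"] <= window_end]
            if len(burst) < threshold:
                continue
            approved = any(
                e["event"] == "mfa.push.approved"
                and first["ts"] <= e["ts"] <= window_end + window
                for e in evs
            )
            alerts.append({
                "user": user,
                "push_count": len(burst),
                "window_start": first["ts"].isoformat(),
                "source_ips": sorted({e["src_ip"] for e in burst}),
                "approved_after_burst": approved,
            })
            break  # one alert per user is enough to trigger triage
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print(alert)
```

An approval that lands at the end of a burst is the signal to treat the session as compromised until proven otherwise: revoke the tokens issued after it, contact the user through a known channel, and review what the session touched. A burst with no approval is still worth a notification to the user and a check on where the password used to trigger the pushes came from.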
Operational Impact
The M&S attack demonstrated how deeply technology is embedded in modern retail operations:
Online sales: Completely shut down for weeks. M&S's online business represents approximately one-third of its clothing and home sales.
Supply chain: Automated ordering, warehouse management, and logistics systems were disrupted. The result was visible stock gaps in stores — empty shelves that signaled the severity of the incident to customers and media.
Payments: Contactless payment terminals failed in stores, forcing cash-only or chip-and-PIN transactions. In a market where contactless payments dominate, this created significant customer friction.
Gift cards and loyalty: The Sparks loyalty program and gift card processing were intermittently unavailable.
Staff operations: Manual processes were implemented across stores, reducing efficiency and increasing labor costs.
The financial impact extended beyond direct remediation costs. Lost online sales during the peak Easter and spring shopping period, reputational damage, and the market capitalization decline combined to make this one of the most expensive retail cyber incidents in UK history.
Why Retail Is Vulnerable
Retail environments have characteristics that make them attractive targets:
Large, distributed workforce: Thousands of employees across hundreds of locations, many part-time or seasonal. This creates a large attack surface for social engineering and makes consistent security training difficult.
Complex supply chains: Modern retail depends on interconnected systems for ordering, inventory management, logistics, and point-of-sale. These systems are deeply integrated, meaning compromise of one system cascades across operations.
Customer data volumes: Retailers hold personal data, payment information, and behavioral data on millions of customers. This makes them valuable targets for double extortion.
Thin margins: Retail operates on tight margins, which historically means security investment competes with operational spending. The ROI of security is hard to demonstrate until an incident occurs.
Legacy systems: Many retailers run a mix of modern and legacy technology, with aging point-of-sale systems, legacy ERP platforms, and inherited infrastructure from acquisitions.
Lessons from the M&S Attack
Social engineering defenses need process, not just technology
If the initial access was through social engineering (as attributed), then technical controls alone were insufficient. Organizations need:
- Strict identity verification procedures for helpdesk interactions
- Out-of-band verification for password resets and MFA changes
- Callback procedures using pre-registered phone numbers
- Awareness that young, English-speaking attackers are specifically targeting helpdesks
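The four items above describe a process, and a process survives a persuasive caller only if the helpdesk tool refuses to complete the action until each step is recorded. The following is an added example of such a gate, not code from the original post or from Safeguard.sh. The employee directory, phone numbers, request fields and manager-approval rule are constructed assumptions; the point is that the caller-supplied number is never used for the callback, and that a claim of urgency changes nothing.

```python
"""Policy gate for helpdesk reset / MFA-enrollment requests (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed directory standing in for the HR system of record.
DIRECTORY = {
    "jdoe":   {"registered_phone": "+44 20 7946 0000", "manager": "mlee"},
    "asmith": {"registered_phone": "+44 20 7946 0001", "manager": "mlee"},
}

HIGH_RISK_ACTIONS = {"mfa_enroll", "mfa_reset"}  # device changes need extra approval


@dataclass
class ResetRequest:
    username: str
    action: str                                  # "password_reset", "mfa_enroll", ...
    caller_supplied_phone: str                   # number the caller asked to be reached on
    callback_completed_to: Optional[str] = None  # number the agent actually called back
    manager_approved_by: Optional[str] = None    # who approved a device change, if anyone
    claims_urgency: bool = False


@dataclass
class Decision:
    allowed: bool
    blockers: List[str] = field(default_factory=list)  # any one of these denies
    notes: List[str] = field(default_factory=list)     # recorded, but not decisive


def evaluate(req: ResetRequest, directory=DIRECTORY) -> Decision:
    """Apply the verification policy and explain the outcome."""
    record = directory.get(req.username)
    if record is None:
        return Decision(False, blockers=["user not found in directory"])

    blockers, notes = [], []
    registered = record["registered_phone"]

    # Out-of-band step: the callback must go to the number on file, never to
    # a number supplied during the call.
    if req.caller_supplied_phone != registered:
        notes.append("caller-supplied number differs from registered number; it was not used")
    if req.callback_completed_to != registered:
        blockers.append("callback to pre-registered number not completed")

    # MFA device changes are the step attackers most want; require a second party.
    if req.action in HIGH_RISK_ACTIONS and req.manager_approved_by != record["manager"]:
        blockers.append("MFA device change requires approval from the manager of record")

    # Urgency is the usual pressure tactic; log it, do not act on it.
    if req.claims_urgency:
        notes.append("caller claimed urgency; no verification step waived")

    return Decision(allowed=not blockers, blockers=blockers, notes=notes)


if __name__ == "__main__":
    # Constructed request in the shape of the pressure call described above.
    suspicious = ResetRequest("jdoe", "mfa_enroll", "+44 7700 900123", claims_urgency=True)
    print(evaluate(suspicious))
    # Constructed request that followed the procedure end to end.
    routine = ResetRequest("asmith", "password_reset", "+44 20 7946 0001",
                           callback_completed_to="+44 20 7946 0001")
    print(evaluate(routine))
```

The `notes` list is deliberately separate from `blockers`: a mismatched number or an urgency claim is not itself a denial, but each is worth keeping in the ticket so that repeated attempts against the same helpdesk show up in review.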
Ransomware resilience requires tested recovery
The extended recovery time suggests that backup and recovery procedures were either insufficient or untested at scale. Organizations should regularly test full environment recovery from backups, including:
- ESXi host rebuilds from scratch
- VM restoration from offline/immutable backups
- Network infrastructure rebuild
- Application stack validation post-restore
Incident communication matters
M&S's communication was measured but sometimes lagged behind customer experience. Customers encountered broken services before official acknowledgment. Proactive, frequent communication during an incident preserves customer trust better than reactive statements.
How Safeguard.sh Helps
Safeguard.sh addresses the software supply chain complexity that makes retail environments difficult to secure. By maintaining a comprehensive SBOM across your entire technology estate — from point-of-sale systems to warehouse management to e-commerce platforms — Safeguard.sh gives security teams visibility into what's running, what's vulnerable, and what's connected.
The platform's vulnerability management capabilities ensure that known vulnerabilities in retail technology stacks are identified and tracked through remediation. When ransomware groups target specific technologies (like VMware ESXi), Safeguard.sh immediately highlights your exposure and tracks patching progress.
For organizations managing complex vendor ecosystems, Safeguard.sh's third-party risk capabilities help assess whether your supply chain partners maintain adequate security postures — reducing the risk that a compromised vendor becomes your entry point.