Marks & Spencer
A Scattered Spider operation pivoted through M&S's third-party IT helpdesk into the retailer's Active Directory, halting online ordering for six weeks and exposing customer data.
- Target: Marks & Spencer
- Date public: 22 April 2025
- Sector: Retail
- Attack type: Ransomware
- Threat actor: Scattered Spider (DragonForce affiliate)
- Severity: Critical
- Region: United Kingdom
Marks & Spencer's online ordering system was offline for six weeks in 2025 because attackers phoned the company's outsourced IT helpdesk, impersonated an M&S employee, and convinced the helpdesk agent to reset multi-factor authentication on a privileged account. From there the attackers had the keys to the kingdom — domain administrator access, the customer database, and the operational ability to deploy ransomware. The same English-speaking crew, known as Scattered Spider, ran the same playbook against the Co-op, Harrods, ICBC, MGM, Caesars and a long list of other major brands in the same period. The lesson for every business: helpdesk identity-verification is now the single most-targeted control in enterprise security.
What happened
On 22 April 2025, Marks & Spencer disclosed a cyber incident to the London Stock Exchange. Within forty-eight hours, contactless payments in stores stopped working, click-and-collect orders were paused, and the entire e-commerce operation was taken offline. Online ordering would not resume for six weeks. By the time the dust settled, M&S had lost an estimated £300 million in sales and recovery costs, and confirmed that customer data — names, addresses, contact details, dates of birth, and order histories — had been exfiltrated.
The same threat actor cluster hit two more recognisable British retailers in close succession. Co-op detected the activity in its environment and contained it before stores or systems were materially affected. Harrods sustained limited disruption to its online channels. The pattern across all three was the same: social engineering of a third-party IT support function, followed by lateral movement into the retailer’s identity infrastructure, ending in DragonForce ransomware deployment on internal systems.
The British media response was substantial. The incident dominated UK headlines for the better part of two months and reset the public conversation on ransomware in the retail sector. The NCSC issued sector-wide guidance for the first time in over a year.
How it worked
The intrusion did not start at M&S. It started at the helpdesk operated by a third-party IT services contractor that supported M&S’s identity and endpoint operations. Scattered Spider — tracked by Mandiant as UNC3944 — has a well-documented playbook for this kind of operation: a fluent English-language phone call to a service desk, a believable cover story involving an executive’s misplaced password or locked-out account, and an MFA reset performed by a sympathetic helpdesk operator who has been trained to be helpful.
The reset gave the attackers an authenticated foothold in an account with sufficient permissions to begin enumeration. From there, the route to domain dominance followed a familiar arc: identification of privileged service accounts, abuse of cached credentials and tokens to escalate, and eventual control of an Active Directory domain admin account. With domain admin in hand, the attackers had read access to nearly every system in the M&S environment that mattered, and write access to most of it.
Customer data was staged and exfiltrated through cloud storage routes that looked like legitimate corporate file movement. Then, on the operational side, the DragonForce ransomware payload was deployed to the parts of the estate that ran tills, e-commerce orchestration, warehouse management, and inventory systems. The choice of DragonForce — a relatively young ransomware-as-a-service operation — was a Scattered Spider tradecraft signature; the group has rotated through several RaaS affiliates over the past two years.
The operational disruption that followed was almost entirely a function of how integrated M&S’s stack was. The same identity infrastructure that ran the loyalty scheme also ran payments, the warehouse management system, and several supplier-facing portals. Recovery required rebuilding from clean backups across that entire estate, in sequence, with cautious revalidation at each step.
Timeline
- April 2025 (early to mid) — Initial helpdesk social-engineering call leads to an MFA reset on a privileged M&S account.
- April 2025 (week of 14th) — Internal reconnaissance and credential staging.
- 19–21 April 2025 — Customer data exfiltration; DragonForce ransomware deployment on internal systems.
- 22 April 2025 — M&S notifies the LSE; in-store contactless payments and click-and-collect paused.
- 23–25 April 2025 — Online ordering taken offline; warehouse and distribution operations affected.
- April–May 2025 — Co-op and Harrods incidents disclosed; NCSC issues retail-sector guidance.
- Early June 2025 — M&S online ordering partially restored; full recovery extends through the summer.
- June–July 2025 — M&S confirms exfiltration of customer personal data; trading update quantifies the impact at roughly £300 million.
What defenders should learn
The third party was the front door. M&S’s identity-management practices were robust enough that a direct attack would have been hard work. The helpdesk operated by an outsourced IT services provider, by contrast, was reachable by anyone with a phone, an English voice, and a believable story. The incident is a textbook example of why identity controls have to extend to every party that can reset, issue, or attest credentials — including ones that don’t share a payroll with you.
A second pattern worth noticing: the speed of the lateral movement once the foothold was established. From a helpdesk-issued password reset to domain admin took less time than the gap between two consecutive change-management windows. Modern identity attacks do not wait, and detection regimes designed around weekly audits or quarterly access reviews do not catch them.
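The reset-to-domain-admin sequence described above is exactly the kind of pairing a continuous detection can catch where a weekly audit cannot. The following is an added illustration, not code from M&S or any vendor: it correlates a helpdesk MFA reset with a privileged-group addition on the same account inside a short window. The log format, field names, account names and ticket numbers are all constructed for the example.

```python
"""Correlate helpdesk MFA resets with rapid privileged-group changes.

Hypothetical detection logic: flag any account whose MFA was reset by a
helpdesk operator and which then gains membership of a privileged AD group
within a short window. Log format and field names are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Fields:
# timestamp | event | account | key=value;key=value
SAMPLE_LOG = """\
2025-04-14T09:02:11Z | MFA_RESET | j.smith | by=helpdesk-ops;ticket=HD-1042
2025-04-14T09:40:53Z | LOGON | j.smith | src=10.0.5.17
2025-04-14T11:15:02Z | GROUP_ADD | j.smith | group=Domain Admins;by=svc-adm
2025-04-15T08:00:00Z | MFA_RESET | a.jones | by=helpdesk-ops;ticket=HD-1050
2025-04-20T08:30:00Z | GROUP_ADD | a.jones | group=Domain Admins;by=changemgmt
"""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}


def parse_log(text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event, account, detail = [p.strip() for p in line.split("|")]
        fields = dict(kv.split("=", 1) for kv in detail.split(";"))
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "event": event, "account": account, **fields})
    return events


def find_reset_to_privilege(events, window=timedelta(hours=24)):
    """Return (account, minutes elapsed) for every MFA reset that is followed
    by a privileged-group addition on the same account within `window`.
    Only the most recent reset per account is tracked."""
    findings = []
    last_reset = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "MFA_RESET":
            last_reset[e["account"]] = e["ts"]
        elif e["event"] == "GROUP_ADD" and e.get("group") in PRIVILEGED_GROUPS:
            reset_ts = last_reset.get(e["account"])
            if reset_ts is not None and e["ts"] - reset_ts <= window:
                elapsed = int((e["ts"] - reset_ts).total_seconds() // 60)
                findings.append((e["account"], elapsed))
    return findings


if __name__ == "__main__":
    print(find_reset_to_privilege(parse_log(SAMPLE_LOG)))  # [('j.smith', 132)]
```

The second account is not flagged because its group change falls outside the window, which is the point: the signal is the short interval, not the group change on its own.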
For defenders thinking about segmentation and Zero Trust, the M&S case is unusually clean evidence for the argument that identity boundaries and network boundaries have to reinforce each other. Either alone is bypassable. Together, they constrain blast radius even when the initial foothold is unavoidable. Andy will layer more of that lens in over time; for now, the operational lesson stands on its own.