Customer data compromised, £300M financial impact. April 25, 2025. Sector: Retail.

Marks & Spencer (M&S)

A single phone call to the IT help desk. That's all it took for Scattered Spider to breach one of Britain's largest retailers. The result: £300 million in losses, 46 days of online shutdown, and customer data in attacker hands.

Data exposed: full names, email addresses, home addresses, phone numbers, dates of birth, online order history, household information, Sparks Pay reference numbers, masked payment card details.
1. What happened?

Between February and April 2025, threat actors from Scattered Spider infiltrated Marks & Spencer's network through social engineering. They impersonated an M&S employee and convinced a third-party IT contractor to reset credentials, gaining initial access. On April 24, 2025, the attackers deployed DragonForce ransomware, encrypting VMware ESXi hosts and virtual machines across M&S's infrastructure. The company disclosed the breach on April 25, 2025, immediately suspending all online shopping operations.

2. What data was actually inside?

M&S confirmed that customer records containing full names, email addresses, home addresses, phone numbers, dates of birth, and complete online order histories were compromised. The breach also exposed household information, Sparks Pay loyalty program reference numbers, and masked payment card details—showing the last four digits but not full card numbers or CVV codes.

Beyond customer data, the attackers obtained M&S's Active Directory database file (NTDS.dit) containing password hashes for Windows accounts across the organization. This gave them lateral movement capability and persistent access to internal systems. While M&S emphasized that full payment card details and account passwords were not stored in their systems, the combination of personal identifiers, transaction history, and loyalty program data paints a complete picture of customer shopping patterns, household composition, and personal contact information.

3. Who gets hurt and how?

M&S customers now face targeted phishing campaigns using their actual purchase history. An attacker who knows you ordered children's clothing in size 6, food deliveries every Tuesday, and flowers for Mother's Day can craft convincing impersonation emails. The exposed phone numbers enable voice phishing attempts where callers reference specific orders and delivery addresses to establish false credibility.

For customers whose Sparks Pay loyalty accounts were compromised, fraudsters now hold reference numbers that could be used to social engineer customer service representatives or attempt account takeovers. The combination of date of birth, full address, and email creates a complete identity profile suitable for synthetic identity fraud. While M&S reset passwords as a precaution, the underlying personal data—particularly order histories revealing household circumstances, income indicators, and lifestyle patterns—cannot be made private again once exposed.

4. What did they think they were doing right?

M&S is a 141-year-old British institution with sophisticated enterprise IT infrastructure. They segregated payment processing to avoid storing full card details. They used third-party IT contractors vetted through procurement processes. They had help desk protocols for password resets. They employed VMware virtualization for infrastructure resilience. All standard enterprise security practices.

The help desk contractor who reset credentials was following procedure—verifying what appeared to be a legitimate employee request. M&S had invested in systems separation to protect payment data. Their incident response plan included engaging leading cybersecurity firms and reporting to government authorities, which they executed immediately upon detection. By enterprise retail standards, M&S was doing what organizations their size are expected to do.

5. What did they not know about their own data?

Scattered Spider had access to M&S's network from February through April before deploying ransomware—approximately two months of dwell time. During that period, attackers exfiltrated the Active Directory database and customer records. Did M&S know exactly where all customer order histories were stored across their e-commerce infrastructure? Which backup systems contained copies of that data? How many years of transaction records existed in production databases versus archived storage?

When M&S suspended online operations for 46 days, they were simultaneously conducting forensics and rebuilding systems. The company quantified £300 million in lost profit—but the breach notification to customers was issued within days of disclosure. That means they had to identify whose data was exposed while still investigating the full scope of compromise. The gap between "we've been breached" and "here's exactly what data the attackers took" is where organizations discover how little they knew about their own data inventory.

If a single credential in your environment was compromised today, could you say within 24 hours exactly what data was accessed?

6. What does attribution look like the morning after?

M&S faced immediate UK data breach notification requirements under GDPR, reporting the incident to the Information Commissioner's Office (ICO). They had to notify affected customers—though the company never disclosed the specific number impacted. Four people were eventually arrested in connection with the attack and charged with Computer Misuse Act offences relating to an estimated £440 million in damages across M&S and the other retailers targeted in the same campaign.

Beyond notification requirements, M&S navigated shareholder communications as their market value dropped £500 million in the days following disclosure. They issued profit warnings accounting for the £300 million impact. They resumed limited online ordering on June 10—46 days after shutdown—and didn't restore click-and-collect services until August, nearly four months post-breach. The forensic work, system rebuilding, customer notifications, regulatory reporting, and litigation preparation all occurred simultaneously while the business attempted to recover normal operations.

7. What would have changed the outcome?

Knowing exactly what customer data existed across all systems before attackers spent two months exfiltrating it.

No help desk protocol would have prevented a sophisticated social engineering attack by Scattered Spider—they've breached MGM Resorts, Caesars Entertainment, and multiple Fortune 500 companies using identical tactics. But an organization that had inventoried its customer databases—understood what order histories were retained and where, mapped which systems held dates of birth versus payment references, classified the sensitivity of loyalty program data—would have known immediately upon detecting the breach what was at risk.

Instead, M&S spent 46 days offline while simultaneously investigating what data attackers accessed and rebuilding encrypted systems. When you're conducting breach forensics and data inventory at the same time, you're discovering your own infrastructure during the worst possible moment. The organizations that recover fastest from credential-based breaches are those that already knew which systems the compromised accounts could access and what sensitive data lived there—before the attackers figured it out first.
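As an added illustration, not taken from the report or from M&S's own tooling, the script below shows what "knowing which systems a compromised account could reach and what data lived there" looks like in practice: a constructed data inventory (system to data classes, with sensitivity tiers) joined to a constructed access model (account to groups to systems), queried for the blast radius of one account, and then for the worst case where the directory database itself is taken and every account's credentials must be treated as exposed. Every system, group, account and tier value here is invented for the example.

```python
"""Blast-radius lookup over a constructed data inventory (example code, not M&S's)."""

# Constructed inventory: which data classes each system (including a backup copy)
# holds, as a classification pass over production and archive stores would record.
SYSTEM_DATA = {
    "ecommerce-db":     {"full_name", "email", "home_address", "order_history"},
    "ecommerce-backup": {"full_name", "email", "home_address", "order_history"},
    "crm":              {"full_name", "email", "phone", "date_of_birth", "household_info"},
    "loyalty-db":       {"sparks_pay_ref", "email"},
    "payment-gateway":  {"masked_card"},
    "hr-system":        {"employee_name", "salary"},
}

# Constructed sensitivity tiers per data class (higher = more sensitive).
TIER = {
    "order_history": 3, "date_of_birth": 3, "household_info": 3, "salary": 3,
    "home_address": 2, "phone": 2, "sparks_pay_ref": 2, "masked_card": 2,
    "full_name": 1, "email": 1, "employee_name": 1,
}

# Constructed access model: account -> groups, group -> systems it can reach.
ACCOUNT_GROUPS = {
    "helpdesk-svc": {"ServiceDesk"},
    "jdoe":         {"CustomerOps", "LoyaltyAdmins"},
    "da-backup":    {"DomainAdmins"},
}
GROUP_SYSTEMS = {
    "ServiceDesk":   {"crm"},
    "CustomerOps":   {"ecommerce-db", "crm"},
    "LoyaltyAdmins": {"loyalty-db"},
    "DomainAdmins":  set(SYSTEM_DATA),  # domain admins reach every joined system
}

def reachable_systems(account):
    """Systems an account can reach through its group memberships (sorted)."""
    systems = set()
    for group in ACCOUNT_GROUPS.get(account, ()):
        systems |= GROUP_SYSTEMS.get(group, set())
    return sorted(systems)

def blast_radius(account):
    """Reachable systems, the data classes they hold, and the highest tier at risk."""
    exposed = {s: sorted(SYSTEM_DATA[s]) for s in reachable_systems(account)}
    classes = set().union(*exposed.values()) if exposed else set()
    return {"systems": exposed, "classes": sorted(classes),
            "max_tier": max((TIER[c] for c in classes), default=0)}

def directory_blast_radius():
    """With the directory database (NTDS.dit) taken, every account's hashes are
    exposed, so the answer is the union of every account's reach."""
    systems = set()
    for account in ACCOUNT_GROUPS:
        systems.update(reachable_systems(account))
    classes = set().union(*(SYSTEM_DATA[s] for s in systems)) if systems else set()
    return {"systems": sorted(systems), "classes": sorted(classes)}

if __name__ == "__main__":
    for acct in ACCOUNT_GROUPS:
        r = blast_radius(acct)
        print(f"{acct}: {len(r['systems'])} systems, max tier {r['max_tier']}, {r['classes']}")
    print("directory compromise:", directory_blast_radius()["systems"])
```

The same lookup run against a real inventory is what lets an incident lead answer "which data was reachable from this credential" on day one rather than after weeks of forensics.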

Marks & Spencer found out the hard way.

Your team could spend the next 6 months rebuilding systems, notifying customers, and answering legal questions. Or you could spend 24 hours finding out what's actually at risk.