Marks & Spencer (M&S), one of the UK’s best-known retailers, has been hit by a major cyber attack.
The incident has caused widespread disruption to M&S’s operations – from in-store payment problems to a complete shutdown of online orders.
M&S is still working to restore some of its services and has confirmed that hackers accessed some customer data.
This article compiles everything we know so far about the M&S cyber attack in a simple, clear way – including what happened, what data was stolen, who is thought to be behind it, and how customers can protect themselves in the aftermath.
The M&S cyber attack refers to a ransomware incident that struck Marks & Spencer’s computer systems in spring 2025, causing serious disruption across the business.
It first came to light when customers encountered technical issues.
Some were unable to use contactless payment or Click & Collect services in Marks & Spencer stores.
M&S soon acknowledged it was dealing with a ‘cyber incident’, and it paused all online orders on its website and mobile app to contain the attack.
This meant customers could not buy anything from M&S online – a significant blow, as about one-third of the company’s UK clothing and home sales normally happen through its website and apps.
In a ransomware attack, cyber criminals break into an organisation’s network and encrypt important files, scrambling them so they cannot be used.
They then demand a ransom payment to unlock the data or to stop leaking it.
M&S has not publicly commented on any ransom demands, but security experts believe the attackers are likely trying to extort a multi-million pound payment from the retailer.
Ransomware groups often steal copies of data before encrypting systems, using this stolen data as leverage.
They threaten to publish or sell it unless paid.
In this case, the M&S cyber attack forced the company to take some of its IT systems offline.
The scale of the disruption has been unprecedented for M&S.
The company even pulled down its recruitment website and stopped hiring new staff during the crisis.
At one point, M&S had to tell around 200 warehouse workers to stay home due to the continued IT security issues.
The financial impact has also been significant.
Analysts estimated in early May that the downtime had cost M&S around £30 million in lost sales and related costs, with an ongoing hit of roughly £15 million per week while online orders remained suspended.
M&S’s share price fell sharply when the problems were first announced, wiping hundreds of millions of pounds off the company’s market value.
M&S has now confirmed that the attackers stole some personal customer data as part of the M&S cyber attack.
The company initially remained silent on this aspect, but about three weeks after the attack, it notified customers that some of their personal data had been taken.
Importantly, M&S stated that no sensitive financial information was accessed during the M&S cyber attack.
The stolen data does not include any usable payment card details or passwords for customer accounts.
M&S does not store full payment card numbers on its systems, and there is no evidence that hackers accessed credit or debit card information.
The types of customer data that were compromised include names, contact details and order history.
According to M&S, no account passwords were stolen, and any partial card information (such as expiry dates or last four digits) would not be usable by criminals.
The company has also stressed that there is no evidence so far that any of the stolen customer data has been shared or published by the hackers.
M&S has not disclosed how many customers were affected, but given the nature of the attack, it could potentially be a large number.
As a precaution, M&S is prompting all customers to reset their account passwords on their next login to provide extra peace of mind.
Officially, M&S has not publicly identified the culprits behind the M&S cyber attack.
However, cybersecurity experts and hacker statements point to a group using the name DragonForce as the likely perpetrators.
DragonForce is a relatively new ransomware-as-a-service (RaaS) operation.
They offer ransomware tools and a platform that other hackers can rent to carry out attacks, in return for a share of the profits.
In late April, a group claiming to be DragonForce announced they were behind attacks on M&S, the Co-op supermarket chain, and an attempted hack on Harrods department store.
They also claimed to have stolen data on Co-op’s staff and millions of customers.
Essentially, DragonForce provides the infrastructure, while affiliate hackers perform the actual breaches.
The breach of M&S is believed to have been carried out by a well-known hacking crew informally referred to as Scattered Spider, which Microsoft tracks as Octo Tempest.
Scattered Spider is a loosely organised group of English-speaking hackers, thought to include young adults and teenagers.
The group has previously been linked to several high-profile cyber attacks.
Scattered Spider is particularly skilled in social engineering, a tactic that involves manipulating employees to gain access.
Reports suggest the attackers impersonated M&S employees and convinced the IT help desk to reset passwords, giving them the credentials needed to access internal systems.
The UK’s National Cyber Security Centre (NCSC) has warned other companies to tighten security around help desk procedures to prevent similar breaches.
Investigations suggest that the hackers may have first infiltrated M&S as early as February 2025, gaining access to sensitive files including the Active Directory database, which holds employee account credentials.
Using valid credentials, the hackers moved through M&S’s systems undetected for weeks.
On 24 April, they activated the DragonForce ransomware, encrypting critical servers and causing the outages that customers and staff began noticing.
This form of double-extortion ransomware, both encrypting files and stealing data, is typical of the DragonForce group.
The Metropolitan Police and other cyber authorities are now investigating.
However, these investigations can be complex and time-consuming, especially since many attackers operate internationally.
DragonForce first appeared in mid-2023 and has since targeted organisations globally.
Security experts are particularly concerned about the group’s collaboration with Scattered Spider, hackers with insider knowledge of how UK and US companies operate.
An M&S insider reportedly feared that the attackers might still be inside the company’s network.
This prompted staff to switch from internal platforms such as Microsoft Teams to personal devices and encrypted apps such as WhatsApp.
M&S’s leadership has been cautious in public statements and has not officially named the attackers.
CEO Stuart Machin apologised to customers on 2 May, acknowledging the seriousness of the disruption and promising that the company was working to resolve the issue.
To help manage the crisis, M&S hired external cybersecurity specialists, including teams from Microsoft and CrowdStrike.
The Information Commissioner’s Office (ICO) and NCSC have also been involved, recognising that the attack on M&S is part of a broader campaign affecting UK retailers.
If you are an M&S customer, the news of the M&S cyber attack may understandably leave you concerned about your personal data.
The good news is that sensitive financial details, such as payment card information and account passwords, were not stolen.
Attackers cannot directly access your bank accounts or M&S online account.
However, the information that was compromised, including names, contact information, and order history, could still be misused by fraudsters to target you in scams.
There are several practical steps you can take to safeguard yourself.
Cyber criminals may attempt to use your personal data to make phishing scams more convincing.
They might contact you by email, text, or phone call pretending to be from M&S or other trusted services.
These messages may mention past orders or your home address to sound legitimate.
M&S has stated clearly that it will never contact customers out of the blue to request sensitive information such as passwords or payment details.
If you receive any unexpected message claiming to be from M&S and asking for such information, do not click on links or provide any personal data.
Always visit the official M&S website directly or call their customer service line for verification.
As a precautionary step, M&S is prompting all customers to change their account passwords when they next log in.
It’s strongly advised to choose a strong, unique password that you don’t use on any other platform.
Even though M&S says account passwords were not stolen, changing yours adds an extra layer of security.
If you previously used the same password for other accounts, update those as well.
Using unique passwords for each account helps prevent attackers from using information obtained in one breach to access other accounts.
Keep an eye out for any emails or letters from M&S regarding this incident.
Make sure to verify that these communications are genuine and not phishing attempts.
M&S has said it will be contacting customers to explain the situation and provide guidance on next steps.
The UK’s data protection authority, the Information Commissioner’s Office (ICO), also offers helpful advice for individuals affected by cyber breaches.
Their guidance includes tips on preventing identity fraud and staying safe online.
Although payment information was not stolen, it’s wise to remain vigilant.
Check your bank and credit card statements regularly for any suspicious transactions over the coming months.
Monitor your M&S online account as well.
Report any unfamiliar orders, account changes, or activity to M&S immediately.
Because your contact information was taken, you may also receive an increase in spam or scam attempts.
Be cautious of anyone claiming to represent M&S, your bank, or any other organisation who asks for personal information over the phone or via email.
If in doubt, hang up and call the organisation back using an official contact number.
The main risk most customers face following this breach is phishing, which can be countered by staying cautious.
However, if you want additional reassurance, consider checking your credit reports to ensure no fraudulent accounts have been opened in your name.
In the UK, you can access free statutory credit reports from the major credit reference agencies.
Enable any available security features on your financial accounts, such as two-factor authentication and alerts for new payees.
While there is no current indication that financial data was leaked, taking proactive measures can help you stay protected.
You should now have a clearer understanding of the M&S cyber attack.
The M&S cyber attack has been a serious and far-reaching incident, underlining how even a large and well-known retailer can be crippled by determined hackers.
It’s expected to cost M&S millions in lost sales and recovery expenses.
It’s a stark reminder that no company is immune to cyber threats.
More importantly, stay alert about your personal information going forward.
Cyber attacks like this often lead to an increase in phishing scams, so use the guidance provided to protect yourself.
The M&S cyber attack has highlighted growing digital risks and why both businesses and individuals need to stay alert.
By learning from what happened and following expert advice, we can all be better prepared to deal with these kinds of cyber incidents in the future.