
How social engineering cost Marks & Spencer £300 Million

Hackers from the Scattered Spider collective tricked Marks & Spencer staff into a password reset. Two months later, the 141-year-old retailer lost £300 million, was offline for 46 days, and had millions of customers’ data stolen in a ransomware attack that started with a single phone call.

How a Phone Call Took Down One of Britain’s Biggest Retailers

There’s something almost absurd about it. Marks & Spencer, 141 years old, over 1,400 stores, a cornerstone of British high-street life, wasn’t brought down by some zero-day exploit or a nation-state cyber weapon. It was brought down, at least in part, by someone who picked up a phone and pretended to be an employee.

Over Easter weekend 2025, customers across the UK began to notice something was off. Contactless payments weren’t going through. Click-and-collect orders were failing. Gift cards stopped working. By April 22nd, M&S formally disclosed a “cyber incident” to the London Stock Exchange. Three days later, the company pulled the plug on its entire online ordering system, a channel that accounts for roughly a third of its clothing and home sales and generates around £3.8 million a day.

It wouldn’t come back for 46 days.

The Anatomy of the Attack

What happened behind the scenes was far more alarming than empty shelves and broken payment terminals. According to BleepingComputer’s reporting and subsequent investigations by CrowdStrike, Microsoft, and incident response firm Fenix24, the attackers had been inside M&S’s systems since at least February 2025, two full months before anyone noticed.

The initial access method was disarmingly simple. M&S Chairman Archie Norman later confirmed that the attackers impersonated an M&S employee and called a third-party service desk, which carried out a password reset for them. No phishing link. No software vulnerability. Just a convincing voice on the other end of the line.

From there, things escalated quickly. With those reset credentials as a foothold, the attackers exfiltrated NTDS.dit, the Active Directory database that stores the password hashes of every domain user in M&S’s Windows environment: roughly 64,000 employees’ worth of credentials. (The public reporting does not say how they got that far. Dumping NTDS.dit needs domain-admin-equivalent rights on a domain controller, so a reset help-desk password alone was not enough, and some privilege escalation in between is implied.) Because NT hashes are unsalted, they could be cracked offline in bulk; armed with legitimate logins, the attackers spent weeks moving laterally through the network, completely undetected.
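Why a stolen NTDS.dit turns into working logins so quickly deserves a concrete look. The block below is an added example, not code from this article or from any of the incident reports: it implements NT hashing (MD4 over the UTF-16LE password, no salt) and runs a wordlist against a constructed secretsdump-style dump. MD4 is written out by hand because hashlib’s md4 is unavailable under OpenSSL 3’s default provider; the CORP domain, the accounts, their passwords and the wordlist are all constructed for the demonstration.

```python
"""Why a stolen NTDS.dit becomes a set of working logins.

Added example, not from the page or the incident reports. NT hashes are MD4
over the UTF-16LE password with no per-user salt, so one wordlist pass is
tested against every account at once and identical passwords share a hash.
The domain, accounts, passwords and wordlist below are constructed.
"""
import struct

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because hashlib's md4 is often disabled."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (G, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        h = state[:]
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                j = (-i) % 4  # update A, D, C, B in turn
                val = (h[j] + fn(h[(j + 1) % 4], h[(j + 2) % 4], h[(j + 3) % 4]) + X[idx] + k) & MASK
                h[j] = rotl(val, shifts[i % 4])
        state = [(s + v) & MASK for s, v in zip(state, h)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash exactly as stored in NTDS.dit, as lowercase hex."""
    return _md4(password.encode("utf-16-le")).hex()


# Constructed accounts (hypothetical CORP domain); the dump is rendered from
# them in the secretsdump-style "domain\\user:rid:lm_hash:nt_hash:::" layout.
ACCOUNTS = {
    "CORP\\alice": "password",
    "CORP\\bob": "Summer2025!",
    "CORP\\carol": "password",
    "CORP\\svc_sql": "7hZ$k2!qLm9#Vx",
}
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty LM password
DUMP = [f"{u}:{1000 + i}:{EMPTY_LM}:{nt_hash(p)}:::"
        for i, (u, p) in enumerate(ACCOUNTS.items())]
WORDLIST = ["123456", "password", "Welcome1", "Summer2025!", "Password1"]


def crack(dump_lines, wordlist):
    """Hash the wordlist once and look up every user against it."""
    table = {nt_hash(w): w for w in wordlist}  # no salt: one table serves all users
    cracked = {}
    for line in dump_lines:
        user, _rid, _lm, nt, *_ = line.split(":")
        if nt in table:
            cracked[user] = table[nt]
    return cracked


def shared_hashes(dump_lines):
    """Users grouped by identical NT hash: password reuse shows before any cracking."""
    groups = {}
    for line in dump_lines:
        user, _rid, _lm, nt, *_ = line.split(":")
        groups.setdefault(nt, []).append(user)
    return {nt: users for nt, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    for user, pw in crack(DUMP, WORDLIST).items():
        print(f"{user}: {pw}")
    for nt, users in shared_hashes(DUMP).items():
        print(f"same password ({nt}): {', '.join(users)}")
```

Three of the four constructed accounts fall to a five-word list; only the long random service-account password survives. The cost of the attack scales with the wordlist, not with the number of users, which is why a single dump of 64,000 hashes is worth weeks of quiet lateral movement. The defensive lever is on the other side of the domain controller: keep NTDS.dit out of reach with tiered administration, and make the hashes that do leak expensive by enforcing long, non-reused passwords.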

Then, on April 24th, they pulled the trigger. The attackers deployed DragonForce ransomware across M&S’s VMware ESXi hosts, encrypting the virtual machines that underpinned e-commerce, payment processing, logistics, and inventory management. The digital heart of one of Britain’s largest retailers went dark.
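The weeks of undetected activity described above start with a step that is loud on a domain controller if anyone is listening: getting a copy of NTDS.dit. The block below is an added example, not code from the article or from the firms that investigated the incident. It runs a handful of detection rules over constructed Windows Security Event 4688 (process creation) records and grades each host; the hostnames, usernames, timestamps and command lines are invented for the demonstration, and the rules assume command-line auditing is on (“Include command line in process creation events”), or equivalently Sysmon Event 1.

```python
"""Flag NTDS.dit extraction in Windows process-creation logs.

Added example; the events are constructed, not from the M&S incident.
Assumes Security Event 4688 with command-line auditing enabled (or Sysmon
Event 1), and that events have already been parsed into the dicts below.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule matches one step an attacker takes to walk off with the AD database
# and the SYSTEM hive (whose boot key is needed to decrypt the hashes).
RULES = [
    ("ntdsutil_ifm",
     re.compile(r"ntdsutil.*(?:\bifm\b|ac\s+i\s+ntds|activate\s+instance\s+ntds)", re.I)),
    ("shadow_copy_create",
     re.compile(r"(?:vssadmin\s+create\s+shadow|diskshadow|wmic\s+shadowcopy\s+call\s+create)", re.I)),
    ("ntds_dit_copy",
     re.compile(r"(?:copy|xcopy|robocopy|esentutl)\b.*ntds\.dit", re.I)),
    ("system_hive_export",
     re.compile(r"reg(?:\.exe)?\s+save\s+hklm\\system\b", re.I)),
]

# Constructed 4688 records: a two-step dump on DC01, an ntdsutil IFM snapshot on
# DC02, benign Office activity on a workstation, and a backup job on a file server.
SAMPLE_EVENTS = [
    {"time": "2025-03-03T02:14:07", "host": "DC01", "user": "svc_backup",
     "cmd": r"vssadmin create shadow /for=C:"},
    {"time": "2025-03-03T02:14:31", "host": "DC01", "user": "svc_backup",
     "cmd": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\ntds.dit"},
    {"time": "2025-03-03T02:14:40", "host": "DC01", "user": "svc_backup",
     "cmd": r"reg save HKLM\SYSTEM C:\Temp\system.hiv"},
    {"time": "2025-03-03T09:00:12", "host": "WS-042", "user": "alice",
     "cmd": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE /n"},
    {"time": "2025-03-04T23:50:01", "host": "DC02", "user": "jsmith_adm",
     "cmd": r'ntdsutil "ac i ntds" "ifm" "create full C:\ifm" q q'},
    {"time": "2025-03-05T01:00:00", "host": "FS01", "user": "backupsvc",
     "cmd": r"vssadmin create shadow /for=D:"},
]


def _ts(hit):
    return datetime.fromisoformat(hit["time"])


def match_rules(events):
    """One hit per (event, rule) pair whose command line matches."""
    return [dict(ev, rule=name) for ev in events
            for name, rx in RULES if rx.search(ev["cmd"])]


def correlate(hits, window=timedelta(minutes=30)):
    """Roll hits up per host and grade them.

    critical: ntdsutil IFM, or a shadow copy followed within `window` by a copy
              of ntds.dit (the classic two-step dump)
    high:     ntds.dit copied or SYSTEM hive saved without the shadow step seen
    low:      shadow copy alone (backup agents do this legitimately)
    """
    by_host = defaultdict(list)
    for hit in hits:
        by_host[hit["host"]].append(hit)

    alerts = {}
    for host, hs in by_host.items():
        rules = {h["rule"] for h in hs}
        shadows = [_ts(h) for h in hs if h["rule"] == "shadow_copy_create"]
        copies = [_ts(h) for h in hs if h["rule"] == "ntds_dit_copy"]
        chained = any(timedelta(0) <= c - s <= window for s in shadows for c in copies)
        if "ntdsutil_ifm" in rules or chained:
            severity = "critical"
        elif rules & {"ntds_dit_copy", "system_hive_export"}:
            severity = "high"
        else:
            severity = "low"
        alerts[host] = {"severity": severity, "rules": sorted(rules),
                        "users": sorted({h["user"] for h in hs})}
    return alerts


def detect(events, window=timedelta(minutes=30)):
    return correlate(match_rules(events), window)


if __name__ == "__main__":
    for host, a in sorted(detect(SAMPLE_EVENTS).items()):
        print(f"{host}: {a['severity']:8} {','.join(a['rules'])} by {','.join(a['users'])}")
```

On the constructed data DC01 and DC02 come out critical, FS01 comes out low, and the workstation never appears. Two caveats from practice: the “low” grade exists because backup software creates shadow copies all day, and the temptation is to exclude the backup service account from the rule entirely; that exclusion is exactly the identity an attacker with a cracked password will prefer, so scope it to the backup hosts, never to domain controllers. And this only covers the on-disk route; DCSync, which pulls the same hashes over the replication protocol, shows up as directory-service access events (4662) on the domain controller and needs its own rule.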

Who Did This?

The attack has been attributed to Scattered Spider, a loose collective of predominantly English-speaking hackers, many of them believed to be teenagers and young adults based in the UK and US. If that sounds surprising, it should. This isn’t a shadowy Russian intelligence operation. Scattered Spider, also tracked as Octo Tempest by Microsoft and UNC3944 by Google’s Mandiant, is part of a broader cybercriminal community known as The Com.

They’re the same group behind the 2023 MGM Resorts attack in Las Vegas, which followed a nearly identical playbook — call the help desk, impersonate an employee, get a password reset, and you’re in. Despite several members being arrested and charged (including a British national named Tyler Buchanan, indicted by the US Department of Justice in November 2024), the group’s decentralised structure means it keeps operating even as individuals are picked off.

The ransomware DragonForce was delivered through what’s essentially a franchise model. DragonForce operates a ransomware-as-a-service (RaaS) platform called “RansomBay,” where affiliates can white-label the ransomware under their own branding, keep 80% of any ransom collected, and let DragonForce handle the infrastructure, leak sites, and technical support. It’s cybercrime as a startup ecosystem.

In early June, M&S CEO Stuart Machin received a message directly from DragonForce, sent through a compromised employee email account, confirming they were behind the attack and claiming to have encrypted all of M&S’s servers.

The Fallout

The numbers tell a brutal story. M&S estimated the attack would cost approximately £300 million in lost profit for the financial year, with Deutsche Bank estimating around £15 million in lost profits every single week the systems remained down. The company’s market capitalisation dropped by over £1 billion at its lowest point, with shares falling more than 12%.

But the operational chaos was arguably worse than the financial hit. With automated inventory and ordering systems offline, M&S staff had to revert to pen and paper to track stock. Fresh food deliveries were logged manually. Employees were checking refrigerator temperatures by hand because automated monitors were down. Shelves sat empty. Around 200 warehouse workers were told to stay home. IT staff were reportedly sleeping in the office, trying to get things back online.

On May 13th, M&S confirmed the worst: customer data had been stolen. The compromised information included names, addresses, email addresses, phone numbers, dates of birth, online order histories, and masked payment card details. M&S stressed that no full payment card numbers or account passwords were taken, but as NordVPN’s CTO Marijus Briedis pointed out to Computer Weekly, even “harmless” data like order histories and email addresses can be weaponised to build highly convincing phishing campaigns. M&S forced password resets for all online accounts.

Online ordering didn’t resume until June 10th, 46 days after it was suspended, and even then, only for some clothing lines.

M&S Wasn’t Alone

What makes this story even more unsettling is that M&S wasn’t the only target. In the same period, the Co-op supermarket chain was hit by what appears to be the same group, with data on staff and millions of customers stolen. Co-op’s CIO sent an internal email suspending VPN access for all staff and warning employees to verify attendees on camera during Teams meetings, a sign of how deeply the attackers were feared to have penetrated. Harrods, the luxury London department store, also confirmed a cyberattack on May 1st.

The Cyber Monitoring Centre classified the M&S and Co-op attacks as a “single combined cyber event” with a combined financial impact estimated between £270 million and £440 million. In July 2025, four individuals were arrested by the National Crime Agency in connection with the attacks.

The Bigger Picture

There’s a temptation to frame this as an M&S-specific failure, but that misses the point. Professor Oli Buckley of Loughborough University described the situation plainly: when ransomware hits, it’s like setting off a digital bomb. Systems go dark, data gets encrypted, and recovery means rebuilding from the ground up, not just flipping a switch.

The uncomfortable reality is that Scattered Spider’s primary weapon wasn’t technical sophistication. It was social engineering: manipulating people. They didn’t break through a firewall. They called a help desk, and that help desk, operated by a third party, didn’t have verification procedures strong enough to catch an impersonator.

According to the UK government’s Cyber Security Breaches Survey, 74% of large UK businesses were targeted by cyberattacks in 2024. The M&S incident is a case study in how even organisations with significant cybersecurity budgets remain vulnerable when the weakest link is a human being on the other end of a phone call.

M&S reportedly holds cyber insurance coverage of up to £100 million and may seek to claim a significant portion. Whether the company paid a ransom remains unclear — Chairman Norman stated publicly that M&S took a “hands-off approach” to negotiating with the threat actors and refused to discuss ransom payments, saying it wasn’t “in the interest of the public.” Notably, DragonForce had not listed M&S on its data leak site as of July, which has fuelled speculation.

What is clear is that a group of young, English-speaking hackers, armed with little more than a phone, some stolen credentials, and off-the-shelf ransomware, managed to inflict hundreds of millions of pounds in damage on one of the UK’s most established retailers. And they did it the same way they’ve done it before, using the same techniques that worked at MGM, at Caesars, and at Twilio.

The tools to defend against this exist: phishing-resistant multi-factor authentication, strict identity verification at service desks, network segmentation, privileged access management. None of this is cutting-edge or unknown. The question, as always, isn’t whether organisations know what to do. It’s whether they’ve actually done it before the phone rings.


References & Further Reading

  1. BleepingComputer: Marks & Spencer breach linked to Scattered Spider ransomware attack (April 28, 2025)
  2. BleepingComputer: M&S says customer data stolen in cyberattack, forces password resets (May 13, 2025)
  3. Computer Weekly: Scattered Spider on the hook for M&S cyber attack (April 29, 2025)
  4. Computer Weekly: M&S forces customer password resets after data breach (May 13, 2025)
  5. Computer Weekly: Chaos spreads at Co-op and M&S following DragonForce attacks (May 2025)
  6. Al Jazeera: Harrods, M&S hit by cyberattack: What happened, who’s behind it? (May 2, 2025)
  7. The Hacker News: Four Arrested in £440M Cyber Attack on M&S, Co-op, and Harrods (July 11, 2025)
  8. Infosecurity Magazine: Inside DragonForce, the Group Tied to M&S, Co-op and Harrods Hacks (May 2025)
  9. BlackFog: Marks & Spencer Breach: How a Ransomware Attack Crippled a UK Retail Giant (2025)
  10. Specops Software: M&S ransomware hack: Service Desk & Active Directory security lessons (2025)
  11. Loughborough University: Why is the M&S cyber attack chaos taking so long to resolve? (April 2025)
  12. Aardwolf Security: M&S Data Breach Exposes Customer Information (2025)
  13. CM Alliance: The Marks and Spencer Cyber Attack: Everything You Need to Know (2025)
  14. Security Journal UK: M&S Cyber Attack: Everything We Know (June 10, 2025)
  15. Sangfor: Marks & Spencer Cyberattack: A Wake-Up Call for Supply Chain Cybersecurity (May 26, 2025)
  16. Towergate Insurance: M&S Cyberattack: What Happened and Why? (2025)
  17. Picus Security: Retail Under Fire: Inside the DragonForce Ransomware Attacks (May 2, 2025)
  18. Ampcus Cyber: How Scattered Spider Compromised M&S’s Network: Key Findings (2025)
