Analysis of the social engineering attack on Marks & Spencer - Scattered Spider and DragonForce


Marks & Spencer Social Engineering Attack Overview

Marks & Spencer (M&S) fell victim to a sophisticated social engineering attack in April 2025 that led to significant operational disruption and financial losses. The attack demonstrates how cybercriminals are increasingly targeting human vulnerabilities rather than technical system weaknesses.

Attack Method and Initial Breach

The attackers used sophisticated impersonation tactics to breach M&S systems through a third-party contractor. M&S CEO Stuart Machin confirmed that hackers were "unable to get into our systems by breaking through our digital defences" and instead resorted to social engineering tactics [3]. The attack involved impersonating employees to trick IT help desk workers into resetting passwords [7].

M&S Chairman Archie Norman revealed that the threat actors impersonated one of the 50,000 people working with the company to trick a third-party entity into resetting an employee's password [5]. The attack was described as a "sophisticated impersonation attack" in which the attackers presented themselves as legitimate employees, complete with those employees' details, rather than simply requesting a password change [5].

Third-Party Involvement

Sources identified Tata Consultancy Services (TCS) as the third-party contractor involved in the breach. TCS provides help desk support for M&S and was reportedly tricked by the threat actors into resetting an employee's password, which was then used to breach the M&S network [5]. At least two TCS employees' M&S logins were allegedly used as part of the breach [6].

Threat Actor Attribution

The attack has been linked to the Scattered Spider cybercriminal group, which deployed DragonForce ransomware on M&S networks [5]. Scattered Spider is known for its effective impersonations and social engineering tactics, having previously targeted Las Vegas casinos MGM Resorts and Caesars Entertainment using similar help desk manipulation techniques [1].

Impact and Response

The attack caused significant disruption to M&S operations. The company was forced to suspend online orders and experienced empty food shelves after taking food-related systems offline [3]. Bank of America analysts estimated that M&S lost more than £40 million in sales every week since the incident began [3], with total costs potentially reaching $400 million [6].

Customer data, including names, dates of birth, phone numbers, home addresses, email addresses, and online order histories, was stolen, though no payment card information was compromised [3]. Approximately 150GB of data was believed to be stolen, with numerous VMware ESXi servers encrypted [5].

Broader Implications

The M&S attack highlights the vulnerability of supply chain relationships and the effectiveness of social engineering tactics. Security experts noted that the attack demonstrates how a single vulnerability in the supply chain can cascade across entire networks [6]. The incident serves as a reminder that organizations must implement robust verification procedures for help desk operations and maintain comprehensive incident response plans [4].

Sources and References

[1] (ReliaQuest Press Releases) How to prepare IT teams for social engineering attacks - https://www.itbrew.com/stories/2025/06/13/how-to-prepare-it-teams-for-social-engineering-attacks

[3] (Retail Systems) Marks & Spencer reveals hackers breached systems through third-party contractor - https://www.retail-systems.com/rs/Marks_Spencer_Reveals_Hackers_Breached_System_Through_Third_Party_Contractor.php

[4] (SecurityBrief Asia) Marks & Spencer cyber attack sparks customer data security fears - https://securitybrief.asia/story/marks-spencer-cyber-attack-sparks-customer-data-security-fears

[5] (BleepingComputer) M&S confirms social engineering led to massive ransomware attack - https://www.bleepingcomputer.com/news/security/mands-confirms-social-engineering-led-to-massive-ransomware-attack/

[6] (Cybernews) M&S confirms breach was result of third-party vendor social engineering attack - https://cybernews.com/news/marks-spencer-breach-tcs-third-party-vendor-social-engineering-attack/

[7] (Security Magazine) Marks & Spencer Hackers Tricked IT Workers Into Resetting Passwords - https://www.securitymagazine.com/articles/101609-marks-and-spencer-hackers-tricked-it-workers-into-resetting-passwords

Cyberattack and Financial Impact

Marks & Spencer (M&S) experienced a devastating cyberattack over Easter 2025 that severely disrupted its operations and is expected to cost the company around £300 million ($402 million) in lost profits [2][3]. The attack, linked to the notorious Scattered Spider cybercriminal group and claimed by the DragonForce ransomware operation, forced M&S to suspend online shopping operations on April 25, 2025 [1][3].

The cyberattack had widespread operational impacts, affecting card payments, gift cards, Click and Collect services, and causing food product shortages in stores [1][4]. Online disruption was expected to continue through June and into July 2025, with the company working to gradually restart operations [2].

Data Breach and Customer Impact

M&S confirmed that hackers stole personal customer information, including names, dates of birth, home addresses, and telephone numbers of millions of customers [2][7]. However, the company emphasized that no usable payment or card details or account passwords were compromised [2][8].

The retailer wrote to at least 18 million customers to inform them of the data breach and advised vigilance against potential fraudulent communications claiming to be from M&S [8].

Business Operations and Recovery

M&S operates approximately 1,000-1,400 stores across Britain and makes around one-third of its clothing and home sales online, making the digital disruption particularly damaging [4][7]. The company's share price fell significantly following the attack, with approximately £700 million wiped off its stock market value [4].

Chairman Archie Norman described the attack as "traumatic" and noted that M&S was "fortunate" the incident occurred while the business was performing well, stating that if it had happened during the company's previous struggles, "we would have been kippered" [10].

Leadership Changes and Business Strategy

Despite the cyber challenges, M&S continued with planned leadership changes, appointing John Lyttle as the new managing director of clothing, home and beauty in March 2025 [6]. Lyttle, formerly CEO of Boohoo Group, succeeded Richard Price, who left in April 2025 to pursue a portfolio career [6].

The company also announced significant investment plans, including £90 million for its London store estate with 17 new and improved stores planned, focusing on new Foodhalls and store renovations [9].

Regulatory and Operational Challenges

Beyond cybersecurity issues, M&S faced additional operational challenges, particularly regarding Northern Ireland trade regulations. CEO Stuart Machin criticized new labeling requirements for products shipped from Great Britain to Northern Ireland as "bureaucratic madness," with over 1,000 M&S products requiring "not for EU" labels [5].

Sources and References

[1] (Hacking Archives - Security Affairs) British retailer giant Marks & Spencer (M&S) is managing a cyber incident - https://securityaffairs.com/176820/hacking/marks-spencer-ms-is-managing-a-cyber-incident.html
[2] (Malay Mail - Money) Marks and Spencer cyberattack to drag on until July, costing RM1.8b - https://www.malaymail.com/news/money/2025/05/21/marks-and-spencer-cyberattack-to-drag-on-until-july-costing-rm18b/177617
[3] (BleepingComputer) Marks & Spencer faces $402 million profit hit after cyberattack - https://www.bleepingcomputer.com/news/security/marks-and-spencer-faces-402-million-profit-hit-after-cyberattack/
[4] (News - FashionNetwork.com Worldwide) Britain's M&S enters second week of sales disruption after cyberattack - https://ww.fashionnetwork.com/news/Britain-s-m-s-enters-second-week-of-sales-disruption-after-cyberattack,1726149.html
[5] (Money | This is Money) Marks & Spencer hits out at grocery red tape madness - https://www.thisismoney.co.uk/money/markets/article-14854819/Marks-Spencer-hits-grocery-red-tape-madness.html
[6] (fashionunited.in) Marks & Spencer names new clothing, home and beauty boss - https://fashionunited.in/news/people/marks-spencer-names-new-clothing-home-and-beauty-boss/2025020648737
[7] (CyberNews Press Releases) Marks and Spencer cyber nightmare continues as customer information leaks - https://cybernews.com/news/marks-spencer-customer-data-leak/
[8] (Money | This is Money) Marks & Spencer to claim £100m in losses after Easter cyber attack hits sales - https://www.thisismoney.co.uk/money/markets/article-14712785/Marks-Spencer-claim-100m-losses-Easter-cyber-attack-hits-sales.html
[9] (fashionunited.uk) Marks & Spencer to invest 90 million pounds in London store estate - https://fashionunited.uk/news/retail/marks-spencer-to-invest-90-million-pounds-in-london-store-estate/2025042281193
[10] (Money | Mail Online) M&S 'could have been destroyed by cyber hack': High Street chain braces for £300m profits hit - https://www.thisismoney.co.uk/money/markets/article-14886651/M-S-destroyed-cyber-hack-High-Street-chain-braces-300m-profits-hit.html