M&S Cyberattack: What Happened and What It Means for Customers
With just a few days left before summer begins, seasonal shopping has hit a major pause as Marks and Spencer (M&S) has suffered a significant data breach. But what exactly happened, and what does it mean for customers worldwide?
Cyber Attack Over Easter Weekend
During the Easter weekend, between April 19th and 20th, M&S was targeted by a cyber-attack carried out by a hacker group known as “Scattered Spider,” which is linked to the DragonForce collective. The hackers exploited a vulnerability through a third-party contractor believed to be Tata Consultancy Services (TCS) to gain unauthorised access to M&S systems and remained undetected for 52 hours.
The breach was publicly acknowledged on April 23rd and forced M&S to suspend online orders, disrupting supply chains, and leading to empty shelves in some stores.
CEO Statement
Recently, M&S CEO Stuart Machin publicly addressed the incident, acknowledging that human error played a key role in the breach. He emphasised that while technical defences were in place, a lapse in oversight by a third-party provider ultimately opened the door to the attackers. The CEO described this breach as the most challenging situation his team has faced and highlighted the company’s commitment to emerging as a more resilient business in its aftermath.
What Data Was Accessed?
Marks & Spencer confirmed that the data breach has compromised a range of customer information. This includes names, email addresses, phone numbers, home addresses, dates of birth, order history, and masked payment card information. Additionally, customer reference numbers associated with M&S credit and Sparks Pay accounts may also have been exposed.
The Breach’s Effect on Customers
Although no full payment card data was stolen, the compromised information still poses risks like phishing attacks, identity theft, or fraud. M&S has urged all customers to:
- Reset their passwords when they next log in.
- Stay alert for suspicious emails or calls.
- Monitor bank statements and accounts for unusual activity.
Breach Impact on M&S
- Online orders have been paused since 25th of April.
- Estimated loss of £40 million in weekly sales.
- A 15% drop in market share price, wiping over £1 billion from market value.
- M&S is filing claims through a cyber insurance policy estimated to be worth up to £100 million.
The Ongoing Response
M&S is collaborating with cybersecurity experts and law enforcement, including the UK’s National Crime Agency and the FBI. While online services remain limited, the company is working toward full restoration and continues to provide updates through its official website. The Information Commissioner’s Office (ICO) is also investigating the breach and may impose fines, depending on the extent of data loss and regulatory failures.
The Bigger Picture
M&S wasn’t the only UK retailer targeted. The same hacker group also breached Co-op and attempted an attack on Harrods. At Co-op, hackers accessed internal systems and customer contact details. The company acted quickly to shut down parts of its IT systems, preventing full ransomware encryption, but still faced disruptions and data loss. Harrods reportedly blocked the attack before major damage occurred.
The attackers, referring to themselves as putting UK retailers on the “Blacklist” (inspired by the crime thriller series The Blacklist), have warned of more attacks to come. These events underscore the growing threat posed by organised cybercriminals and the urgent need for stronger cybersecurity measures across the retail sector.
Conclusion
The M&S data breach serves as both a warning and a reminder to retail vendors about the critical importance of investing in robust cybersecurity measures. It also highlights the ongoing threat posed by groups like DragonForce, whose efforts to disrupt retail operations and compromise data security continue to grow more sophisticated. Vigilance and proactive defence are no longer optional, they’re essential.
At a time when the retail sector is under fire, partnering with experienced cybersecurity specialists can make all the difference. Cybnode supports businesses with threat mitigation and the development of stronger, more resilient infrastructures, maintaining security behind every node.
References
CYBNODE's cyber analysts are world-class experts in threat intelligence, threat hunting, and incident response. 'CYBNODE Blogs' is authored exclusively by these specialists, offering in-depth analyses of real-world cyber incidents and emerging threat trends drawn from their frontline experience.
Staying ahead demands perspectives you can trust.
Explore the latest cybersecurity innovations.
How DevSecOps and Machine Learning Are Changing Software Security
In today’s digital world, software is at the heart of almost every business operation. From mobile banking to hospital systems, software makes life easier and more connected. However, when software is built without proper security or compliance in mind, it can become a serious risk. Cyberattacks, data leaks, and regulatory fines can damage both reputation […]
Beyond the Surface: What is OSINT Open Source Intelligence?
Open-Source Intelligence (OSINT) has become an indispensable part of cybersecurity, journalism, law enforcement, and even competitive business intelligence. OSINT refers to the practice of collecting and analysing information from publicly available sources. These sources could be anything from social media posts and news articles to public databases and satellite imagery. In fact, analysts estimate that […]
M&S Cyberattack: What Happened and What It Means for Customers
With just a few days left before summer begins, seasonal shopping has hit a major pause as Marks and Spencer (M&S) has suffered a significant data breach. But what exactly happened, and what does it mean for customers worldwide? Cyber Attack Over Easter Weekend During the Easter weekend, between April 19th and 20th, M&S was […]