
Scattered Spider Identified as Suspect in Major M&S Cyberattack – Source: hackread.com


Cyberattack on Marks & Spencer: A Major Breach Linked to Scattered Spider

A significant cyberattack on the British retail giant Marks & Spencer (M&S) has sent shockwaves through the business community, linking the incident to the infamous hacking group known as Scattered Spider. This organization has gained notoriety through its previous high-profile breaches, including an attack on MGM Resorts in 2023. The ramifications of this latest incident have been profound, severely disrupting M&S’s operations and frustrating customers.

According to a report from Hackread.com dated April 23, 2025, the cyberattack resulted in the shutdown of several key services at M&S, including contactless payment systems and the Click and Collect service. Customers encountered significant difficulties due to these disruptions, with online deliveries delayed and the company pausing online orders altogether. The report further indicated that cybersecurity specialists suspect the disruption might be a result of ongoing ransomware activities, where sensitive data is encrypted, and attackers demand a ransom for its release.

Recent investigations have uncovered alarming details regarding the extent of the breach. Reports suggest that the hackers may have initially infiltrated M&S’s systems as early as February 2025. During this infiltration, they allegedly stole a critical file known as NTDS.dit from M&S’s Windows domain. This file is the Active Directory database that holds the domain’s user accounts and their password hashes. With a copy of this file, the attackers could crack the passwords, allowing them to traverse the network and seize control of additional systems.

Following this early access, it appears that the attackers deployed the DragonForce encryptor against M&S’s virtual machines running on VMware ESXi hosts. This encryption attack was launched on April 24, 2025. Investigative findings have increasingly pointed to Scattered Spider as the group that orchestrated the attack, showcasing its operational capabilities.

The repercussions of this cyber incident have extended well beyond technological disruptions. M&S has acknowledged “pockets of limited availability” in its physical stores, revealing that customers have faced empty shelves across the nation. The disruption has been so severe that it has led to significant shortages in stock, indicating a breakdown in the supply chain. Gift card transactions and online purchases have also been affected, adding to customer dissatisfaction.

Financially, M&S has reported a staggering estimated loss of around £650 million in market valuation following the attack. The suspension of online sales may be costing them approximately £3.5 million per day. While the retailer has largely remained tight-lipped about the specifics surrounding the cyberattack, it has noted that taking its systems offline was a necessary precaution to prevent further damage. In-store employees anticipate that these disruptions could persist for at least another week, leaving many customers frustrated amidst ongoing stock shortages.

Evaluating the Scattered Spider group reveals a unique operational structure. Unlike traditional hacking collectives, Scattered Spider does not function as a cohesive unit but rather as a loose assembly of individuals who vary with each attack. This fluid nature contributes to making them particularly difficult to track and apprehend. Their methods often include advanced social engineering techniques and the deployment of various strains of ransomware, including BlackCat ransomware.

Many members of this hacking group are believed to be native English speakers originating from Western Europe and the United States. Despite arrests of several individuals associated with Scattered Spider in both the U.S. and the U.K., the group remains active and continues to pose a significant threat to major organizations. The recent attack on M&S highlights their capacity for disruption and indicates that they remain a force to be reckoned with in the world of cybercrime.

In conclusion, the cyberattack on Marks & Spencer has sparked distress among consumers and investors alike, prompting a closer examination of cybersecurity measures within large corporations. As M&S works to restore services and mitigate the damage, the incident serves as a poignant reminder of the vulnerabilities many businesses face in an increasingly interconnected digital landscape.
