Inside the Marks & Spencer Cyberattack: Technical Analysis and Timeline

by Greg Johnson, Owner / Developer

TL;DR

  • What Happened? - In early 2025, Marks & Spencer (M&S) was hit by a major ransomware attack that disrupted online orders, in-store systems, and internal operations.
  • How They Got In - Attackers used social engineering to trick a third-party help desk into resetting credentials and disabling MFA, bypassing security without phishing or software exploits.
  • Technical Exploits - Once inside, hackers stole the Active Directory NTDS.dit file, cracked passwords offline, escalated privileges, and moved laterally across the network undetected.
  • The Ransomware - Around Easter, they launched DragonForce ransomware on critical systems — especially VMware ESXi servers — locking out key services like online shopping and stock management.
  • Data Stolen - Attackers exfiltrated personal data: names, addresses, DOBs, email, partial card info, and shopping history. M&S forced password resets and notified affected customers.
  • Threat Actors - Believed to be Scattered Spider, an English-speaking social engineering group using DragonForce as part of a ransomware-as-a-service operation.
  • M&S Response - Worked with CrowdStrike and Microsoft to investigate and rebuild. Online services were down for weeks. The attack cost an estimated £100–300 million in damages.
  • Key Lessons - Vet third-party access. Harden help desk procedures. Monitor AD for suspicious activity. Implement layered defences. Practice breach simulations.

Attack Overview and Initial Breach

In April 2025, British retail giant Marks & Spencer (M&S) suffered a major cyberattack that severely disrupted its operations. The incident was ultimately confirmed to be a ransomware attack, paralysing M&S’s online shopping systems and affecting in-store services. Investigations revealed that the breach likely began weeks earlier, as far back as February 2025, when attackers stealthily gained access to M&S networks. The initial intrusion did not exploit a software vulnerability in the traditional sense - instead, it exploited human trust. Attackers impersonated an authorised person and social-engineered an IT service desk (reportedly a third-party contractor’s help desk) into resetting credentials and disabling multi-factor authentication, giving the hackers their foothold in the network. M&S’s CEO later confirmed the entry point was via a third-party partner and “human error” through social engineering, stressing that the company’s own infrastructure wasn’t simply left open by under-investment. This help-desk impersonation tactic is a hallmark of the threat group involved, allowing the attackers to bypass perimeter defences without needing phishing links or software exploits.

Once inside M&S’s IT environment, the attackers moved methodically. They targeted Active Directory, extracting the Windows domain controller’s NTDS.dit database - a “crown jewels” file that stores hashed passwords for all users in the domain. With this file in hand, the attackers cracked the password hashes offline, yielding a collection of valid credentials (including administrative accounts) for M&S systems. Armed with these credentials, they could quietly escalate privileges and laterally traverse the network using legitimate admin tools, remaining under the radar. Over a period of weeks, the intruders are believed to have stolen sensitive data and positioned themselves to inflict maximum damage just before the attack became public.

Systems Compromised and Ransomware Deployment

By the Easter weekend of 2025, the attackers unleashed the final stage of their plan by deploying ransomware across M&S’s infrastructure. Specifically, the “DragonForce” ransomware (a relatively new ransomware-as-a-service strain active since late 2023) was used to encrypt systems. The hackers targeted VMware ESXi virtual machines hosting critical servers, swiftly scrambling data and locking M&S out of core systems. This encryption of servers and VMs caused immediate outages: M&S’s online retail platform was brought down, and many internal processes ground to a halt. The attack struck on April 22, 2025, forcing M&S to stop accepting online orders and triggering emergency incident response measures. In the days that followed, M&S confirmed it had taken parts of its IT environment offline as a precaution to contain the spread of malware and protect interconnected partners and suppliers.

Customer-facing and operational systems were heavily impacted. In stores, for example, contactless payment systems were knocked out for at least 72 hours following the breach. The “Click & Collect” service (where customers buy online and pick up in store) was also rendered inaccessible. M&S temporarily suspended all new online orders, displaying maintenance messages on its website and apps. Inventory and supply-chain systems were disrupted as well - some food halls saw empty shelves or incomplete stock assortments because distribution systems had been taken offline for safety. Even ancillary services like gift card processing and online job application systems were affected or shut down as a result of the attack. In short, the ransomware’s encryption of critical servers had a cascading effect on both digital and physical retail operations.

Beyond the IT systems, the attackers also exfiltrated a significant amount of data prior to encryption. On May 13, M&S publicly confirmed that some personal customer information was stolen during the breach. According to an FAQ published by the company, the compromised data included:

  • Contact information: full names, home addresses, phone numbers, and email addresses
  • Personal details: dates of birth and household demographic information
  • Shopping records: customers’ online order histories and loyalty program references (e.g. Sparks Pay reference numbers)
  • Obscured payment info: “masked” payment card details (partial card numbers) - note that no usable card numbers or CVV data were stored or taken

M&S stated that account passwords were not compromised in this attack (passwords were not stored in plain text on those systems). However, as a precaution, the retailer forced password resets for all online customer accounts and advised users to be vigilant of phishing attempts leveraging their leaked data. There was no immediate evidence that the stolen customer data had been circulated or sold on the dark web, but M&S worked with authorities to monitor for any such signs.

Security Vulnerabilities and Exploited Weaknesses

Notably, the attackers did not rely on unpatched software vulnerabilities or zero-day exploits to breach M&S. Instead, the breach underscores the exploitation of procedural and human security gaps. The weakest link was the help desk verification process: by successfully duping an IT support desk employee, the attackers obtained legitimate credentials and even got multifactor authentication turned off, effectively sidestepping technical defences. This social engineering ploy took advantage of insufficient identity verification - for example, help desk staff may have accepted a phone call at face value without rigorous checks, illustrating a human-factor vulnerability. The UK’s National Cyber Security Centre (NCSC) later highlighted this incident as a wake-up call for businesses to tighten their service desk procedures to prevent unauthorised password resets or MFA resets via impersonation.

Once inside, the attackers also leveraged misconfigurations or inherent weaknesses in network architecture. Gaining Active Directory domain admin access (through the stolen NTDS.dit) gave them broad, trusted access across systems, essentially turning M&S’s own infrastructure against itself. The fact that the intruders could exfiltrate the entire AD database suggests that network segmentation and monitoring may have been insufficient - they were able to access a domain controller and pull sensitive files without immediate detection. Additionally, the lack of egress restrictions or anomaly detection allowed large-scale data exfiltration (including customer data dumps) to occur covertly before the ransomware detonation. In summary, the “vulnerabilities” exploited were primarily human and process-based, compounded by the potent access gained through Active Directory exploitation. Traditional endpoint security might have flagged malware, but in this case the final payload was launched using legitimate credentials and an allow-listed admin path, making it harder to catch until the damage was done.

The ransomware used, DragonForce, is an emerging threat itself. DragonForce is a ransomware-as-a-service (RaaS) operation that launched around December 2023. It operates an affiliate model - essentially a “franchise” where different cybercriminal teams can deploy the DragonForce malware in exchange for a profit share with the ransomware developers. In this attack, DragonForce was used to encrypt M&S’s VMware ESXi servers and other systems, after the attackers had already stolen data for extortion leverage. The choice to target ESXi hypervisors is consistent with maximising impact: by encrypting virtualisation hosts, the attackers could simultaneously disable many critical servers (online store, databases, logistics systems, etc.) with one stroke. DragonForce’s encryption rendered data inaccessible, and like typical ransomware, the attackers presumably left ransom notes or demands. (As of the latest updates, M&S has not disclosed details of any ransom amount or negotiations - the company focused on restoring systems from backups and hardening security rather than publicly discussing payment.)

Suspected Threat Actors and Their Tactics

Scattered Spider is the name being linked to this cyberattack. Scattered Spider (also tracked under aliases like UNC3944, Octo Tempest, 0ktapus, or Muddled Libra by various security firms) is not a single monolithic gang but rather a loose collective of threat actors known for a common set of techniques. They are an English-speaking group of (often young) hackers notorious for social engineering mastery - precisely the kind of help-desk impersonation and credential theft seen in the M&S breach. In past incidents, Scattered Spider actors have used tactics like phishing employees (especially targeting single sign-on portals), SIM swapping to hijack phone numbers for OTP bypass, MFA fatigue attacks (bombarding users with authentication prompts), and calling IT support posing as internal staff. Their goal is typically to obtain valid credentials and MFA access, then escalate privileges to carry out data theft and ransomware deployment for extortion.

Investigators believe the M&S attack matches Scattered Spider’s modus operandi. Reports indicate the hackers behind M&S’s breach were affiliates working with the DragonForce ransomware operation, and their social engineering techniques mirror those of Scattered Spider (which was infamously behind the Sept 2023 MGM Resorts breach using similar help-desk tricks). In fact, law enforcement and cyber responders in the UK homed in on a group of teens and young adults as the prime suspects, consistent with Scattered Spider’s known composition. The BBC reported that the cybercriminals themselves (communicating under the DragonForce name) claimed responsibility not only for M&S but also for a concurrent ransomware attack on the Co-op supermarket chain and an attempted hack of Harrods department store. This suggests the same threat actor cell was running a broader campaign against UK retailers in that timeframe.

Scattered Spider’s tactics, techniques, and procedures (TTPs) in the M&S case included:

  • Initial access via social engineering - exploiting a third-party contractor’s access by impersonating an IT staff member and tricking a service desk employee.
  • Privilege escalation and credential theft - using reset credentials to infiltrate Active Directory, then dumping password hashes (NTDS.dit) and cracking them to gain widespread login access. They likely also harvested session tokens or leveraged admin tools (e.g. Windows utilities, RDP) to move between systems.
  • Stealth and persistence - maintaining access for weeks, possibly via web shells or scheduled tasks, and quietly exfiltrating data. They took care to disable security controls (like MFA on targeted accounts) and avoid detection by blending in with normal IT activity.
  • Data theft for double-extortion - stealing customer and internal data to later pressure M&S. By the time ransomware was deployed, they had already secured archives of sensitive data off-site. (The group boasted of stealing millions of customer records in related attacks, per news reports.)
  • Ransomware deployment (execution phase) - launching the DragonForce encryptor on critical servers, notably ESXi hypervisors, to encrypt virtual machines at scale. This was timed for maximum disruption, hitting around a busy retail period (Easter) to increase pressure. The attackers then likely issued a ransom demand along with threats to leak stolen data if unpaid (a hallmark of modern ransomware operations).

This combination of high-tech know-how (AD exploitation, VM encryption) and low-tech trickery (social engineering calls) is characteristic of Scattered Spider’s playbook. The group’s boldness is also evident - by targeting household-name companies like M&S and openly bragging to media, they seek notoriety alongside profit. UK authorities and cyber experts have noted that Scattered Spider affiliates collaborate with established ransomware gangs in a profit-sharing model, bridging English-speaking social engineers with predominantly Russian-developed ransomware tools. In the M&S attack, this manifested as the English-speaking hackers using the DragonForce “franchise” to carry out the extortion.

M&S’s Response and Mitigation Efforts

M&S acted swiftly (and transparently) once the cyberattack was discovered. On April 22, the company filed a public disclosure with the London Stock Exchange, notifying investors of a “cybersecurity incident” and announcing that external cybersecurity experts had been engaged to help contain and investigate it. M&S brought in top-tier incident response firms - reportedly including CrowdStrike, Microsoft’s DFIR team, and Fenix24 - to work alongside their IT staff in analysing the intrusion and restoring services. In the immediate aftermath, proactive containment measures were taken: certain systems were taken offline (to stop the malware’s spread), and as mentioned, online ordering was completely paused by April 25 as a precaution. The company communicated these steps to customers via its website banner, social media, and emails, apologising for the inconvenience and emphasising that stores remained open for shopping in person.

Once forensic analysis confirmed the scope of data theft, M&S moved to notify affected customers. CEO Stuart Machin posted a public letter (on the company’s Facebook page and website) on May 13, informing customers that some personal data had been taken but reassuring them that payment card details and passwords were not exposed. The company’s notice and an FAQ outlined exactly what data was compromised (as detailed earlier) and warned customers to be vigilant against any phishing emails, calls, or texts that might use their personal info. M&S explicitly stated it would never contact customers asking for passwords or sensitive info, urging people to report any suspicious communications. Additionally, all users were required to reset their M&S account passwords at next login, a measure designed to invalidate any credentials that might have been stolen (even though M&S said they believed passwords weren’t leaked, it was a “peace of mind” step). The company also likely rolled out internal password resets and improved security for employee accounts, given the attackers had harvested internal credentials.

On the technical mitigation side, M&S and its partners undertook a comprehensive cleanup: rebuilding infected servers, restoring data from backups, and carefully scanning for any backdoors or persistence mechanisms left by the hackers. Given the breach stemmed from a third-party connection, M&S also reviewed access controls for vendors and improved authentication processes - for example, the NCSC recommended tightening help desk verification procedures, which presumably M&S has adopted (such as requiring additional identification before honouring password reset requests). In public statements, M&S’s leadership stressed that they were “working hard to restore services and minimise disruption,” with support from “industry-leading experts” in cybersecurity. They coordinated with law enforcement agencies (including the NCSC and potentially the National Crime Agency) to investigate the criminals behind the attack.

Another aspect of M&S’s response was financial mitigation. The company indicated it would leverage its cyber insurance policies to offset losses - reports suggested M&S could claim up to £100 million from insurers to cover the damages. These damages were substantial: by late May, M&S estimated the attack had cost it ~£30-40 million in lost sales within weeks, and it projected a total hit of around £100-300 million to its year-end profit due to prolonged disruption. The firm’s share price dropped over 10% in the aftermath, reflecting investor concern. However, M&S stated it was actively managing costs and expected insurance to cover a significant portion of the immediate losses. Stuart Machin (CEO) framed the incident as a challenge from which M&S would “emerge stronger,” even suggesting that it provided an impetus to accelerate upgrades to their systems and security architecture.

Crucially, M&S did not rush back online at the expense of security. The company kept its online operations partially offline for several weeks to thoroughly sanitise systems. In a mid-May update, M&S told customers that some online shopping functionality would start to return in June, and full operations (including back-end workflows) would remain disrupted until July 2025 as they safely rebuilt the network. This measured restoration timeline underscores that M&S prioritised a careful recovery over a hasty one, aiming to ensure the attackers were fully evicted and no residual malware remained. By early July, reports indicated that online orders had indeed resumed after the extended downtime, with additional safeguards in place. M&S also undoubtedly conducted a post-incident review to glean lessons - for example, improving network segmentation, instituting stricter privileged access management, and enhancing employee security training (especially for IT support staff) to prevent a similar breach in the future.

Timeline of Key Events

  • February 2025: Initial Breach. Attackers gain a foothold in M&S’s IT systems, possibly via a compromised third-party vendor (logistics partner) account. Social engineering is used to impersonate an insider and obtain login credentials. The intruders then quietly exfiltrate the Active Directory NTDS.dit database, stealing password hashes for the entire domain. They spend the next several weeks expanding access and extracting data without detection.
  • April 21-22, 2025: Ransomware Detected. Around the Easter weekend, the attackers execute the DragonForce ransomware across M&S’s network. Key servers and VMware ESXi hosts are encrypted, causing system outages. M&S’s IT team and security partners respond to contain the incident. On April 22, M&S publicly discloses a cyber incident via a London Stock Exchange filing, and begins notifying stakeholders that certain services are down.
  • April 23-25, 2025: Service Outages and Response. M&S takes drastic containment measures. By April 25, the company suspends all new online orders on its website and app, displaying notices that online shopping is paused. It confirms that in-store contactless payments and Click & Collect services have been disrupted by the attack, and some processes were taken offline deliberately to protect the wider business. M&S brings in external cyber forensics and recovery experts (e.g. CrowdStrike, Microsoft) to assist. The incident makes headlines as one of the most severe cyberattacks on a UK retailer to date.
  • Late April - Early May 2025: Investigation and Attribution. Cybersecurity investigators piece together the attack vector. BleepingComputer reports that the breach was likely carried out by the Scattered Spider collective using help-desk social engineering, and that the DragonForce ransomware group’s malware was deployed. The UK NCSC issues guidance urging companies to review their help desk security processes in light of this incident. M&S and fellow victim Co-op decline detailed comment during the investigation. Meanwhile, the attackers themselves (using the name DragonForce) tell BBC reporters that they were behind the M&S attack (as well as attacks on Co-op and an attempted intrusion at Harrods) - essentially claiming responsibility and showcasing the breadth of their campaign. Law enforcement becomes involved as the hunt for the perpetrators ramps up.
  • May 13, 2025: Customer Data Breach Confirmed. After forensic analysis, M&S confirms that customer data was stolen in the cyberattack and begins customer notifications. CEO Stuart Machin publishes an open letter explaining what information was taken (names, contacts, birthdates, etc., but no full card details or passwords). M&S invalidates all customer passwords, forcing a reset on next login as a precaution. Customers are advised to be wary of scams or phishing attempts using their data. The company reiterates that it is working “night and day” with cybersecurity experts to restore normal operations.
  • May 21, 2025: Impact Assessment and Additional Details. In a press briefing and investor update about a month post-attack, M&S’s chief executive sheds more light on the cause, attributing it to a third-party contractor’s compromised access via social engineering (“human error”). M&S reveals the financial toll: roughly £3.5 million in sales lost per day of online outage (analysts estimate ~£30 million lost in the first month). They project total costs up to £100-300 million for the incident, though insurance and mitigation efforts will offset some of this. M&S announces that, while progress is being made in recovery, online shopping will remain partly offline until June and fully back by July - confirming a lengthy disruption unprecedented for the company. (By mid-June, M&S gradually reopened its online storefront, and by early July it reported that online orders were functioning again, marking the end of the immediate crisis.)
  • Post-July 2025: Ongoing Aftermath. In the following months, M&S continues to work with authorities on the criminal investigation. Attention turns to regulatory follow-up - the UK Information Commissioner’s Office (ICO) and other regulators assess whether proper data protection measures were in place and if any fines are warranted, given that personal data was compromised. M&S doubles down on cybersecurity improvements internally, learning from the hard lessons of this attack. The incident also sparks industry-wide action: retailers across the UK heighten their cyber defences, especially around third-party access and help-desk authentication, to avoid becoming the next victim of the Scattered Spider tactics.

Sources: M&S public statements and FAQ, news reporting by BBC, Reuters, BleepingComputer, The Guardian, and security analyses. These confirmed reports provide a detailed picture of how the attack unfolded, the systems and data affected, the threat actors and methods involved, and how Marks & Spencer responded to one of the most disruptive cyberattacks in recent UK retail history.


Key Lessons for SMEs

  1. Third-Party Risk Is Business Risk
    Review partner access policies. Require MFA, access logs, and breach notifications from vendors.

  2. Protect the Helpdesk
    Train staff to verify identity and escalate suspicious access requests. Use secure verification protocols.

  3. Monitor Directory Services
    Watch for unusual LDAP queries, privilege changes, and NTDS.dit access attempts.

  4. Layered Ransomware Defence
    Combine endpoint detection, immutable backups, and network segmentation.

  5. Regular Breach Drills
    Test how your business would respond to a ransomware attack. Include legal, PR, and operations.
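The directory-monitoring points in lesson 3 (and the help-desk reset concern in lesson 2), as an added example that is not code from the article or from M&S’s responders: a small Python detector, run over constructed Windows Security-log records, that flags replication rights exercised by non-DC accounts, NTDS.dit-capable tooling, additions to privileged groups and password resets on high-value accounts, then groups the hits by actor. The event IDs are the standard Windows Security ones; the record format, field names and account names are assumptions for illustration.

```python
"""Added example, not from the article: scan constructed Windows Security
event records for the AD signals in Lesson 3. Field names, account names and
the record format are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Extended-rights GUIDs that permit directory replication. Only domain
# controllers should exercise them; any other account doing so is the classic
# sign of NTDS.dit secrets being pulled over the wire (DCSync).
REPLICATION_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
)
DC_ACCOUNTS = {"DC01$", "DC02$"}                   # assumed DC machine accounts
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
PRIVILEGED_USERS = {"svc_vcenter", "adm_backup"}   # assumed high-value accounts


@dataclass
class Finding:
    event_id: int
    subject: str   # account that performed the action
    reason: str


def parse_record(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def analyse(records):
    """Return a Finding for every record that trips a Lesson-3 detection rule."""
    findings = []
    for line in records:
        rec = parse_record(line)
        eid = int(rec.get("EventID", "0"))
        who = rec.get("Subject", "?")
        if eid == 4662:  # an operation was performed on a directory object
            props = rec.get("Properties", "").lower()
            if any(g in props for g in REPLICATION_GUIDS) and who not in DC_ACCOUNTS:
                findings.append(Finding(eid, who, "replication rights used by a non-DC account (possible NTDS.dit dump)"))
        elif eid == 4688:  # a new process has been created
            proc = rec.get("NewProcessName", "").lower().rsplit("\\", 1)[-1]
            cmd = rec.get("CommandLine", "").lower()
            if proc == "ntdsutil.exe" or (proc == "vssadmin.exe" and "create shadow" in cmd):
                findings.append(Finding(eid, who, f"NTDS.dit-capable tool launched: {proc}"))
        elif eid in (4728, 4732, 4756):  # member added to a security group
            group = rec.get("Group", "")
            if group in PRIVILEGED_GROUPS:
                findings.append(Finding(eid, who, f"{rec.get('Member')} added to {group}"))
        elif eid == 4724:  # password reset attempted on another account
            target = rec.get("Target", "")
            if target in PRIVILEGED_USERS:
                findings.append(Finding(eid, who, f"password reset on privileged account {target}"))
    return findings


def correlate(findings):
    """Group findings by actor: one account tripping several rules in turn
    (a reset, a group change, then replication) is the M&S-style chain."""
    chain = defaultdict(set)
    for f in findings:
        chain[f.subject].add(f.event_id)
    return {who: sorted(ids) for who, ids in chain.items()}


# Constructed sample records (not real M&S logs); 'helpdesk.tmp' plays the
# account that a social-engineered reset handed to the intruder.
SAMPLE_LOG = [
    "EventID=4662|Subject=DC02$|Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4724|Subject=helpdesk.tmp|Target=svc_vcenter",
    "EventID=4728|Subject=helpdesk.tmp|Group=Domain Admins|Member=helpdesk.tmp",
    "EventID=4688|Subject=jdoe|NewProcessName=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe",
    "EventID=4688|Subject=helpdesk.tmp|NewProcessName=C:\\Windows\\System32\\ntdsutil.exe|CommandLine=ntdsutil.exe",
    "EventID=4662|Subject=helpdesk.tmp|Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
]

if __name__ == "__main__":
    for hit in analyse(SAMPLE_LOG):
        print(f"[{hit.event_id}] {hit.subject}: {hit.reason}")
```

Feeding real Security-log exports into `analyse` means mapping the EVTX fields (SubjectUserName, Properties, NewProcessName, TargetUserName) onto the record keys assumed here; the correlation step is what turns four routine-looking events into one actor worth paging on.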


How The Web People Can Help

At The Web People, we understand that cyber threats don’t just target big retailers. Small and medium-sized businesses are often more vulnerable — and less prepared.

We offer security solutions through PAX8 partners including:

  • SentinelOne and Microsoft Defender for AI-powered endpoint protection
  • CrowdStrike for threat intelligence and behavioural detection
  • Breach Secure Now for employee training and risk scoring
  • IronScales for phishing and email protection
  • Bitdefender for layered antivirus and anti-ransomware protection

If you're unsure how secure your infrastructure is, now’s the time to act.


Final Word

The Marks & Spencer hack serves as a case study in how even well-funded companies can fall prey to determined attackers. For small businesses, the takeaway is urgent: don't wait until after an attack to think about cybersecurity.

Book a consultation today — and take the first step in securing your future.
