On April 17, 2025, Marks & Spencer, one of the UK’s largest and most popular retail names, was hit by a major ransomware attack. It’s been rumoured that the notorious Scattered Spider collective had a hand in this – the same group that many have theorised holds responsibility for the Harrods breach. Four arrests have been made in the UK, but for M&S, the story is still unfolding. The consequences of this data breach are set to echo through its operations, finances, and brand for months, if not years.
Who are Scattered Spider?
Scattered Spider (also known by aliases such as Octo Tempest, UNC3944, Muddled Libra, and Scatter Swine) is a collective of mainly young, English-speaking cybercriminals that has been active since 2022. They excel in social engineering, including phishing, domain impersonation, and posing as IT support to bypass multi-factor authentication, often targeting help desks and remote access systems.
Human error was M&S’ breach point
This wasn’t a case of a firewall failing or a server being left unpatched. The initial compromise has been confirmed to have come through social engineering. The attackers reportedly manipulated IT help-desk processes to reset credentials and bypass MFA. Once inside, they moved fast. By Easter weekend, customers saw the first signs: orders halted, payments refused and empty shelves.
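As an added illustration that is not part of the original article, the routine below correlates constructed audit events to flag the pattern just described from the defender's side: a help-desk initiated password reset followed shortly by a self-service MFA method registration and a sign-in from a new device. The log format, field names and the 30-minute window are assumptions, not M&S data.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical format, not real M&S logs).
AUDIT_LOG = [
    "2025-04-17T09:02:10Z user=alice action=password_reset actor=helpdesk",
    "2025-04-17T09:05:41Z user=alice action=mfa_method_added actor=self device=new-phone",
    "2025-04-17T09:07:03Z user=alice action=signin actor=self device=unknown-laptop",
    "2025-04-17T10:15:00Z user=bob action=password_reset actor=helpdesk",
    "2025-04-18T11:30:00Z user=bob action=signin actor=self device=corp-laptop-07",
    "2025-04-17T12:00:00Z user=carol action=mfa_method_added actor=self device=corp-phone",
]

# Assumed correlation window: reset -> MFA change -> sign-in within 30 minutes.
WINDOW = timedelta(minutes=30)


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_helpdesk_reset_chains(lines, window=WINDOW):
    """Return users whose help-desk password reset is followed, within `window`,
    by a self-service MFA method registration and then a sign-in."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    flagged = {}
    for i, ev in enumerate(events):
        if ev["action"] != "password_reset" or ev["actor"] != "helpdesk":
            continue
        # Only later events for the same user inside the window are relevant.
        later = [e for e in events[i + 1:]
                 if e["user"] == ev["user"] and e["ts"] - ev["ts"] <= window]
        mfa_added = any(e["action"] == "mfa_method_added" for e in later)
        signin = next((e for e in later if e["action"] == "signin"), None)
        if mfa_added and signin:
            flagged[ev["user"]] = {"reset_at": ev["ts"].isoformat(),
                                   "device": signin.get("device")}
    return flagged


if __name__ == "__main__":
    for user, info in find_helpdesk_reset_chains(AUDIT_LOG).items():
        print(f"ALERT: {user} reset at {info['reset_at']}, new MFA + sign-in from {info['device']}")
```

Only alice matches the full chain; bob's reset is followed by a sign-in a day later with no MFA change, and carol has no help-desk reset at all.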
The long journey to recovery
Recovering operations is one thing. Recovering trust can often take far more time. Here’s the recovery timeline of M&S so far:
- Online clothing and third-party brand sales were restored in June.
- Food delivery and click-and-collect only returned in July.
- Warehouse disruption forced temporary furloughs for around 200 staff, while in-store teams faced stock shortages.
The financial impact
The financial impact has been bruising to say the least:
- Over £1 billion was lost from M&S’s market value in the weeks after the breach.
- Operating profit for 2025/26 is expected to drop by around £300 million.
- Bank of America estimated that M&S had been losing around £40 million per week since the breach hit.
M&S is pursuing a £100 million cyber insurance claim, but policy exclusions mean it’s unlikely to cover the full blow.
The damage to trust
Perhaps the hardest hit to measure is the one to customer confidence. M&S has shown its appreciation for customer patience and loyalty, restoring perks like birthday treats for 1.8 million customers and reinstating staff and contractor discounts.
However, in an era where consumers can swap retailers with a few taps, regaining momentum takes time. A recently published consumer survey speaks volumes: the share of respondents who would recommend M&S to others fell from 87% before the cyber-attack to 73% after.
Why cyber resilience is not optional
This incident is now a board-level case study in why cyber resilience is a strategic imperative. As a matter of urgency, all organisations should implement:
- Zero-trust architectures to limit damage from a single compromised account.
- Phishing-resistant multi-factor authentication that cannot be reset or bypassed through social engineering.
- Independent, third-party security audits to catch blind spots before cyber criminals like Scattered Spider do.
- Vendor access controls that treat partners as potential attack points.
- Continuous employee training, as the weakest link is often human error.
What happens now?
Months on, most of Marks & Spencer’s systems are back online, with external cybersecurity partners now reinforcing its defences. Yet the £1.3 billion financial blow, coupled with lasting reputational damage, stands as a stark reminder of how a single breach can reshape the course of an organisation for years to come. The attack on M&S is more than an unfortunate event; it’s a warning for every board, in every sector. M&S’ chair has even called for mandatory cyberattack reporting, alleging that similar attacks on other large companies have gone unreported.
In 2025, cyber resilience has evolved from an item on a compliance checklist to a core requirement that’s essential for business survival. This begins with educating your people.
If you’re unsure where you currently stand, or where your knowledge and skills gaps are, take our cyber security assessment and get complete insight into your security posture.