British retail chain Marks & Spencer (M&S) has confirmed that customer data was stolen in a cyberattack that has severely disrupted its digital operations for more than three weeks.
The attack began over the Easter weekend and caused widespread problems. Online services were suspended, and product availability in stores was affected.
Customer Information Stolen
M&S revealed that attackers accessed personal information of its customers. The stolen data includes names, home and email addresses, phone numbers, dates of birth, and online order history.
Chief Executive Stuart Machin said there is “no evidence that the information has been shared” so far. However, cybersecurity experts warn that this could change in the future.
The company stressed that payment card details and account passwords were not compromised. M&S holds only limited payment information, so any financial data taken would be unusable. Still, as a precaution, all online customers will be asked to reset their passwords when they next log in.
DragonForce Ransomware Group Responsible
According to the BBC, the ransomware group DragonForce is behind the attack. This group has also targeted other UK retailers, including Co-op and Harrods.
DragonForce uses a double extortion method: it encrypts files and steals data to pressure victims into paying a ransom. The group operates as a Ransomware-as-a-Service (RaaS), allowing affiliates to launch attacks on its behalf.
Security analysts believe the hackers may have gained initial access through social engineering. They likely tricked IT helpdesk workers into resetting passwords or granting access. Reports suggest that the hacker group Scattered Spider, known for targeting UK and US firms, may have been involved as well.
One key part of the attack was the possible theft of the NTDS.dit file, the Active Directory database that holds user credentials and password hashes. With this file, attackers could move freely across M&S’s network.
This method matches DragonForce’s known tactics, which include exploiting valid user accounts and modifying registry settings to maintain access.
Heavy Financial Impact
The cyberattack has caused significant financial damage. M&S’s share price dropped by around 11%, wiping over £1 billion from its market value.
Online shopping remains unavailable after nearly a month. Some physical stores are still facing stock issues, as IT systems were taken offline to prevent further damage.
M&S has notified all 9.4 million active online customers about the breach. The company is working with the National Crime Agency (NCA), National Cyber Security Centre (NCSC), and the Metropolitan Police to investigate the incident.
Security Advice for Customers
M&S said customers do not need to take immediate action. However, cybersecurity experts advise people to stay alert for phishing attempts. Attackers could use the stolen information to send fake messages pretending to be from M&S.
Customers should be cautious with unexpected emails or texts. They are urged not to click on suspicious links and to verify the sender’s identity.
Growing Ransomware Threats
This incident shows the increasing danger of ransomware attacks. It highlights the need for strong cybersecurity measures, especially for companies handling large amounts of customer data.
M&S continues efforts to restore its services, but no timeline for full recovery has been announced.