Hackers infiltrated Marks and Spencer’s (M&S) systems for up to 52 hours before the cyber attack was discovered, insiders revealed. The attack, attributed to the Scattered Spider group, involved using a contractor to access the retailer’s advanced IT systems.
Three weeks after the breach, M&S continues to face disruption, with staff working long hours to resolve the crisis. The attack has caused the company to lose around £1 billion in stock market value.
A source told The Times the breach was due to a “human error” that led to a “colossal mistake.” During the attack’s five-day active phase, hackers remained undetected while crisis teams worked to protect the business, which serves up to 9.4 million active customers.
Hackers accessed masked payment card details-typically the last four digits-and possibly other personal data such as names, email and postal addresses, phone numbers, dates of birth, order history, and household information.
While it’s unclear how many customers were affected, many have reported a surge in scam messages impersonating M&S. The company urged customers to be cautious and avoid sharing personal details with unknown callers.
M&S operations director Jayne Wall reassured customers that no usable payment card or password data was stolen. She warned customers to be alert to phishing attempts, noting the company will never ask for passwords or personal account information.
Experts warn stolen data could still be exploited and possibly leaked. Rafe Pilling, director of intelligence at Sophos, said hackers may leverage the breach data for further attacks.
The Scattered Spider group, known for targeting UK and US retailers, reportedly used DragonForce ransomware tools in this attack. The group is known for sophisticated social engineering and third-party access tactics.
M&S chief executive Stuart Machin and chairman Archie Norman are expected to face scrutiny over the company’s cyber defenses. Analysts warn 2025 could be one of the retailer’s worst years due to the attack’s financial and reputational impact.
The UK Information Commissioner’s Office is investigating the incident alongside a similar attack on M&S competitor Co-op, which also suffered data breaches and operational disruptions.
The National Crime Agency is working with partners to investigate both incidents, considering possible links between them.
