British retailer Marks & Spencer (M&S) has been grappling with a significant cyberattack, reportedly orchestrated by the hacking group Scattered Spider. The incident has disrupted operations across the company’s UK stores and online platforms.
Attack Overview
The cyberattack, identified as a ransomware incident, has been linked to Scattered Spider, a group known for targeting major corporations. The hackers allegedly infiltrated M&S’s systems in February 2025, extracting the NTDS.dit file—a critical component of Windows Active Directory that stores user credentials. This breach enabled the attackers to access and encrypt the company’s servers using the DragonForce ransomware variant.
Operational Impact
As a result of the attack, M&S has faced widespread disruptions:
- Online Services: The retailer suspended online orders and click-and-collect services, affecting a significant portion of its sales.
- In-Store Operations: Contactless payment systems were taken offline, and some stores experienced limited food availability.
- Workforce Adjustments: Approximately 200 agency staff at the Castle Donington distribution center were instructed to stay home due to operational challenges.
Financial Repercussions
- Revenue Loss: The disruption in online sales is estimated to have cost the company approximately £3.8 million per day.
- Market Valuation: M&S’s market value reportedly declined by nearly £700 million following the incident.
Response and Investigation
M&S has engaged cybersecurity firms, including CrowdStrike, Microsoft, and Fenix24, to investigate and mitigate the breach. The company has also reported the incident to the UK’s National Cyber Security Centre and the Information Commissioner’s Office.
While it remains unclear whether M&S has paid or intends to pay a ransom, industry experts caution against such actions, citing potential long-term risks and the possibility of encouraging further attacks.
About Scattered Spider
Scattered Spider, also known as Octo Tempest, is a hacking group comprising individuals primarily from the US and UK. The group has been active since at least 2022 and is known for employing sophisticated social engineering techniques, including phishing and impersonation, to infiltrate corporate networks. They have previously targeted major companies, such as MGM Resorts and Caesars Entertainment.
Ongoing Developments
M&S continues to work towards restoring its systems and services. Customers are advised to remain vigilant against potential phishing attempts exploiting the situation. The company has not provided a specific timeline for the full resumption of its operations.