We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: Holiday.com, ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

M&S Cyberattack Disrupts Services — Ransomware Suspected

By Husain Parvez, Cybersecurity Researcher. First published on May 03, 2025.

Marks & Spencer (M&S), one of the UK’s leading retailers, is grappling with the fallout of a major cyberattack that has disrupted its services for over a week. The incident has forced the company to pause online orders, created delays in Click & Collect services, and left visible gaps on store shelves. Industry experts increasingly suspect a ransomware attack — possibly involving the DragonForce group.

M&S initially disclosed the breach via a London Stock Exchange statement, describing it as “a cyber incident” and noting “minor, temporary changes to our store operations to protect customers and the business.” As disruptions continued, CEO Stuart Machin addressed customers via social media, saying the company was “working day and night to manage the current cyber incident and get things back to normal for you as quickly as possible.”

In a further update published on April 25, M&S added, “Our experienced team — supported by leading cyber experts — is working extremely hard to restart online and app shopping.”

The BBC reported that the ransomware group DragonForce may be responsible, possibly in connection with the Scattered Spider gang — a cybercrime network previously linked to the 2023 MGM Resorts breach in Las Vegas. Ciaran Martin, founding chief of the UK's National Cyber Security Centre, called it “a pretty bad episode of ransomware,” adding that it’s “a highly disruptive event and a very difficult one for them to deal with.”

While some M&S services remain operational, the retailer’s website and app are only partially accessible. In-store contactless payments have been restored, but delays continue in fulfillment and payment systems. Cybersecurity experts warn that restoring complex retail infrastructure after a ransomware event can take significant time. Professor Alan Woodward of the University of Surrey commented, “Everything from knowing what has been sold — hence what needs replenishing — to taking card payments is very dependent on complex systems.”

Adding to broader cybersecurity concerns, a recent investigation revealed that over 14 million cookies belonging to UK users — some containing login credentials and authentication tokens — had been leaked onto the dark web, with 56% still active. While no direct link to the M&S breach has been established, the incident highlights growing vulnerabilities across the UK retail sector.

M&S has not yet confirmed whether customer data was compromised or identified the threat actors involved. In the meantime, cybersecurity professionals recommend that customers remain cautious and update any reused passwords as a precaution.

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.
