Marks & Spencer Cyber Incident Linked to Ransomware Group

British multinational retailer Marks & Spencer has been struggling with a cyber incident for over a week, leaving customers frustrated and concerned about their personal data. In recent days, multiple sources have confirmed that the "cyber incident" is indeed a ransomware attack, perpetrated by an unnamed criminal gang.

The Telegraph's sources claim that the attackers, believed to be members of the Scattered Spider hacking group (also known as Octo Tempest), deployed ransomware on April 20, 2025. Bleeping Computer's sources corroborate this, stating that the attackers used the DragonForce encryptor to lock M&S's virtual machines on VMware ESXi hosts.

Marks & Spencer publicly confirmed the ongoing attack on April 22, 2025, by formally notifying the London Stock Exchange and its customers. The company stated that it had engaged external cyber security experts to assist with investigating and managing the incident, reported the incident to data protection supervisory authorities and the National Cyber Security Centre, and made "minor, temporary changes" to its store operations to protect customers.

The effects of the attack have been felt by customers: online orders have been suspended, contactless payments and gift card redemption were temporarily impossible, some orders went undelivered, refunds were delayed, and the customer reward scheme was paused. Despite efforts to mitigate the damage, many customers are still waiting for the problems to clear up before they can resume their online shopping.

The company has yet to provide a clear timeline for when the issues will be resolved, leaving customers wondering about the extent of the attack and whether their personal data was compromised. M&S did not comment on whether customer information, including personal and payment details, was affected, only stating that there is "no need for [customers] to take any action."

Security researcher Kevin Beaumont noted that Marks & Spencer had been pulling its internet-exposed VPN endpoints and other external services offline since April 20. He warned that the attackers likely extracted encrypted passwords from employee accounts, cracked the encryption, and used the account credentials to gain access to the company's Windows domain.

Beaumont also pointed out that Bleeping Computer's sources indicate that Scattered Spider (or Octo Tempest) is behind the attack. This group specializes in phishing, social engineering, MFA prompt bombing, and SIM swapping attacks, and often collaborates with ransomware-as-a-service (RaaS) operations such as DragonForce.

DragonForce has been around since August 2023 and provides tools and services to its affiliates for a percentage of the paid ransom. M&S customers should be vigilant for phishing emails and messages impersonating the company, as scammers will likely try to capitalize on this high-profile breach.

"Customers should be on the lookout for fake notifications saying their account or payment information has been compromised and that they have to verify the account or info by entering it into a lookalike phishing site," Beaumont warned. "Fake alerts about problems with refunds, and other issues will also likely appear."
