Last Updated on May 29, 2025 by Deepanshu Sharma
Think about visiting your favorite store only to discover everything is out of stock, or attempting to order from the website to see that they don’t accept orders right now. Marks & Spencer, a well-known British retailer, saw that happen to their customers in the early part of 2025. It wasn’t only a technical problem or a time off for a holiday. The company experienced a cyber-attack so powerful that they had to take down their online shopping site for weeks, experience delayed deliveries, and force the staff to do their work manually.
Retail businesses everywhere must take note of this kind of attack. It demonstrates that cyberattacks may be powerful enough to halt large and reputable businesses. There is a lot of detail in the tale, but the lessons are straightforward. This blog will take you through the attack, the reasons it matters, and tips for business owners to protect themselves. You will learn about the attack and what steps you need to take immediately to protect your business.
What Happened to Marks & Spencer?
For months, Marks & Spencer did not realize it was being attacked on the internet. The hackers didn’t break into the company’s systems, but they fooled employees at a third-party contractor to allow access. Often, criminals use social engineering by pretending to be someone dependable to steal sensitive data or login details. The attackers in this case are thought to have sent emails that looked reliable, tricking a worker at the contractor into giving out their access information.
Once they were inside, the attackers hurried around. Important files were taken, among them was NTDS.dit, which stores all of the password hashes for users in the network. With the help of the cracked hashes, the hackers were able to penetrate every part of M&S’s digital systems. And finally, they released ransomware, which quickly locks user files and asks for payment to give access back to the files. DragonForce was the organization originally connected with this ransomware, but rumors also point towards Scattered Spider being involved. They are famous for having advanced techniques and for moving quickly once inside a network.
After the attack, M&S switched off numerous systems and stopped processing orders, access to goods, and applications. The company was required to put online sales on hold and revert to old processes. The result was warehouses with empty shelves, irritated customers, and major losses for the company. Stuart Machin, the CEO of M&S, estimated it would take until July to recover normal operations and announced the company would lose about £300 million due to the cyber-attack. Personal customer data, including names, addresses, and what they purchased, was also stolen in the attack. Luckily, the card details were not kept on the system and were therefore protected. Yet, the company advised its customers to reset their passwords and stay wary of phishing attacks.
Why Retailers Are a Prime Target?
Marks & Spencer and other retailers stand out to cyber criminals for several key reasons. They process a lot of customer data, such as names, addresses, phone numbers, and what they have purchased. Using this information, criminals can commit fraud, steal someone’s identity or put personal details up for sale on the dark web. Second, with many vendors used throughout their supply chains, retailers may have less effective security. Attackers realize that a momentary interruption can cause massive losses, which could easily be detected, so they prefer to either break in via third-party vendors or look for unnoticed security gaps.
Retailers are sometimes required to speed up their services, which sometimes leads them to bypass important security steps. As an example, employees might not have time to check emails carefully, which increases the risk of a phishing scam. And security measures at third-party vendors may not be the same as those at the main company. This leaves the system less resilient. Also, because retailers generally have many outlets and access points, it is difficult to protect their entire network.
Both Scattered Spider and DragonForce are highly threatening because they mix their skills with tactics that confuse others. They could try to imitate a familiar colleague in an email or use social media networks to gain knowledge about the company’s workers. When they get access, they act rapidly to take data or lock the system. They usually prepare their attacks carefully, and they keep finding ways to outsmart those people in charge of computer security.
What is the Impact of the Attack?
The costs of the M&S attack are extraordinarily significant. More than £1 billion was wiped off the company’s stock market value. For weeks, one of the main revenue lines for M&S, online sales, was closed down. There was more food waste since staff couldn’t keep track of stock, and the company had to handle billions of pounds of products manually. Customers continued to shop in the store, but many of them switched to other brands instead.
Yet, the losses extend past economic expenses. During the attack, private details of the customers, such as names, addresses, and what they purchased, were also leaked. As a result, customers may suffer from identity theft, fraud, and additional problems. Customers were encouraged by the firm to change their passwords and to stay vigilant for phishing messages, but restoring confidence is more complicated. Future sales at M&S may decline, and the company’s reputation has suffered.
The attack also greatly affected the employees. The pressure was on workers to keep the company going, and few got satisfactory information and guidance from the top. The company’s image suffered, so it will have to spend time restoring trust with customers and partners. It also revealed that being open and clear while managing a crisis and supporting employees is crucial.
How the Attack Unfolded Step by Step?
Initially, attackers only relied on a straightforward method to penetrate Marks & Spencer. Hackers used fake identities and false information to get control of the company’s systems through a third-party contractor. This method is popular as people are usually the easiest part to compromise in any security system. Most likely, the attackers used deceptive emails or texts to fool someone at the contractor to unwittingly hand over their credentials.
As soon as the hackers got in, they immediately began stealing critical files. The NTDS.dit file is very important since it keeps a list of every user’s password hash on the network. After cracking the hashes, the attackers opened a back door into all of M&S’s digital services. Then, they introduced ransomware that secured vital files and asked for a ransom in exchange. Experts believe that DragonForce was involved, but they also suspect that retailers were targeted by Scattered Spider, another well-known hacking gang.
Because of the attack, M&S turned off a number of its systems, including those for online buying, keeping inventories stocked, and managing job applications. Online sales had to be put on hold as the company returned to using manual solutions. Consequently, there were bare shelves, irritated customers, and major financial problems. During the attack, personal customer information, including names, addresses, and purchase histories, was taken. Fortunately, customer payment data did not get stored on the system. Yet, the company suggested that users reset their passwords and be vigilant for emails or texts from hackers.
Who Are the Attackers?
Although several groups are thought to be involved, DragonForce and Scattered Spider look to be the main suspects. Ransomware locking up files is associated with DragonForce, but Scattered Spider makes use of social engineering and phishing to attack companies. Both groups operate smoothly and use complicated techniques. Usually, cybercriminals aim to get into another firm, then use its connection to access the main company as quickly as they can.
Scattered Spider has most recently caught the media’s attention. Firms in the UK and the US have been targeted, and the hackers are now planning more frequent and advanced techniques. Attackers often use strategies that lead employees to give up their passwords or click on dangerous links, and it’s very difficult to spot them. Multi-factor authentication is also bypassed by such attackers, making it harder to fight them.
These people are not acting just by chance. These groups are financed well, highly organized, and very motivated. They tend to work with others, who are each responsible for their own operations. Some hackers are more interested in initial access, while others concentrate on taking data, moving across the network, or using ransomware. They are always finding new ways to bypass security teams.
What is The Role of Third-Party Vendors?
It is clear from the M&S attack that bringing in outside vendors can open doors to major risks. In this case, the attackers relied on the contractor’s system to reach M&S, which is a frequent problem for most companies.
In many cases, third-party vendors process confidential data and systems that are not as secure as those belonging to the actual business. For this reason, many hackers find it easy to attack them. Frequently, hackers come into a company through an attack on a vendor and then can move freely to harm the company.
Businesses must be sure that their vendors comply with strict safety guidelines. Officials should control what vendors are allowed to do and watch everything they do. Regularly conducting security audits and checks will ensure you’re ready for any attack. A well-defined agreement about security matters is essential.
The M&S attack teaches us that most security systems rely on people and it’s people who can be the biggest risk. The hackers were able to influence the workers at the contractor and after that, they could do a lot of damage.
That’s why providing training is essential. People at work should be taught to identify fishing emails and unreliable websites and know why sharing confidential information is risky. Proper training and discussion can help a lot in stopping attacks. Making sure that everyone feels responsible for security is an important part of running a company. So, companies should convince employees to inform them about anything suspicious.
In addition, companies should consider running regular phishing simulations and other tests to keep employees alert. These exercises can help identify weaknesses and provide opportunities for additional training. It’s also important to have clear policies and procedures for reporting and responding to security incidents.
How to Protect Your Business From Such Attacks?
There are a number of basic ways you can protect your company from cyber attacks after what happened to Marks & Spencer.
Your team should receive training first and foremost. Explain to everyone how phishing works and what examples they might come across online. Using this training can instruct employees on the risks they encounter most often at work. Team members in finance can be tricked by receiving false invoices and personnel in HR by receiving fake job resumes.
It’s important to properly check your vendors, too. Always check the security steps used by third-party vendors before choosing to work with them. Restrict who can access your system and be sure to watch their activity. Checking the security of your system regularly helps you find risks before criminals do.
Keeping an eye on and reviewing everything is essential. Incorporate tools that let you see who is visiting what, and be on the lookout for anything strange. If you keep good logs, you will notice problems sooner and be able to handle them early on. It’s helpful to create set policies and procedures for how to deal with security issues.
Another important thing to do is to plan for the worst. Write a clear incident response plan and continue to practice it often. Make backups of your data so you can get it back if something happens to your files. Adding cyber insurance is a smart move, but it shouldn’t be your only way to protect yourself.
The final move is investing in advanced security tools. These tools use advanced analytics to check if users and devices are trustworthy and can spot unusual behavior that might signal an attack.
How Lepide Helps Businesses Stay Secure?
Lepide offers tools that make it easier to prevent the kind of cyber attack seen at Marks & Spencer.
Lepide Auditor keeps you informed in real time if any suspicious activity takes place. It monitors files, permissions and user actions, so you can detect threats before they become a big concern. By using Lepide Auditor, you have visibility over all access rights and can move fast in case of problems. This tool is straightforward to operate and delivers comprehensive reports so you can see all the details on your network.
In addition, Lepide Trust takes it a step further. Advanced analytic tools help it examine whether devices and users are reliable and recognize unusual actions that may be a warning sign of an attack. For example, if someone attempts to access confidential information or move across your network improperly, it can warn you before any damage is done. You can use the solution to alert you well ahead so that threats don’t damage your system. Lepide equips you with tools that help you find, handle and prevent cyber threats, well in advance.
Conclusion
The attack against Marks & Spencer demonstrates that cyber attacks can happen to any company. The harm to a business’s finances and reputation can be great, and it takes a long time to come back. If you stay updated, use the proper security systems, and encourage all employees to pay attention, you can defend your business and your customers from upcoming attacks.
Don’t postpone action until you think you have a crisis. Don’t wait; put cybersecurity at the top of your list due to the example set by M&S. The information and resources you require are accessible. Staying cautious and taking action can help you keep your business protected as risks online keep increasing.