Cyber Incident Victim: Marks and Spencer
Date:
Jan 2025
Location:
United Kingdom
Summary
A cyberattack attributed to the Scattered Spider group using DragonForce ransomware severely impacted multiple UK retailers, including Marks & Spencer, through sophisticated social engineering and compromised third-party credentials. The incident involved prolonged network reconnaissance before ransomware deployment, resulting in substantial financial losses and operational disruptions, with one retailer facing £300 million in damages and extended system rebuilding efforts. The attacks were identified as targeted rather than opportunistic, exploiting the sector's broad attack surface and limited IT budgets, prompting industry-wide enhancements in crisis communications, digital transformation, and specialized security teams focused on employee awareness and third-party risk management.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In 2025, the Scattered Spider cybercrime group executed a series of ransomware attacks against major UK retailers, including Marks & Spencer, the Co-op, and Harrods. The attackers deployed DragonForce ransomware after infiltrating target networks through sophisticated social engineering techniques and the compromise of third-party credentials. Following initial access, the threat actors conducted prolonged reconnaissance within the affected environments to map systems and identify critical assets before activating the ransomware payload. Marks & Spencer suffered particularly severe operational disruption, with estimated financial losses reaching £300 million due to extended system downtime. The retailer was forced to undertake a months-long rebuilding process of its compromised infrastructure, significantly impacting business continuity. The Co-op incurred £206 million in losses but experienced comparatively less severe operational disruption due to its more advanced migration from legacy systems to cloud-based infrastructure prior to the attack.
The incidents triggered parliamentary hearings and industry summits examining sector-wide vulnerabilities, with experts noting retailers' combination of vast digital attack surfaces and constrained IT budgets made them attractive targets. River Island's Chief Information Security Officer Sunil Patel characterized the attacks as meticulously targeted operations rather than opportunistic incidents. In response to the attacks, Marks & Spencer focused on system restoration while other retailers including Holland & Barrett and AllSaints implemented enhanced crisis communication protocols. Several organizations accelerated digital transformation initiatives and established specialized "people security" teams dedicated to improving employee cybersecurity awareness and strengthening third-party risk management frameworks. The collective financial impact across affected retailers amounted to hundreds of millions in losses, establishing the incident wave as a catalyst for operational reassessments throughout the UK retail sector.