Cyber Incident Victim: Marks and Spencer
Date: Apr 2025
Location: United Kingdom
Summary
Marks & Spencer experienced a cyber incident involving ransomware that disrupted its online and in‑store operations, forced the suspension of click‑and‑collect and gift‑card processing, and led to manual workarounds that left shelves bare. The attack wiped a substantial portion of profit despite an insurance payout, contributed to a decline in fashion, home and beauty sales, and prompted the retailer to notify regulators, engage external security experts, and see senior technology leaders depart months later.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In early April 2025, Marks & Spencer reported a cyber incident affecting its Click and Collect service and its ability to process contactless payments. Customers experienced delays and took to social media to complain about the disruption. The company also confirmed that gift card and voucher usage in stores was impaired. Chief executive Stuart Machin apologised to customers and said the firm had been forced to make small changes to store operations to protect the business and its shoppers. Marks & Spencer notified the Information Commissioner's Office and reported the incident to the National Cyber Security Centre. The retailer engaged external cyber security experts to assist with investigation and management. It stated that it was working to resolve the limited delays to Click and Collect orders and to restore gift card processing. No further details about the nature of the incident were provided at that time.

Later disclosures identified the April incident as a ransomware attack carried out by the hacker group known as Scattered Spiders. The attack wiped approximately £229 million from Marks & Spencer’s profits, even though the company received a £100 million insurance payout. Online order processing was suspended for six weeks as a result of the disruption. Automated stock and logistics systems were shut down, prompting stores to revert to manual processes. The shift to manual operations left shelves bare in many locations. Sales in the Fashion, Home & Beauty divisions fell by 16.4% over the six‑month period leading up to 27 September 2025. In its January 2026 financial report, Marks & Spencer recorded group sales that rose 24.2% to nearly £5 billion. However, like‑for‑like clothing sales declined, which the retailer attributed to the long‑tail effects of the cyber‑attack.
Nine months after the attack, the company’s chief technology officer, Josie Smith, announced her departure, having been in the role for 18 months. Four months prior to Smith’s exit, Rachel Higham, the chief digital and technology officer, also left the business. No formal reasons were given for either departure in the internal communications. The source article notes that other UK retailers such as Harrods, Co‑op and Jaguar Land Rover experienced significant disruption from cyber‑attacks in the same period. Research cited by Cohesity indicated that seventy‑one percent of UK businesses paid a ransom to cybercriminals in the previous year, while nearly half of British firms still considered their cybersecurity watertight. The average UK ransom payment was reported to be around £1,051,000. These details illustrate the broader impact of the incident on Marks & Spencer and the retail sector.
