Marks & Spencer (M&S), one of the UK’s most prominent retail chains, has confirmed that a sophisticated cyber attack has compromised personal customer data and caused severe disruption to its online operations. The incident, which began in late April, has left the company’s website and app offline for over three weeks, crippling its ability to process online orders and affecting a significant portion of its business. While M&S’s 1,000 physical stores remain open, the retailer is grappling with the aftermath of what is being described as a ransomware attack carried out by a highly skilled criminal group.
The breach, which coincided with the launch of new seasonal collections and warm weather across the UK, has already led to a sharp 15% drop in M&S’s share price. Analysts estimate that the ongoing disruption could cost the company more than £30 million in lost profits, with weekly losses reaching up to £15 million. Although M&S is expected to recoup some of these losses through cyber insurance, the financial and reputational damage is mounting daily.
Scope of Data Compromised and Company Response:
According to statements from M&S leadership, the hackers were able to access a range of personal customer information. This includes names, dates of birth, home and email addresses, phone numbers, household details, and online order histories. For holders of M&S credit cards or Sparks Pay cards, customer reference numbers may also have been compromised, though the company stressed that no usable payment or card information was accessed, as such data is not stored within its systems. Account passwords were also not affected.
M&S has assured customers that there is currently no evidence the stolen data has been disseminated or misused. However, the company is taking precautionary steps by prompting all online customers to reset their account passwords and providing guidance on how to stay safe online. Customers have been advised to be vigilant for suspicious emails, calls, or messages, which could be phishing or social engineering attempts that use the stolen information to gain further access or commit fraud.
The retailer has also notified law enforcement and the Information Commissioner’s Office, and is working closely with the National Cyber Security Centre and cybersecurity experts to contain the breach, secure its systems, and restore normal operations as quickly as possible. M&S has not disclosed the exact number of customers affected, but with 9.4 million online customers as of March 2024, the scale of the breach could be significant.
Ransomware Attack and Wider Industry Impact:
The M&S incident is part of a broader wave of cyber attacks targeting major UK retailers. The ransomware group DragonForce has claimed responsibility for the attack on M&S, as well as similar breaches at the Co-op and Harrods. In these attacks, hackers infiltrate company networks, encrypt critical data, and demand a ransom for its release. While M&S has not confirmed whether a ransom was paid, the attack has severely impacted its ability to fulfill online orders and has caused some disruption to in-store services, including contactless payments and product availability.
The National Crime Agency is investigating these incidents and has indicated that the attacks on different retailers may be linked. Experts warn that even though no direct financial data was stolen, the personal information obtained could be used in future cybercrimes, such as targeted phishing campaigns or identity theft. The incident has sparked renewed calls for stronger cybersecurity measures across the retail sector, as well as greater awareness among consumers about the risks of data breaches.
Recovery and Rebuilding Trust:
As M&S works to restore its online operations and reassure customers, the company faces a challenging road ahead. The financial impact of the breach will likely be reflected in its upcoming annual results, and analysts will be closely watching for updates on recovery efforts and any additional losses. The retailer’s swift response, including transparency with customers and collaboration with authorities, will be crucial in rebuilding trust.
The attack on M&S serves as a stark reminder of the growing threat posed by ransomware and cybercrime to even the most established companies. With personal data now a prime target for criminal groups, both businesses and consumers must remain vigilant. For M&S, the focus now is on strengthening its digital defenses, supporting affected customers, and restoring its reputation as a trusted name in British retail.