British retail giant Marks & Spencer (M&S) is currently battling the aftermath of a major cyberattack that has caused widespread operational disruptions across its online and in-store services. For over a week, customers have faced halted online orders, delayed Click & Collect services, and stock shortages in physical stores. Although initially described by the company as a “cyber incident,” mounting evidence points to a sophisticated ransomware attack, potentially orchestrated by the cybercriminal group DragonForce, with suspected ties to the notorious Scattered Spider gang.
The breach was first disclosed through a formal statement to the London Stock Exchange, in which M&S reported “minor, temporary changes” to store operations. But the impact has proven far from minor. CEO Stuart Machin later addressed the public via social media, assuring customers that the company’s teams are “working day and night” to restore normal operations. An update posted on April 25 reiterated that internal teams, alongside external cybersecurity specialists, are working urgently to restart digital services, including online shopping and the retailer’s mobile app.
Cybersecurity experts suggest the scale and nature of the disruptions are consistent with ransomware, a form of malware that encrypts systems and demands payment for their release. The BBC reported suspicions of DragonForce’s involvement, potentially working in coordination with Scattered Spider, a group previously linked to the high-profile 2023 ransomware attack on MGM Resorts in Las Vegas.
According to Ciaran Martin, the founding chief of the UK’s National Cyber Security Centre, this is “a pretty bad episode of ransomware,” describing it as highly disruptive and difficult to recover from. Professor Alan Woodward of the University of Surrey explained that such attacks paralyze core functions: “Everything from knowing what has been sold — hence what needs replenishing — to taking card payments is very dependent on complex systems.”
Although contactless payments have been restored in M&S stores, the website and app remain partially inaccessible, and logistical functions like payment processing and fulfillment continue to face delays. Experts warn that recovering from ransomware attacks involving large-scale infrastructure can take weeks, if not longer.
The situation comes amid broader concerns over cybersecurity in the UK. A recent investigation revealed that over 14 million stolen browser cookies belonging to UK users — some containing login credentials and session tokens — have been leaked on the dark web, with more than half still active. While no direct connection to the M&S breach has been confirmed, the timing has alarmed cybersecurity professionals and highlighted the growing digital risks retailers face.
M&S has not yet publicly identified the perpetrators or confirmed whether any customer data was compromised. Customers are being advised to update any reused passwords and remain vigilant for suspicious activity as a precaution.
This incident not only highlights the vulnerabilities of major retail systems but also raises urgent questions about cybersecurity readiness in the face of increasingly aggressive and sophisticated threats. As M&S works to bring its systems back online, the retail and cybersecurity industries alike are watching closely to see how one of the UK’s most iconic brands navigates this ongoing digital crisis.