🛡️ M&S Cyberattack: Inside the Scattered Spider Breach at Marks & Spencer
Marks & Spencer (M&S), one of the UK's most trusted retailers, recently fell victim to a devastating cyberattack allegedly orchestrated by the hacking group Scattered Spider. This advanced threat campaign caused massive disruptions across M&S's digital and physical infrastructure — affecting customer orders, supply chains, and employee operations.
💥 The incident first came to light in April 2025, but reports suggest the hackers may have gained access to M&S systems as early as February 2025, stealthily exfiltrating sensitive data and preparing for a ransomware detonation.
🔍 A Closer Look at the Attack
Scattered Spider reportedly breached internal systems, exploiting social engineering tactics like phishing and SIM-swapping to impersonate employees and escalate privileges within M&S's networks.
🔐 By April 24, ransomware was launched, locking critical data and crippling M&S’s core operations — including online orders, logistics, and payment systems.
🕷️ Who is Scattered Spider?
Known in cybersecurity circles as UNC3944 or Muddled Libra, Scattered Spider is a notorious hacking collective mainly made up of young cybercriminals from the US and UK. The group is part of a new wave of threat actors combining social engineering with traditional cyberattacks to breach even well-defended networks.
📌 Their previous high-profile targets include:
-
MGM Resorts
-
Caesars Entertainment
-
Multiple global enterprises across telecom, finance, and retail sectors
This time, Marks & Spencer became their target — and the consequences were severe.
💻 How Did It Affect M&S?
🛒 Online Shutdown
M&S temporarily paused online clothing and home goods orders, impacting thousands of customers and slashing revenues during a peak season.
🏬 In-Store Disruptions
Customers reported:
-
Glitches in contactless payments
-
Empty shelves in multiple stores
-
Slow checkout systems
These disruptions stemmed from compromised supply chain coordination systems.
👷♂️ Staff Impact
Roughly 200 warehouse staff were told to stay home as M&S investigated the extent of the breach and worked to restore system functionality.
📉 Market Reaction
Following the news, M&S's market value reportedly plummeted by over £700 million, triggering shareholder concerns and media scrutiny.
🛡️ M&S's Response & Security Measures
In response, Marks & Spencer partnered with cybersecurity experts, including:
-
🔐 CrowdStrike
-
🧠 Microsoft's Incident Response Team
-
🕵️ UK's National Cyber Security Centre (NCSC)
Their goals:
-
Isolate and remove the ransomware
-
Assess and contain the breach
-
Implement stronger preventative controls
📢 So far, M&S has not confirmed if a ransom was paid, but recovery efforts are ongoing.