Marks & Spencer (M&S), one of the UK’s largest retailers, was hit by a major cyber attack last week, first reported on April 21, 2025. Nearly a week later, the company is still facing ongoing disruption to critical services.
Reports estimate that the attack has wiped £700 million off M&S’s stock market value, and caused serious operational issues—including outages across contactless payment systems, online ordering, and gift card usage. Some local news sources even report empty shelves in stores as a result of knock-on effects.
M&S responded swiftly to reassure customers and is working to fully restore systems and investigate the root cause.
What Actually Happened?
While M&S has not officially confirmed the technical details, cybersecurity news outlet BleepingComputer reports that the cybercriminal group Scattered Spider is responsible for the attack.
According to the report, the hackers may have stolen internal data as early as February 2025, and later deployed ransomware linked to a known group called DragonForce, encrypting key company servers last week.
Who Is Scattered Spider?
Scattered Spider is a highly sophisticated, predominantly English-speaking cybercrime group known for executing advanced ransomware attacks. Active since 2022, the group rose to prominence following its high-impact breach of MGM Resorts, which caused significant business disruption and is estimated to have resulted in $100 million in financial losses.
Their tactics include a mix of social engineering and technical exploits, such as:
- Phone impersonation
- SMS and email phishing
- MFA fatigue attacks
- SIM swapping
They often disguise phishing domains by mimicking trusted platforms like Okta and Zoho ServiceDesk, paired with the target company’s name to make fraudulent messages appear legitimate.
Once initial access is gained, Scattered Spider relies on a suite of publicly available remote access and reconnaissance tools to move laterally across networks and escalate privileges.
Common tools include:
- Fleetdeck.io, Level.io, Pulseway, Tactical.RMM – remote monitoring and management
- ScreenConnect, Splashtop, TeamViewer – remote device access and control
- Mimikatz – credential harvesting
- Ngrok – secure tunnelling for remote server access
- Tailscale – peer-to-peer VPN for covert communications
Despite multiple arrests in recent years, the group remains active and continues to pose a significant threat to organisations globally.
How Did the M&S Breach Happen?
The exact method of entry hasn’t been confirmed, but it's believed that Scattered Spider stole an NTDS.dit file—a critical database file used by Microsoft Active Directory. This file contains encrypted employee passwords for M&S’s Windows network.
If decrypted, these passwords could have allowed the attackers to access internal systems and move laterally across the network with legitimate-looking credentials—often without raising red flags.
Although these may not be directly linked to the incident, our cyber risk analysis of M&S, conducted using our cyber risk monitoring tool, Breach Check, identified a significant number of compromised accounts. Among them were the following email addresses:
- admin@
- support@
- contact@
- editor@
- sales@
- root@
Additionally, we found that M&S did not have a DMARC policy set to “quarantine” or “reject”—a key email security protocol. Without this protection, their email domain was more vulnerable to spoofing and phishing attacks, which are common entry points for cybercriminals.
This could suggest poor cyber hygiene within the business.
How Do Hackers Choose Their Targets?
It’s a common misconception that large-scale cyber attacks are always targeted. In reality, most hackers operate at scale, using automated tools, phishing emails, and leaked data to cast a wide net and exploit vulnerabilities wherever they find them.
High-profile companies like M&S make the headlines because of the wider impact on the public, but cybercriminals often don’t discriminate between a 10-person business or a multinational enterprise.
Many attacks are opportunistic—it only takes one employee clicking a malicious link or responding to a spoofed email for attackers to gain a foothold.
Even businesses with strong cybersecurity infrastructure are vulnerable to human error.
- Large organisations may have more resources, but the importance of cybersecurity can get diluted across hundreds or thousands of staff.
- SMEs often lack security tools and training budgets, but can implement awareness programmes more closely and consistently.
Regardless of size, cybersecurity needs to be continuous and enforced at all levels.
How Can Businesses Protect Themselves from Cyber Attacks?
While there’s no single solution, here are just a few essential cybersecurity best practices that all organisations should implement:
- Multi-factor authentication (MFA/2FA)
- Strong, unique passwords
- Restrict employee access (least-privilege)
- Consistent staff training on phishing and social engineering, which is reviewed and updated regularly
- Antivirus and endpoint protection
- Firewall and email filtering tools
- Timely software updates and patching
- Proactive breach monitoring
- Constantly revise and update security policies and procedures
In attacks like this, employee awareness and vigilance remain the strongest line of defence.
How Breach Defence Helps SMEs Stay Protected
Breach Defence is our cyber risk management platform, ideal for commercial policyholders looking for a comprehensive, easy-to-use cyber protection tool. For insurers, this translates to fewer claims and a more secure book of clients..
Key features include:
- Dark web and hacker monitoring for signs of hacking activity
- Real-time alerts for breaches involving employee credentials
- A staff training portal with training courses, a cyber risk score and action plan and access to company policies
- Simulated phishing tests to build awareness and readiness
For Insurers and Brokers: Breach Check for Portfolio Monitoring
We also offer Breach Check, a fast, passive scanning tool that allows insurers and brokers to assess cyber risk across their commercial portfolios.
Both solutions are powered by the same industry-leading intelligence, and our data has helped us predict attacks up to 402 days in advance.
Get in Touch
If you offer a commercial insurance product and are looking for a way to improve loss ratios by helping your customers reduce their cyber risk, we’re here to help. Our software is designed to do just that—and we’d love the opportunity to show you what it can do.
For brokers and insurers looking to understand the cyber risk exposure of their commercial portfolios, we offer a completely free cyber risk scan. We can scan a sample of your clients to demonstrate how our tool identifies hidden cyber risks. The scan is 100% passive—all we need is a company’s domain name.
To learn more or book a demo, reach out to our friendly team at info@dynarisk.com. We’d love to hear from you.