The Marks & Spencer boss has confirmed that some of the personal data of customers have been accessed in a recent attack on the company.
However, the company said this does not include “available payment or card details” or passwords.
But M&S said it would be “extra peace of mind” and would prompt customers to change their password the next time they log in to their online account.
The company, which employs about 64,000 employees and operates 1,400 stores worldwide, is continuing to investigate violations.
This is what we know about M&S cyberattacks so far.
What happened to the M&S cyber attack?
Marks & Spencer first revealed a cyberattack after customers reported payment issues and delays on Monday, April 21.
M&S CEO Stuart Machin wrote in an email to shoppers: “For the past few days, M&S has been managing a cyber incident. To protect you and the business, it is necessary to make some minor changes to our store business for the time being, and I would sincerely be sorry if you experience any inconvenience.
“It is important that our stores remain open and our website and apps are functioning properly. No action is required at the moment and we will tell you if things change.”
M&S has approximately 64,000 employees and has more than 1,400 stores worldwide
PA wire
“It’s a very bad episode ransomware,” he said.
“It’s a highly destructive event, and for them, it’s a very difficult event.”
Dan Card, a network expert at the Chartered Institute BCS, told the BBC: “I suggest it’s a high confidence, it’s a ransomware-style event.”
“I describe these as digital bombs have disappeared. So there are existing challenges in technically and logically recovering … victim organizations will likely work around the clock to react and recover.”
Ransomware is a type of malware that locks or encrypts the victim’s data and requires payment (usually cryptocurrency) to restore access.
Who is behind the M&S cyberattack?
It said the team was suspected of violating the M&S system back in February 2025 and allegedly stole the NTDS.DIT file for the Windows domain, a sensitive database containing user credentials. It is also believed that they have used ransomware to encrypt part of the M&S infrastructure.
Also known as UNC3944, Octo Tempest or Muddled Libra, scattered spiders are reportedly known for adopting advanced social engineering strategies, including phishing and multifactorial authentication (MFA) fatigue attacks to penetrate large organizations.
Phishing tricks users into revealing sensitive information, while MFA fatigue involves bombing users with repeated login requests, hoping that they will approve one out of frustration or confusion.
According to reports
Alamy/PA
“Scattered spiders are one of the most dangerous and active hacker groups we are monitoring,” Graeme Stewart, head of public sector at security firm Check Point, Tell Sky News.
“Since they first appeared in 2022, they have been linked to more than 100 targeted attacks in the telecommunications, finance, finance, finance, finance and other industries, etc. Retail and gaming. ”
BleepingComputer reports that DragonForce Ransomware was deployed to the VMware ESXI host on April 24 to encrypt the virtual machine. The group reportedly gained access to the M&S system and has not been found for weeks.
Scattered spiders reportedly include young hackers, some of whom often participate in hacking forums, telegraph channels and discord servers. It is also believed that some members are related to “COM”, a looser affiliated community known for their network and the real world, already Attract media attention.
What impact does cyber attacks have on M&S?
Nayna McIntosh, former executive and founder of M&S Hope Fashion, said the decision to stop online orders is comparable to “cutting the limb.”
Susannah Streeter, Head of Currency and Markets Hargreaves Lansdown said the pause of online orders would “massive sales damage.”
“Fashion sales can cause a major blow, especially when summer ranges usually pile up in virtual baskets,” she added. “While other retailers are not immune to its destruction, the depth of the trademark and Spencer’s problems in addressing this issue are worrying, and it may take some time to win some more alert shoppers.”
Shares fell 2.2% to 377.3p on Monday morning, with the company’s market value slashing more than £700 million from its market value since the cyber attack.
After a cyber attack temporarily undermines part of its IT system, the store has left “limited availability” in some of its stores over the past week.
The UK retailer has been fighting the consequences of cyber incidents for more than a week, which has removed millions of dollars in market value.
It also has Reported Some stores (such as Liverpool) are forced to reduce food for Mass because of concern that stores are not as busy as usual.
