Marks & Spencer Breach: ₹7,000 Crore Blow After Cyberattack, ₹31 Crore Daily Loss

By Titiksha Srivastav - Assistant Editor

A sophisticated cyberattack orchestrated by the elusive “Scattered Spider” group has paralyzed Marks & Spencer’s operations, leading to daily losses of over £3 million, suspended online orders, IT lockouts, and fears of deep consumer trust erosion. As British retail reels, the broader cyber threat landscape emerges darker and more complex than ever.

Chaos at the Core: How the Attack Unfolded

Retail giant Marks & Spencer (M&S)—a symbol of British commerce—has found itself in the grip of one of the most disruptive cyberattacks to hit the UK high street in recent memory.

Since April 24th, the company’s core systems have been compromised by ransomware, crippling contactless payments, suspending online orders, and forcing its Castle Donington logistics hub to send nearly 200 workers home due to halted digital workflows.

The company, employing over 64,000 people globally and operating in 1,400+ stores, is reportedly losing more than £3 million per day in online sales alone. The financial repercussions are immediate and severe—share prices plunged 7%, wiping £650m–£700m from market value in mere days.

While M&S initially remained tight-lipped, multiple cybersecurity sources confirmed to BleepingComputer that the attack was carried out by the “Scattered Spider” gang, a sophisticated English-speaking collective also known as Octo Tempest, 0ktapus, or UNC3944. The ransomware variant used was DragonForce, deployed specifically against VMware ESXi hosts, crippling the company’s virtual infrastructure.

The Threat Within: Who Are Scattered Spider?

The hacking group behind the attack, Scattered Spider, is not a typical ransomware gang. Instead, it is a fluid and loosely organized coalition of young hackers (some as young as 16), skilled in social engineering, SIM swapping, MFA fatigue attacks, and impersonation of IT personnel.

The group reportedly breached M&S in February 2025, stealing the NTDS.dit file, a highly sensitive Windows Active Directory database that includes encrypted password hashes.

These credentials enabled lateral movement across the M&S network, allowing the attackers to steal data and eventually encrypt critical systems. Their signature approach mirrors the MGM Resorts breach in 2023—another attack where they impersonated employees to infiltrate IT support systems.

Security analysts say Scattered Spider has evolved into a white-label affiliate for ransomware operations, collaborating with groups like RansomHub, Qilin, and now DragonForce, expanding their reach across sectors.

Consumer Fallout and Industry Alarm

The visible consequences are dire. Online orders have been halted, staff working from home are locked out of systems, and contactless payments are down, prompting long lines, confusion, and operational chaos. The National Cyber Security Centre (NCSC) has launched an investigation, though no official attribution has been confirmed by M&S.

The timing couldn’t be worse. With summer wardrobes being decided, and competitors like Next, Zara, and H&M rolling out collections and deals, any friction in M&S’s buying journey translates to lost customers.

Matt Hull of NCC Group warns that the M&S incident isn’t an anomaly. February 2025 saw a 50% rise in ransomware cases, and sectors holding large data volumes remain prime targets.

Lessons and the Road Ahead

Despite M&S quickly bringing in CrowdStrike, Microsoft, and Fenix24 to aid in mitigation, the larger picture remains worrying. Experts caution that malicious actors often launch secondary attacks amidst recovery efforts, exploiting chaos and diverted defenses.

Robert Cottrill of ANS Group summarized the sentiment across the industry:

“In the aftermath of a cyber incident, we often see a spike in related malicious activity, as attackers look to exploit confusion and disruption.”

M&S has publicly stated it does not store customer data, a claim that offers minor relief but does not stem the reputational damage already underway.
