Flash Report: Marks & Spencer Cyber Incident
by ZeroFox Intelligence

Key Findings
- On April 22, 2025, Marks & Spencer (M&S), one of the United Kingdom’s leading retailers, publicly confirmed that it was managing a cyber incident.
- While M&S has not officially stated a cyberattack has occurred, the characteristics observed in this incident are consistent with ransomware attacks.
- Investigations remain ongoing, with M&S confirming it has called in the UK’s National Cyber Security Centre to assist in containing and resolving the incident. M&S has also reported the incident to the Information Commissioner’s Office (ICO).
- The M&S cyber incident highlights the growing cybersecurity risks faced by the UK retail sector. Disruption to services critical to customer experience can have an immediate impact on reputation and consumer trust.
Details
On April 22, 2025, Marks & Spencer, one of the UK’s leading retailers, publicly confirmed that it was managing a cyber incident. As part of subsequent containment efforts, M&S paused online orders across the UK and Ireland. Although stores remained open and online browsing accessible, this cyber incident led to publicly noticeable service disruptions across multiple services critical to customer experience and business operations.
Customers were forced to use chip-and-PIN or cash for in-store transactions, as contactless payment services were disrupted. Although online browsing remains available, M&S has restricted all transactional services to protect its systems.
M&S shares have experienced volatility since the announcement of the cyber incident, dropping approximately 5 percent. Since the reported cyber incident, customers have publicly expressed dissatisfaction on social media platforms. In response to the growing frustration, CEO Stuart Machin issued a public apology to customers, acknowledging the disruption and highlighting that the business is taking proactive steps to contain and resolve the incident.
Investigations remain ongoing, with M&S confirming it has sought the UK’s National Cyber Security Centre’s assistance in containing and resolving the incident. M&S has also reported the incident to the Information Commissioner’s Office (ICO).
Analyst Commentary
While M&S has not officially confirmed a cyberattack occurred, the disruption of online services and payments—coupled with the pre-emptive suspension of online orders and the lack of publicly available detail around the nature of the incident—indicates that this incident is likely linked to a ransomware attack. Reports have emerged suggesting the threat collective Scattered Spider, a financially motivated threat group known for targeting large organizations using social engineering and extortion tactics, may be behind the attack. However, attribution to this threat collective remains unconfirmed as of this writing.
The M&S cyber incident highlights the growing cybersecurity risks faced by the UK retail sector. Disruption to services critical to customer experience can have an immediate impact on reputation and consumer trust. As retailers continue to expand their digital operations, they become increasingly appealing to threat actors seeking to disrupt critical operations, compromise sensitive customer data, or exploit vulnerabilities. In an increasingly competitive retail space, safeguarding customer information and preserving the availability of services is essential even in the midst of a cyber incident, not only for regulatory compliance but also to protect brand image and maintain customer trust.
Scattered Spider Overview
Scattered Spider is a financially motivated threat collective that conducts advanced social engineering and digital extortion attacks and was first observed in approximately May 2022. The collective—which is composed of native English-speaking members from Europe and the United States—has been observed collaborating with other prominent extortion collectives, such as RansomHub and the now-defunct ALPHV/BlackCat.
Scattered Spider campaigns are well-organized and prolific. The group exhibits a high operational tempo and fluidity, leveraging an extensive toolkit to compromise and maintain persistence in secure environments and rapidly exfiltrating large volumes of data.
High-profile incidents attributed to Scattered Spider include attacks on Twilio, MGM Resorts, and Caesars Entertainment. In August 2022, the collective compromised Twilio via SMS phishing, gaining access to the personal information of 163 Twilio customers. In September 2023, Scattered Spider used help desk impersonation to breach MGM Resorts, deploying ransomware that caused outages across hotel and casino services. Around the same time, the group accessed sensitive customer data from Caesars Entertainment and extorted a USD 15 million ransom to prevent the leaking of the data.
Scattered Spider performs highly targeted social engineering attacks and leverages various techniques, including voice phishing (vishing) and SMS phishing (smishing) using victim-specific crafted domains and SIM-swapping to harvest credentials and bypass multi-factor authentication (MFA). Scattered Spider also utilizes Azure Data Factory to alter data pipelines and facilitate the extraction of large data volumes.
These tactics reveal the group’s focus on deep, persistent network infiltration, which often outmaneuvers traditional security systems. Scattered Spider leverages common endpoint detection and response (EDR) tools installed on victim networks to maintain endpoint access. The group exploits these tools’ remote-shell capabilities and executes commands that elevate access.
Consistent with typical ransomware operations, Scattered Spider frequently communicates with victim organizations and their personnel directly after encryption to negotiate or extort the ransom, providing samples of exfiltrated data. The group has historically been observed leveraging the now-defunct ALPHV data leak site as part of its extortion attempts.
Scattered Spider’s techniques—such as tampering with security personnel accounts to impair security products and automatically delete emails—indicate high technical prowess, making it harder for traditional security measures to detect or prevent the group’s activities.
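Two of the account-tampering patterns described above (help-desk-driven credential resets followed by new MFA enrolment, and inbox rules that silently delete security alert mail) lend themselves to simple audit-log detections. The following is an added illustration, not part of the ZeroFox report; the event schema and the sample events are constructed, and the sender keyword list is an assumption to be tuned per environment.

```python
"""Detection logic for two Scattered Spider-style account-tampering patterns,
run over constructed audit events (hypothetical schema, not a vendor format)."""
from datetime import datetime, timedelta

# Assumed keywords that identify security-tooling senders; tune per environment.
SECURITY_SENDERS = ("security", "soc", "edr", "alert", "siem")

# Constructed sample events. Fields are an assumed generic schema.
EVENTS = [
    {"ts": "2025-04-20T09:00:00", "user": "analyst1", "action": "helpdesk_password_reset", "detail": ""},
    {"ts": "2025-04-20T09:04:00", "user": "analyst1", "action": "mfa_method_registered", "detail": "phone:+15550000000"},
    {"ts": "2025-04-20T09:10:00", "user": "analyst1", "action": "inbox_rule_created",
     "detail": "from:edr-alerts@vendor.example;action:delete"},
    {"ts": "2025-04-20T11:00:00", "user": "bob", "action": "inbox_rule_created",
     "detail": "from:newsletter@shop.example;action:move"},
    {"ts": "2025-04-21T08:00:00", "user": "carol", "action": "helpdesk_password_reset", "detail": ""},
    {"ts": "2025-04-22T08:00:00", "user": "carol", "action": "mfa_method_registered", "detail": "phone:+15550000001"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def reset_then_new_mfa(events, window=timedelta(hours=1)):
    """Users who register a new MFA method within `window` of a help-desk reset.

    A legitimate reset is usually followed by a login, not a new MFA factor;
    a fresh factor minutes after the reset is the social-engineering signature."""
    last_reset = {}
    hits = []
    for ev in sorted(events, key=_ts):
        if ev["action"] == "helpdesk_password_reset":
            last_reset[ev["user"]] = _ts(ev)
        elif ev["action"] == "mfa_method_registered" and ev["user"] in last_reset:
            if _ts(ev) - last_reset[ev["user"]] <= window:
                hits.append(ev["user"])
    return hits


def rules_hiding_security_mail(events):
    """Inbox rules that delete or move mail from security-related senders,
    i.e. the auto-delete behaviour used to blind the victim's responders."""
    hits = []
    for ev in events:
        if ev["action"] != "inbox_rule_created":
            continue
        fields = dict(kv.split(":", 1) for kv in ev["detail"].split(";"))
        sender = fields.get("from", "").lower()
        if fields.get("action") in ("delete", "move") and any(k in sender for k in SECURITY_SENDERS):
            hits.append((ev["user"], sender))
    return hits
```

Both detections are intentionally narrow; in practice the reset event should be correlated with the help-desk ticket and the caller's verified identity before it is treated as benign.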
Appendix A: Traffic Light Protocol for Information Dissemination
Appendix B: ZeroFox Intelligence Probability Scale
All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.
Scope Note
ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 8:00 AM (EDT) on April 30, 2025; per cyber hygiene best practices, caution is advised when clicking on any third-party links.