Ransomware and cyberattacks are growing in both frequency and sophistication as the digital age develops. Having explored the UK Government’s approach to these new challenges previously, we have seen a recent explosion of ransomware attacks over the past few months, particularly targeting the British retail industry; most notably, the M&S cyber attack.
Matt Hull, a seasoned cybersecurity expert at NCC Group, highlights the 50% increase in ransomware cases in February 2025 compared to January, citing 886 cyber attacks. In light of this figure, Hull warns that “businesses should expect to be a target for cybercriminals and take a proactive approach to security, rather than waiting for potential threats to strike”. As we have seen in recent news, big high street names such as Harrods, Co-op, and M&S have been forced to deal with such threats head-on.
About M&S CyberAttack
Founded in 1884, Marks & Spencer is a much-loved brand not only of the British high street but also across the globe, with 434 stores located internationally. The new CEO, Stuart Machin, has tasked himself with the modernisation of the brand, to keep up with competitors in the industry and grow profits. Unfortunately, the sheer scale of the recent cyber incident has spread across the media, overshadowing the Group’s growing financial success, with last year’s profit of £716.4m (financial year 2023/4), and this year’s figure of £875.5m (financial year 2024/5).
Who Is Behind The M&S Cyber Incident?
The cybercriminals reportedly gained access to M&S’s IT systems as early as February, according to BleepingComputer; that said, the main disruption took place on the Easter bank holiday weekend. The initial message released on the 23rd of April announced delays to expected deliveries, as well as the decision to halt contactless payments and click and collect services. It wasn’t until the 25th of April that online orders were halted altogether, and remained offline until the 12th of June, with limited online stock available to be ordered.
It is important to note that M&S has not yet confirmed whether the cyber incident was in fact ransomware; nevertheless, it is generally considered to have been the case, as the details of the attack matches those of other ransomware breaches on British retailers. The BBC corroborates that “M&S has been hit with ransomware, which has scrambled the company’s servers, rendering their computer systems useless”.
The stolen and/or corrupted data includes personal information such as
- names
- home addresses
- phone numbers
- email addresses
- potentially dates of birth
- order history, but not payment details.
The incident has also affected M&S Food’s supply chain, with many stores seeing empty shelves and a regression to using pen and paper for operations teams. As a result, customers have been prompted to change their account passwords to reinforce security, as well as being advised to be cautious of phishing emails and scam calls. The disruption to the Group’s internal systems is expected to last until July.
What Does the Cyber Intrusion Mean For M&S?
There is controversy surrounding M&S’s way of dealing with the cyber breach. A previous M&S employee has accused the company of lacking a business continuity plan to suitably deal with a ransomware or cyber attack, and potentially points toward an explanation of why the event has had such a catastrophic effect on business operations.
On the other hand, it is important to note that another spokesperson from M&S claimed that “M&S has robust business continuity plans and processes in place for managing incidents led by an experienced team”. Stuart Machin, CEO, denies such allegations of poor planning, explaining that the attack was down to “human error”, rather than weakness in their cybersecurity: “threat actors only have to be lucky once, and we didn’t leave the door open, so [it] wasn’t anything to do with under-investment”, labelling the incident a “bump in the road” for M&S as mentioned in Financial Times.
How Has the Hack Impacted M&S’s Business?
Since the attack, M&S shares have dropped a collective 7%, with overall profit losses estimated by the Group at £300m, which they aim to mitigate through cost management, insurance, and other trading actions.
Of course, a cyber incident of this scale does not only affect a company financially, but also negatively impacts consumers’ trust in the brand, as Dan Coatsworth, investment analyst at AJ Bell acknowledges, M&S’s success is “built on trust”, and “the longer it takes to draw a line under the cyber incident, the greater the risk to Marks & Spencer’s reputation”.
What’s more, the attack came just at the wrong time, as “summer wardrobes are being decided now – and in a fiercely competitive market, once a customer has bought elsewhere, it’s not just one missed sale; it’s a whole season lost” (Kate Hardcastle MBE, consumer expert at Insight with Passion, iNews).
The return of online shopping after more than a month of disruption reflects a big step forward in M&S’s recovery from the cyber attack, with the company’s shares rising for the first time since the hack; however, they remain more than 9% below the April peak. The wider impact on the reputation of the much-loved brand will become clear over the next few weeks as the retailer tries to recover some of its lost profits.
How Are M&S Responding to the Cyber Attack?
In the face of such a devastating incident, Marks and Spencer’s options are limited, as the cybercriminals have maximalised disruption by corrupting the company’s data, therefore, rendering their IT systems useless. Even if M&S had chosen to speak with the hackers, there is no guarantee they would have regained control of their internal systems and recovered the stolen data. As discussed in a previous article, paying cybercriminals is heavily discouraged by most experts, hence, leaving the victim with the only other choice, which is to start fresh and rebuild the organisation’s internal IT systems from scratch. This, it appears, is what M&S are doing, as explained in a recent statement regarding the cyber attack; describing that they are looking to “make the most of the opportunity to accelerate the pace of improvement of our technology transformation” by reducing the projected time taken for such transformation from 2 years to 6 months.
How Will This Trend Affect British Retail?
The cyberattack on M&S has come amongst a wave of other attacks on British retailers, including Co-op, Harrods, The North Face, Cartier, and Victoria’s Secret, among others. Some brands are dealing with it better than others, Co-op, for instance, has been applauded for their quick decision making to take systems offline in order to “prevent a ransomware infection”, yet, despite this, “a huge amount of customer and staff data was stolen and is being held to ransom”.
In response to the recent spike in incidents, the National Cyber Security Centre (NCSC) has released guidance for businesses to review their password reset processes, as cybercriminals have been using social engineering tactics to manipulate IT support workers into changing passwords to unknowingly allow the hackers to access internal systems. There have also been reports of a technique called “credentials stuffing”, in the case of the attack on North Face for instance, where hackers use previous login details leaked in data breaches to access other accounts where consumers have reused usernames or passwords.
TenIntelligence’s Thoughts: Cyber Resilience in the Face of Hackers
The 2025 M&S cyber attack has proved itself to be more disruptive than anyone could imagine. It has damaged not only the Group’s financial performance, but also its reputation in the eyes of shoppers. As discussed, other British retailers are too suffering from the same weakness in their cybersecurity, with the ultimate result being leaked personal customer data.
The industry must be wary of these threats of cyber infections, as criminals become ever more savvy in how to breach complex IT systems to disrupt and derail business operations. The extent of the M&S cyber attack serves as a cautionary tale to other businesses to strengthen their cybersecurity defences, bolster their incident response plans, and invest in staff training against evolving cyber threats. Cybersecurity, to promote business continuity and consumer trust in our digital age, is a necessity, not an add-on.
For customers, may the recent cyber breaches in 2025 so far be a reminder to remain vigilant when it comes to phishing emails, scam calls, and password hygiene. Be sure to verify the validity of the messages you receive, change passwords regularly, use unique passwords, and never repeat login credentials for different online accounts.
Written by
Rebecca Hemingway | Due Diligence Analyst