Marks & Spencer (M&S), the UK retail giant, has suffered a major cybersecurity breach attributed to the notorious “Scattered Spider” ransomware group, leading to widespread operational disruptions.
The cyberattack, confirmed last week, has forced M&S to suspend all online orders across its UK, Ireland, and some international platforms.
The breach has also disrupted contactless payments, gift card transactions, and click & collect services.
According to sources, the attack began in February, when hackers stole sensitive credentials by extracting the NTDS.dit file, the Microsoft Active Directory database that stores password hashes for domain accounts.
The stolen credentials allowed lateral movement across the network.
On April 24, the attackers deployed the DragonForce ransomware, targeting M&S’s VMware ESXi infrastructure, effectively crippling virtual machines and backend systems.
M&S has enlisted the help of cybersecurity firms including CrowdStrike, Microsoft, and Fenix24 to manage the breach and recover operations.
Though the company has remained tight-lipped on technical details, industry experts identify Scattered Spider—also known as Octo Tempest and UNC3944—as the likely perpetrators.
The group is known for sophisticated social engineering, phishing, MFA bombing, and SIM swapping techniques.
Analysts warn that M&S’s brand reputation has taken a hit.
With roughly one-third of its UK clothing and home goods sales occurring online, the timing—coinciding with seasonal shopping surges—could translate into lost market share.
While contactless payments have resumed and some click & collect services are functional, many customers remain frustrated by ongoing issues and a lack of clear updates.
Despite the setback, retail experts believe M&S’s quick acknowledgment and active response may limit long-term damage.
However, cybersecurity professionals caution that the evolving tactics of ransomware groups like Scattered Spider underscore the urgent need for stronger digital defenses across all sectors.