Marks & Spencer (M&S) confirmed that its recent ransomware incident was the result of a highly sophisticated impersonation attack targeting its third-party supplier network. The breach ultimately enabled the deployment of the notorious DragonForce ransomware, causing significant disruption to the company’s operations and impacting millions of customers.
Attack Details and Timeline
According to M&S, the initial breach occurred when cybercriminals successfully impersonated a user associated with a key third-party supplier. Investigators believe the attackers employed advanced social engineering techniques, possibly including deepfake technology and urgent, convincing communications, to bypass standard security protocols. This allowed the attackers to gain unauthorized access to the supplier’s systems, which in turn provided a pathway into M&S’s internal network.
Once inside, the attackers escalated their privileges and moved laterally across the organization’s digital infrastructure. These steps laid the groundwork for the deployment of DragonForce ransomware, a cybercriminal tool known for its double extortion tactics, which involve both encrypting data and threatening to leak sensitive information unless a ransom is paid.
Operational and Financial Impact
The ransomware attack had a profound effect on M&S’s operations. Online ordering and digital services were suspended for nearly seven weeks, while some in-store payment systems and stock availability were also affected. Although physical stores remained open, the disruption led to an estimated £300 million loss in operating profit. The company’s share value dropped by more than 15% following the public disclosure of the breach.
M&S confirmed that while customer names, contact details, addresses, and order histories were compromised, payment card information and passwords were not affected.
Response and Recovery
In response to the incident, M&S collaborated closely with UK and international authorities, including the National Crime Agency and the FBI, to investigate and contain the breach. The company has since begun restoring online services and expects a full operational recovery by August 2025.
To prevent future incidents, M&S is investing in enhanced cybersecurity measures, implementing stricter controls, and providing additional training for staff to better recognize and respond to social engineering threats.
Lessons and Industry Implications
This incident highlights the growing threat posed by sophisticated impersonation and supply chain attacks. As organizations increasingly rely on third-party vendors, the need for robust security protocols and vigilant monitoring becomes ever more critical.
M&S’s experience serves as a stark reminder to businesses worldwide: cybercriminals are continually evolving their tactics, and even the most established companies are not immune to advanced, targeted attacks.
For further information, M&S has established a dedicated helpline and is providing ongoing updates to affected customers via its website.