Marks & Spencer encountered a cyber attack in April 2025. It took over 45 days for the attack to be remediated. We look at the details of this cyber incident.
There are lessons for everyone in this breach because it involved social engineering to gain initial access to the targeted infrastructure of Marks & Spencer.
When did the Marks & Spencer cyber attack happen?
Marks & Spencer experienced a cyber attack between 19 and 21 April 2025. This coincides with the Easter holidays in the UK.
Here is a timeline of the cyber attack targeting Marks & Spencer in April and May 2025.
- The M&S cyber attack took place between 19 and 21 April 2025.
- M&S confirmed the disruption to its IT infrastructure on 22 April 2025.
- On 25 April 2025, M&S stopped online sales as the entire system was impacted due to the reported cyber attack.
- On 13 May 2025, M&S confirmed that some customers' personal data was reported stolen.
- On 10 June 2025, M&S resumed online sales in a limited way.
What type of cyber attack targeted Marks & Spencer in April 2025?
The Marks & Spencer cyber attack in April 2025 is confirmed to be a ransomware attack. Data was stolen and encrypted rendering the systems unusable for taking online orders by Marks & Spencer.
It is unclear if Marks & Spencer paid any ransom to recover data or resurrect its IT systems.
Which threat actor caused the cyber attack on Marks & Spencer in April 2025?
The ransomware attack on Marks & Spencer was carried out by threat actors from the group Scattered Spider. The group comprises English-speaking hackers who use advanced social engineering techniques to compromise target infrastructure.
How did the Marks & Spencer cyber attack happen?
The investigation report by Marks & Spencer suggests the use of advanced social engineering techniques to compromise the M&S infrastructure and networks.
Marks & Spencer had an active Service Desk contract with the India-based IT conglomerate TCS (Tata Consultancy Services).
The security report suggests the following techniques were used by the threat actors:
- English-speaking threat actors contacted the service desk of Marks & Spencer.
- The threat actor used social engineering to hoodwink the service desk executive. The hacker is reported to have impersonated a senior employee of Marks & Spencer.
- By impersonating a senior employee, the hacker reportedly obtained a password reset and thereby gained access to the infrastructure.
- The hacker altered the password reset process of M&S to access the infrastructure.
- Once inside the system, the hackers used lateral movement to traverse the network and infrastructure.
- During the course of the cyber attack, data was stolen and encrypted in order to demand a ransom.
How is TCS connected to Marks & Spencer cyber attack?
TCS is not directly connected to the cyber attack on Marks & Spencer. It did not provide Cybersecurity services to Marks & Spencer.
- TCS does not provide cybersecurity services to Marks & Spencer.
- TCS had a decade-old relationship with Marks & Spencer.
- TCS only offered Service Desk services to Marks & Spencer. This means that service technicians take calls to resolve IT infrastructure related issues.
- Service desk technicians have limited access to the client infrastructure. Generally, the service desk technicians cannot go beyond user account management.
In the case of the Marks & Spencer cyber attack, a TCS Service Desk employee was tricked by an English-speaking hacker belonging to the Scattered Spider group. It is unclear whether the Service Desk technician shared a temporary password or sent a password reset email to the caller.
But it is clear that there may have been a flaw in the password reset and authentication process used by the Service Desk employee. Normally, Service Desk technicians follow a script set by the client to perform password resets or hand out temporary passwords to the caller.
The actual cyber attack and incident would be directly caused by a security vulnerability within Marks & Spencer's network or IT infrastructure. Since this infrastructure or network was managed by another third party, it would be prudent to say that the actual cyber incident was caused by existing security vulnerabilities or unpatched systems.
I do not see how TCS could be blamed for this cyber incident. This surmise is based on the available data and evidence of the said cyber attack on Marks & Spencer.
What is the impact of the cyber attack on Marks & Spencer?
The following impact has been quantified after Marks & Spencer cyber attack:
- Online sales through Marks & Spencer website were impacted for 46 days.
- Online sales stopped on 25 April 2025. The sales were restored on 10 June 2025.
- The financial impact on Marks & Spencer is estimated to be in the range of £300 million.
Some users have reported that TCS lost its Service Desk contract after this cybersecurity breach. For the record, both companies confirmed that the Service Desk contract was awarded to another third-party supplier sometime in January 2025, whereas the actual cyber attack happened in April 2025.
What is the learning from the Marks & Spencer cyberattack of April 2025?
There are some very simple lessons for everyone in the Marks & Spencer cyber incident:
- Create, maintain, and audit Service Desk scripts so that threat actors cannot use social engineering through the Service Desk to obtain credentials or resets.
- Always keep your systems fully patched to prevent security vulnerabilities from being used by threat actors to steal or encrypt data.
- Use better network segmentation to limit the scope of cyber attacks.
- In this case, Marks & Spencer could have placed the online sales systems for England, Wales and Ireland in different network segments.
- Always be very wary of cyber attacks during extended holidays such as Easter, Thanksgiving and the Christmas season. During these periods, monitoring of infrastructure and networks must be carried out proactively to preempt any potential cyber incident.
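As an added example, and not M&S's or TCS's actual process nor code from the original post, the following Python sketch shows what an auditable Service Desk reset script from the first and last lessons above can look like: a caller's claimed seniority never counts as verification, privileged accounts need a callback to the registered number plus manager approval, and any request during a holiday window is routed to security on-call. The holiday dates, account names, and verification step names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed policy data (assumptions, not M&S or TCS configuration):
# the UK Easter weekend 2025 and a short list of high-privilege accounts.
HOLIDAY_WINDOWS = [(date(2025, 4, 18), date(2025, 4, 21))]
PRIVILEGED_ACCOUNTS = {"it.admin", "finance.director"}
# Verification steps that actually prove identity; a caller's claimed role never does.
STRONG_VERIFICATION = {"registered_callback", "mfa_push_confirmed", "manager_approval"}
PRIVILEGED_REQUIRED = {"registered_callback", "manager_approval"}

@dataclass
class ResetRequest:
    ticket_id: str
    account: str
    requested_on: date
    caller_claim: str                       # what the caller said about themselves
    verifications: set = field(default_factory=set)  # steps the agent completed

def evaluate_reset_request(req: ResetRequest) -> tuple[str, list[str]]:
    """Return ("deny" | "escalate" | "issue", reasons) for a help-desk reset."""
    reasons = []
    if not (req.verifications & STRONG_VERIFICATION):
        reasons.append("no out-of-band verification; claimed role '%s' is not proof" % req.caller_claim)
        return "deny", reasons
    in_holiday = any(start <= req.requested_on <= end for start, end in HOLIDAY_WINDOWS)
    if in_holiday:
        reasons.append("holiday window: notify security on-call for proactive review")
    if req.account in PRIVILEGED_ACCOUNTS:
        missing = PRIVILEGED_REQUIRED - req.verifications
        if missing:
            reasons.append("privileged account missing %s" % sorted(missing))
            return "escalate", reasons
        if in_holiday:                      # privileged reset on a holiday is never self-service
            return "escalate", reasons
    reasons.append("verification complete")
    return "issue", reasons

def audit(tickets):
    """Run the policy over a batch of tickets; returns {ticket_id: decision}."""
    return {t.ticket_id: evaluate_reset_request(t)[0] for t in tickets}

# Constructed sample tickets; T-1001 mirrors the pattern described in the post.
SAMPLE_TICKETS = [
    ResetRequest("T-1001", "it.admin", date(2025, 4, 19), "senior manager", {"knew_employee_id"}),
    ResetRequest("T-1002", "jane.doe", date(2025, 4, 23), "store colleague", {"mfa_push_confirmed"}),
    ResetRequest("T-1003", "finance.director", date(2025, 4, 30), "director", {"registered_callback"}),
    ResetRequest("T-1004", "it.admin", date(2025, 4, 20), "IT lead", {"registered_callback", "manager_approval"}),
]
```

The returned reasons list is what should land in the ticket's audit trail, so a later review can see which verification steps were actually performed rather than what the caller claimed.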
It is clear that threat actors have become more advanced. Social engineering, vishing and phishing continue to be easy methods used by threat actors to gain initial access to target infrastructure or networks.