Marks & Spencer admits customer data stolen in devastating £1bn cyber hack

By Staff Writer, May 13, 2025
(Source – Shutterstock / Simon Vayro)

Marks & Spencer has today confirmed that personal customer data was stolen in the catastrophic cyber-attack that has paralysed the high street stalwart for more than two weeks and wiped over £1 billion off its market value.

The retailer admitted that some shoppers’ contact details, dates of birth and order histories were accessed by cyber criminals in what is now understood to be a large-scale ransomware attack carried out by the DragonForce hacking cartel.

Although M&S insists that no payment details, passwords or account credentials were compromised, the admission marks a major escalation in what is fast becoming one of the UK’s most damaging corporate cyber incidents in years.

The scale of the breach is still emerging. It remains unclear exactly how many of M&S’s 9.4 million active online customers have been affected. The firm has begun contacting impacted individuals, with CEO Stuart Machin stating: “Unfortunately, some personal customer information has been taken. Importantly, there is no evidence that the information has been shared. Everyone at M&S is working around the clock to get things back to normal and we are very sorry for any inconvenience caused.”

The attack, which took place over the Easter weekend, has already forced M&S to suspend all online orders since 25 April, with its website and app still offline more than two weeks later. In-store availability has also been affected, with some shelves left empty and click-and-collect services disrupted.

Deutsche Bank estimates the crisis is costing M&S around £15 million in lost profits each week, with a total hit of £30 million and counting. Shares have plunged over 12 per cent since the breach was disclosed, dropping 4.7 per cent today alone and leaving the company with a market capitalisation of £7.4 billion.

In an effort to contain the threat, M&S has also suspended all job applications via its website and pulled numerous backend systems offline.

Cyber security experts are warning that even in the absence of financial data, the stolen information could be exploited by criminal networks to launch targeted scams and phishing attacks. Matt Hull, head of threat intelligence at NCC Group, warned: “Despite the absence of card details or passwords, threat actors could use the stolen information to craft highly convincing social engineering campaigns. Cyber criminals are also likely to sell this data on the dark web, putting customers at further risk.”

Sam Kirkman of NetSPI said: “Victims should monitor their credit reports and stay vigilant. Scammers may use personal details such as name, address and date of birth to convincingly impersonate trusted organisations.”

As investigators dig deeper, more is being learned about who was behind the hack. Responsibility for the attack has been claimed by the DragonForce ransomware cartel, a group which runs a cybercrime affiliate programme allowing other hackers to lease its malware and infrastructure.

Cybercrime investigators believe the breach was executed using DragonForce’s tools, although tactics used in the M&S attack bear hallmarks of the notorious English-speaking teenage hacking gang known as Scattered Spider.

That group, believed to include around 1,000 young men and teenagers across the UK and US, has been linked to past attacks on major firms including MGM Resorts and Caesars Entertainment. The group is known to use malware developed by Russia-linked group BlackCat/ALPHV, suggesting a transnational collaboration.

The National Crime Agency (NCA), dubbed Britain’s FBI, is now leading the investigation. It is also probing recent cyber attacks on Co-op and Harrods, both of which appear to be linked to the same criminal networks.

The breach has drawn renewed attention to Tyler Buchanan, a 23-year-old Brit believed to be a ringleader of Scattered Spider. Buchanan was arrested in Palma, Mallorca last summer and extradited to the US in April, where he faces charges of wire fraud, identity theft and cryptocurrency theft totalling more than £20 million.

His arrest followed an attack on his mother’s home in Dundee, where armed men allegedly burst in with blowtorches, demanding access to his crypto wallets. According to encrypted Telegram messages, the assault was ordered by a rival gang.

As the company works to restore its systems, M&S has issued guidance to its customers. In an email, operations director Jayne Wall warned of potential phishing attempts and reminded recipients: “You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious.”

The company is also prompting customers to reset their passwords “for peace of mind” and reaffirmed it would never request account details via email or phone.

Meanwhile, the cyber attack has triggered disruption across the supply chain. Sandwich-maker Greencore has reverted to pen-and-paper systems, while beauty brand Nails Inc said it was “nervous” about an upcoming launch due to the uncertainty.

Customers have also reported that some M&S stores were still unable to fulfil meal deal offers, while others displayed signs apologising for “technical issues affecting product availability”.

Retail analyst Catherine Shuttleworth told the BBC: “M&S is one of the most trusted brands in the land and shoppers hold it to the highest standard. So far, customers have been supportive — but the revelation that their data has been stolen is a further blow.”

The Information Commissioner’s Office (ICO) is investigating the incident, alongside a probe into the attack on Co-op. The National Cyber Security Centre (NCSC) has warned that cyber criminals are increasingly impersonating IT help desks to breach corporate defences — a tactic often used by Scattered Spider.

National Security News will continue to follow this developing story as more details emerge.
