Marks & Spencer (M&S), one of the UK’s leading retailers, is currently grappling with a significant cybersecurity incident that has disrupted key services across its operations. This blog post aims to provide a detailed timeline of the events, the current status of the incident, and the affected services.
Timeline of Events
Saturday, April 19, 2025 (Easter Weekend)
- Initial Reports: Customers began reporting issues with M&S store operations, specifically with contactless payments and click-and-collect services. Social media posts highlighted problems, such as a shopper in Plymouth who was unable to collect an online purchase or return an item because tills were down. Another customer in Beckenham, London, reported similar issues with pickups and returns.
Monday, April 21, 2025
- Cybersecurity Incident Begins: The incident officially began, impacting contactless payments and click-and-collect services across M&S stores nationwide. Customers reported widespread disruptions, including the inability to use gift cards or vouchers in some stores. Shoppers voiced frustrations on social media, describing operational chaos, such as stores unable to process returns or hand over click-and-collect orders.
Tuesday, April 22, 2025
- Morning (Before 14:31 BST): M&S officially confirmed the cybersecurity incident in a filing with the London Stock Exchange and notified relevant authorities, including the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO). The retailer stated it had been “managing a cyber incident” for the past few days, necessitating “minor, temporary changes” to store operations to protect customers and the business. Stores remained open, and the website and app were reported as operational. M&S engaged external cybersecurity experts to investigate and manage the incident.
- 14:31 BST: Reuters reported M&S’s acknowledgment of the cyber incident, noting temporary operational changes but no specifics on the nature of the attack.
- 14:57 BST: The Guardian published a report detailing the incident’s impact on contactless payments and click-and-collect services, with M&S apologizing for delays.
Current Status and Impact
As of now, M&S continues to manage the cybersecurity incident with the help of external experts. The primary services affected include:
- Contactless Payments: Customers are experiencing difficulties with contactless payments in stores, leading to delays and frustrations.
- Click-and-Collect Services: The ability to pick up online orders in-store has been disrupted, causing inconvenience for customers who rely on this service.
- Gift Cards and Vouchers: Some stores are unable to process gift cards or vouchers, adding to the operational challenges.
M&S has assured customers that its website and mobile app remain operational, allowing for online shopping and other digital services. The company is working diligently to resolve the issues and restore normal operations as quickly as possible.
Conclusion
The ongoing cybersecurity incident at M&S highlights the critical importance of robust cybersecurity measures in the retail sector. As the investigation continues, M&S is taking necessary steps to mitigate the impact on its customers and business operations.
Update 29th April 2025
Cyberattack at Marks & Spencer involves Scattered Spider hackers
The disruptions have been traced back to a ransomware attack that encrypted M&S’s servers. The breach may have occurred as early as February, with attackers reportedly accessing the NTDS.dit file, the Active Directory database stored on Windows domain controllers. This file contains the password hashes of domain accounts, so an attacker who obtains it can work to recover credentials offline and use them for unauthorised access to the network.
According to a BleepingComputer report, attackers allegedly deployed the DragonForce encryptor on VMware ESXi hosts, targeting virtual machines. In response, M&S has engaged cybersecurity firms CrowdStrike, Microsoft, and Fenix24 to assist in the investigation and response efforts.
Scattered Spider is known for employing advanced social engineering techniques, including phishing and multi-factor authentication fatigue attacks, to gain unauthorised network access.