Marks & Spencer (M&S), a cornerstone of British retail, has recently suffered a significant data breach, with the DragonForce ransomware group claiming responsibility for the cyberattack. The attack, which began around Easter of 2025, has had far-reaching consequences, impacting not only M&S's online operations but also its physical stores and customer data.
The ransomware attack led to the suspension of online orders, causing considerable disruption to customers. Initially, the incident affected contactless payments and click-and-collect services, before M&S paused all online orders through its app and website. The company has since reopened its website, allowing customers to purchase a selection of fashion items, homeware, and beauty products for home delivery in England, Scotland, and Wales. Delivery to Northern Ireland and click-and-collect services are expected to resume in the coming weeks.
The cyberattack also impacted M&S's physical stores, with some shelves left empty due to disruptions in the supply chain. The company has acknowledged "pockets of limited availability" in some of its shops. Moreover, services such as gift card processing and returns were also affected.
According to reports, the attackers infiltrated M&S's IT systems as early as February 2025, deploying ransomware that encrypted critical systems and disrupted operations across all 1,049 stores. The hackers allegedly stole sensitive domain data, including user credentials, and employed a "DragonForce" encryptor to lock systems and demand a ransom.
M&S has revealed that some personal customer data was stolen during the attack. The compromised data could include contact details (such as names, email addresses, addresses, and telephone numbers), dates of birth, and online order history. However, the company has assured customers that the breach did not include usable card or payment details, or account passwords. As an extra precaution, M&S is prompting customers to reset their passwords the next time they log in to their accounts.
The financial impact of the cyberattack is substantial. M&S estimates that the incident could cost the company around £300 million, equivalent to a third of its profit. The company may seek up to $133 million in cyber insurance coverage to mitigate the financial damage. M&S has suffered approximately £40 million per week in lost sales.
M&S has blamed "human error" for the cyberattack, with fingers pointed at an employee of Tata Consultancy Services (TCS), which provides IT services to the retail giant. There are also claims from insiders that M&S did not have a proper plan in place for handling a ransomware incident, although the firm officially disputes this, saying it did have robust business continuity plans.
The DragonForce ransomware group has claimed responsibility for the attacks on M&S, as well as other UK retailers such as Co-op and Harrods. The group reportedly offers cyber-criminal affiliates various services on their darknet site in exchange for a 20% cut of any ransoms collected.
The National Cyber Security Centre (NCSC) is providing assistance to M&S and other affected retailers. M&S is working with suppliers and partners to contain the incident and stabilize operations, taking proactive measures to minimize disruption for customers. The company also says it is seeking to accelerate the pace of its technology transformation and has found new ways of working during the incident.
The M&S data breach serves as a stark reminder of the growing threat of cyberattacks and the importance of robust cybersecurity measures. Companies must have comprehensive, tested plans in place to remediate ransomware attacks and other types of cybersecurity breaches. They should also carefully evaluate whether they are doing enough to defend their systems from concerted attacks by hackers, whether they arrive directly or via a third-party supplier.