Marks and Spencer Confirms Data Breach Following April Cyber Attack
Marks and Spencer Group plc (M&S) has confirmed that adversaries successfully infiltrated its systems during a ransomware attack in April, leading to the theft of customer data. The company previously reported managing a cyber incident with the assistance of external cybersecurity professionals, which included interruptions to card payments, gift cards, and its Click and Collect services.
Following the detection of the cyberattack, M&S promptly altered its store operations to safeguard its customers and business continuity. In a public statement, the company emphasized, “Our stores remain open and our website and app are functioning as usual,” while expressing regret for any disruptions experienced by customers. The company has also engaged cybersecurity experts to aid in the investigation.
M&S promptly notified relevant data protection agencies and the National Cyber Security Centre about the incident, although it has not disclosed intricate technical details regarding the attack. Founded in London in 1884, M&S is a prominent British retailer recognized for its clothing, home goods, and food products. The firm has a strong presence in the UK market and is part of the FTSE 100 Index.
The perpetrator group, known as DragonForce, has claimed responsibility for the attack on M&S and has also targeted other retailers, including Co-op and Harrods. Reports indicate that DragonForce affiliates used social engineering tactics associated with Scattered Spider to compromise M&S's virtual machines.
In a recent cyber update, M&S acknowledged the breach and outlined the steps taken in response: “We took immediate measures to protect our systems and have been collaborating closely with government bodies and law enforcement.” The company confirmed that while some personal data was accessed, there is no evidence suggesting it has been disseminated. The compromised data could include contact details, date of birth, and online order history, but it does not include usable payment card information or account passwords.
M&S also noted that certain customer reference numbers linked to credit cards or Sparks Pay services might be among the stolen data. Although the firm insists that sensitive details remain secure, customers are advised to exercise caution against potential phishing attempts that exploit the stolen contact details and order history, as M&S will never request personal information via email or text.
To bolster cybersecurity awareness, M&S encourages customers to adopt best practices, such as using unique passwords for different accounts, frequently updating devices, and remaining vigilant in their interactions online. For further information on protecting personal data, customers can visit the National Cyber Security Centre’s website.
This incident highlights the ongoing threats faced by organizations in today's digital landscape. The methods employed by the attackers align with tactics outlined in the MITRE ATT&CK framework, including initial access and privilege escalation, demonstrating the complexity of modern cyber threats.
As the situation develops, business owners are urged to remain informed and proactive in their cybersecurity measures.
(SecurityAffairs – hacking, M&S)