Marks & Spencer (M&S), the iconic British retailer, has lately been in the spotlight for the wrong reasons. The brand is grappling with the aftermath of a significant ransomware attack that has disrupted its business and raised concerns about supply-chain vulnerabilities across the retail sector.
The incident, which came to light in mid-April, began when cybercriminals impersonated a trusted third-party contractor and convinced M&S’s staff to reset system credentials. This social engineering tactic gave the attackers access to the retailer’s internal networks, where they went on to deploy the DragonForce ransomware strain.
Operations Disrupted and Financial Toll
As a result, M&S was forced to shut down its online clothing and furniture operations, leaving customers unable to place orders or access parts of the retailer’s digital services. The financial toll has been severe, with the company estimating losses of up to £300 million in operating profits. M&S has since been working with UK law enforcement and the FBI to investigate the breach and determine the full extent of the damage.
In statements to the press, M&S leadership confirmed that while its food operations and physical stores remained unaffected, the online business would likely not be fully restored until October or November 2025. That is roughly six months with the online business halted, a significant financial strain that may take the brand even longer to recover from.
Call for Mandatory Disclosure Laws
Chairman Archie Norman has used the incident as a platform to call for changes in UK legislation, urging the government to introduce mandatory disclosure laws for significant cyber incidents. He expressed concern that other major breaches in the UK have gone unreported, depriving businesses of critical threat intelligence that could help prevent similar attacks.
Lessons for the Industry
This attack on M&S highlights the growing threat posed by sophisticated ransomware groups, particularly those willing to exploit trusted business relationships through social engineering. Cybersecurity experts warn that even with advanced technical controls in place, organizations remain highly vulnerable to human error or manipulation. As businesses across industries increasingly rely on complex digital ecosystems and external vendors, the need for stronger third-party risk management and rapid incident disclosure has never been more urgent.
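The attack chain described above (a help-desk credential reset obtained by impersonation, followed by access to the network) leaves a detectable trace in identity audit logs. The following is an added illustration, not code from M&S or from the article: it correlates help-desk-initiated password resets with the logins that follow them and flags any login within a short window that comes from an IP address the account has never used before, or that completed without MFA. The event format, field names and sample records are constructed assumptions for the example, not a real log schema.

```python
from datetime import datetime, timedelta

# Constructed sample identity-audit events (assumed schema, not real logs).
# A help-desk reset for "jsmith" is followed by a login from a never-seen IP
# without MFA; "alee" does a self-service reset and logs in from a known IP.
EVENTS = [
    {"ts": "2025-04-14T08:00:00", "type": "login", "user": "alee",
     "ip": "198.51.100.4", "mfa": True},
    {"ts": "2025-04-15T09:02:10", "type": "password_reset", "user": "jsmith",
     "actor": "helpdesk", "ticket": "HD-1001"},
    {"ts": "2025-04-15T09:05:40", "type": "login", "user": "jsmith",
     "ip": "203.0.113.7", "mfa": False},
    {"ts": "2025-04-15T10:00:00", "type": "password_reset", "user": "alee",
     "actor": "self_service", "ticket": None},
    {"ts": "2025-04-15T10:01:00", "type": "login", "user": "alee",
     "ip": "198.51.100.4", "mfa": True},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def known_ips(events, user, before):
    """IP addresses the user logged in from strictly before the given time."""
    return {
        e["ip"] for e in events
        if e["type"] == "login" and e["user"] == user and parse_ts(e["ts"]) < before
    }


def find_suspicious_resets(events, window_minutes=30):
    """Flag help-desk password resets followed by a risky login in the window.

    A login is risky if it comes from an IP the account has never used before
    the reset, or if it did not complete MFA. Self-service resets are ignored
    because the user proved possession of an existing factor to perform them.
    """
    alerts = []
    resets = [e for e in events
              if e["type"] == "password_reset" and e["actor"] == "helpdesk"]
    for reset in resets:
        reset_ts = parse_ts(reset["ts"])
        prior_ips = known_ips(events, reset["user"], reset_ts)
        deadline = reset_ts + timedelta(minutes=window_minutes)
        for e in events:
            if e["type"] != "login" or e["user"] != reset["user"]:
                continue
            login_ts = parse_ts(e["ts"])
            if not (reset_ts <= login_ts <= deadline):
                continue
            reasons = []
            if e["ip"] not in prior_ips:
                reasons.append("login from IP never seen for this account")
            if not e["mfa"]:
                reasons.append("login completed without MFA")
            if reasons:
                alerts.append({
                    "user": reset["user"],
                    "ticket": reset["ticket"],
                    "reset_at": reset["ts"],
                    "login_at": e["ts"],
                    "ip": e["ip"],
                    "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(EVENTS):
        print(f"[ALERT] {alert['user']} ticket={alert['ticket']} "
              f"reset={alert['reset_at']} login={alert['login_at']} "
              f"ip={alert['ip']}: {'; '.join(alert['reasons'])}")
```

The reset ticket number is carried into the alert so that the help-desk record can be pulled and the caller's identity re-verified out of band, which is the control the article's lesson on third-party risk management points at; tightening the window or requiring MFA on the first post-reset login are the obvious policy knobs.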
