Marks & Spencer (M&S) — Retail / E-Commerce Ransomware and Data-Exfiltration Incident

Date: Late April — June 2025
Classification: Enterprise-wide ransomware/extortion intrusion causing full e-commerce shutdown and data compromise
Duration: ~6 weeks full suspension

Executive Summary

A sophisticated ransomware-as-a-service (RaaS) attack attributed to the DragonForce affiliate network crippled M&S's entire e-commerce infrastructure for six weeks, forcing the UK retail giant to suspend all online ordering, click-and-collect services, and contactless payments. The dual-extortion attack encrypted critical systems while exfiltrating millions of customer records, resulting in a £300 million operating profit impact and exposing fundamental vulnerabilities in integrated retail payment ecosystems.

Detailed Analysis

Root Cause: Malicious intrusion into central retail and payment networks, attributed to a ransomware-as-a-service affiliate (linked in media reporting to "DragonForce" or similar groups). Initial access is believed to have been gained via a remote-management service used for in-store and online-payment integration. Attackers ran dual encryption and data-theft operations across order-fulfilment, CRM, and gift-card subsystems.
UK Impact:
  • Contactless in-store payments, gift-card activation, click-and-collect, and all web/app ordering disabled from late April 2025
  • Online orders suspended ≈ six weeks; click & collect remained partly offline thereafter
  • Customer personal data stolen — names, dates of birth, addresses, emails, phone numbers, household details, and order histories; all passwords reset
  • Stock processing and returns severely delayed as backend fulfilment systems were rebuilt
  • 930+ retail stores affected with payment system limitations
Duration / Cost: ≈ six weeks' full suspension; gradual recovery through June and July 2025. Estimated £300 million operating-profit impact for FY 2025; ≈ £100 million insurance reimbursement recognised; significant temporary under-utilisation of workforce and logistics contractors.
Data Breach Scope: Millions of customer records exfiltrated, including:
  • Full names and contact details
  • Dates of birth and addresses
  • Email addresses and phone numbers
  • Household composition data
  • Complete order histories
  • Payment method metadata (cards not compromised)
Mandatory password resets issued to all online account holders.
Strategic Lesson: Illustrates that complex retail ecosystems cannot safely operate amid partial ransomware containment — M&S opted for a total service pause to preserve forensic integrity. The event highlighted the need for segregated order processing, immutable backups, and dedicated payment and fulfilment isolation. Cyber resilience was elevated to a financial-performance factor; the board mandated a multi-year security modernisation programme and real-time incident-response capability upgrades.

Timeline of Events

Mid-April 2025 - Initial access gained via remote management service vulnerability
27 April 2025, 03:00 BST - Ransomware payload deployed across retail infrastructure; encryption begins on fulfilment and payment systems
27 April 2025, 06:30 BST - M&S discovers breach; emergency shutdown of all online services and contactless payment systems
27 April 2025, 12:00 BST - Data exfiltration confirmed; ransom demand received
28 April 2025 - Public statement issued; NCSC and NCA notified; forensic investigation begins
3 May 2025 - Mandatory password reset initiated for all online customers
15 May 2025 - ICO investigation formally opened; data protection impact assessment completed
1 June 2025 - Phased restoration begins; limited click-and-collect services resume
15 June 2025 - Full online ordering capability restored with enhanced security controls
July 2025 - Complete recovery of all services; security modernisation programme announced

Key Findings

🔴 Vulnerability

Remote management service lacked proper network segmentation, allowing lateral movement from POS to backend systems

⚠️ Threat Vector

Ransomware-as-a-Service (DragonForce) using dual-extortion tactics: encryption + data theft

💥 Business Impact

£300M profit loss, 6-week service outage, millions of customer records compromised, £100M insurance claim

📚 Lesson Learned

Integrated retail systems require payment/fulfilment isolation and immutable backup strategies

Affected Services & Systems

Service                          Impact Level  Outage Duration  Recovery Status
Online Ordering (Web/App)        Critical      6 weeks          Fully Restored
Click & Collect                  Critical      6+ weeks         Fully Restored
Contactless Payments (In-Store)  Severe        4 weeks          Fully Restored
Gift Card Systems                Severe        5 weeks          Fully Restored
Order Fulfilment Backend         Critical      8 weeks          Rebuilt & Enhanced
Customer CRM Systems             Critical      6 weeks          Rebuilt & Enhanced

Recommendations

High Priority

Network Segmentation: Implement strict isolation between POS systems, online ordering, and backend fulfilment infrastructure
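The segmentation finding above (remote management reaching backend systems, lateral movement from POS) is the kind of gap that can be checked mechanically before an incident. The following is an added illustration, not code from the report or from M&S: it models zone-to-zone allow rules as a graph and asserts that POS and remote-management zones cannot reach fulfilment or CRM, directly or by chaining permitted hops. The zone names, both policies and the invariants are constructed assumptions for the example.

```python
from collections import deque

# Constructed zone model and policies (assumptions for illustration; not M&S's real network).
# Each rule is (source zone, destination zone, service): "source may initiate to destination".
FLAT_POLICY = [
    ("REMOTE_MGMT", "POS", "rdp"),
    ("REMOTE_MGMT", "FULFILMENT", "rdp"),   # remote support tool reaches the backend directly
    ("REMOTE_MGMT", "CRM", "rdp"),
    ("POS", "PAYMENT_GW", "https"),
    ("POS", "FULFILMENT", "smb"),           # store tills share files with fulfilment
    ("ONLINE_ORDERING", "FULFILMENT", "https"),
    ("ONLINE_ORDERING", "CRM", "https"),
    ("FULFILMENT", "CRM", "https"),
]

SEGMENTED_POLICY = [
    ("REMOTE_MGMT", "POS", "rdp"),          # store support only; no direct backend rules
    ("POS", "PAYMENT_GW", "https"),
    ("ONLINE_ORDERING", "FULFILMENT", "https"),
    ("ONLINE_ORDERING", "CRM", "https"),
    ("FULFILMENT", "CRM", "https"),
]

# Invariants: zones that must be unreachable (directly or through intermediate hops) from a source.
INVARIANTS = {
    "POS": {"FULFILMENT", "CRM"},
    "REMOTE_MGMT": {"FULFILMENT", "CRM"},
}


def reachable(policy, source):
    """Breadth-first search over allowed flows. Returns {zone: hop path} for every zone that
    someone controlling `source` could reach by chaining permitted connections."""
    adjacency = {}
    for src, dst, _service in policy:
        adjacency.setdefault(src, []).append(dst)
    parent = {source: None}
    queue = deque([source])
    while queue:
        zone = queue.popleft()
        for nxt in adjacency.get(zone, []):
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    paths = {}
    for zone in parent:
        if zone == source:
            continue
        path, cur = [], zone
        while cur is not None:          # walk parents back to the source
            path.append(cur)
            cur = parent[cur]
        paths[zone] = path[::-1]
    return paths


def check_policy(policy, invariants):
    """Return a sorted list of (source, forbidden destination, path) for each invariant the policy breaks."""
    violations = []
    for src, forbidden in invariants.items():
        paths = reachable(policy, src)
        for dst in forbidden:
            if dst in paths:
                violations.append((src, dst, paths[dst]))
    return sorted(violations)


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        found = check_policy(policy, INVARIANTS)
        print(f"{name}: {len(found)} violation(s)")
        for src, dst, path in found:
            print("  ", src, "->", dst, "via", " -> ".join(path))
```

The transitive check matters more than the direct one: in the flat policy there is no POS-to-CRM rule, yet CRM is still reachable from a till through fulfilment, which is exactly the hop a segmentation review that only reads rules line by line would miss. Feeding real rule exports into `FLAT_POLICY` and running the check in CI turns the recommendation into a regression test.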

High Priority

Immutable Backups: Deploy air-gapped, immutable backup systems for all critical retail and customer data with 24-hour recovery objectives

High Priority

Zero-Trust Access: Replace remote management tools with zero-trust architecture requiring MFA and just-in-time access provisioning

High Priority

Data Minimisation: Implement aggressive data retention policies to limit exposure in future breaches
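The fields the report lists as stolen (names, dates of birth, addresses, contact details, household data, full order histories) are the fields a retention policy would have limited. As an added example, not code from the report or from M&S, the block below applies a constructed retention policy to constructed customer records: orders older than the retention window are dropped, dormant accounts are reduced to a keyed email hash that still supports a suppression list, and a simple exposure count shows how many identifier fields remain. The thresholds, the HMAC key and the sample accounts are all assumptions for illustration.

```python
from datetime import date, timedelta
import hashlib
import hmac

# Constructed retention policy (assumption for illustration; the page does not state M&S's policy).
RETENTION = {
    "order_history_days": 730,     # keep only orders placed in the last two years
    "dormant_account_days": 1095,  # pseudonymise accounts with no activity for three years
}

# Placeholder key: in a real deployment this comes from a secrets store, never from source.
PSEUDONYM_KEY = b"PLACEHOLDER-ROTATE-ME"

# The direct identifiers the report lists as stolen; these are what minimisation removes.
PII_FIELDS = ("name", "dob", "address", "email", "phone", "household")


def pseudonymise_email(email):
    """Keyed hash so a suppression check is still possible but the value cannot be brute-forced
    from a list of known addresses without the key (a plain SHA-256 could be)."""
    return hmac.new(PSEUDONYM_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def minimise_account(account, today, policy=RETENTION):
    """Return a reduced copy of `account`: expired orders dropped and, if the account is dormant,
    every direct identifier removed in favour of the keyed email hash."""
    order_cutoff = today - timedelta(days=policy["order_history_days"])
    kept_orders = [o for o in account["orders"] if o["date"] >= order_cutoff]
    last_activity = max([account["last_login"]] + [o["date"] for o in account["orders"]])
    dormant = (today - last_activity).days > policy["dormant_account_days"]

    result = {"id": account["id"], "orders": kept_orders}
    if dormant:
        result["email_hash"] = pseudonymise_email(account["email"])
        result["status"] = "pseudonymised"
    else:
        for field in PII_FIELDS:
            result[field] = account[field]
        result["status"] = "active"
    return result


def pii_field_count(accounts):
    """Number of direct-identifier fields held across a dataset: the exposure if it were exfiltrated."""
    return sum(1 for acct in accounts for field in PII_FIELDS if field in acct)


def run_minimisation(accounts, today):
    return [minimise_account(acct, today) for acct in accounts]


# Constructed sample accounts (fictional data).
SAMPLE_ACCOUNTS = [
    {"id": 1, "name": "A. Example", "dob": "1980-01-01", "address": "1 Test St", "email": "a@example.test",
     "phone": "07000000001", "household": 3, "last_login": date(2025, 4, 1),
     "orders": [{"date": date(2025, 3, 10), "total": 42.0}, {"date": date(2022, 1, 5), "total": 15.5}]},
    {"id": 2, "name": "B. Example", "dob": "1975-05-05", "address": "2 Test St", "email": "b@example.test",
     "phone": "07000000002", "household": 1, "last_login": date(2021, 6, 1),
     "orders": [{"date": date(2021, 5, 1), "total": 9.99}]},
    {"id": 3, "name": "C. Example", "dob": "1990-09-09", "address": "3 Test St", "email": "c@example.test",
     "phone": "07000000003", "household": 2, "last_login": date(2024, 12, 1),
     "orders": [{"date": date(2024, 11, 20), "total": 30.0}]},
]

if __name__ == "__main__":
    today = date(2025, 4, 27)
    reduced = run_minimisation(SAMPLE_ACCOUNTS, today)
    print("PII fields before:", pii_field_count(SAMPLE_ACCOUNTS), "after:", pii_field_count(reduced))
    for acct in reduced:
        print(acct["id"], acct["status"], "orders kept:", len(acct["orders"]))
```

The exposure count is the number to track: it is what a future exfiltration would take, and a policy that only archives rather than deletes does not reduce it. Running the minimisation as a scheduled job against the live customer store, with the count reported alongside it, makes "aggressive retention" measurable rather than aspirational.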

Medium Priority

Incident Response: Establish pre-approved emergency protocols for rapid service shutdown with customer communication templates

Medium Priority

Cyber Insurance Review: Audit coverage limits and exclusions; £100M recovery vs £300M loss highlights coverage gaps

Medium Priority

Supply Chain Security: Mandate security audits for all third-party payment and logistics integrations

Regulatory Response & Compliance

ICO Investigation & GDPR Implications

  • Information Commissioner's Office (ICO) opened formal investigation May 2025
  • Potential GDPR fines: up to £17.5M or 4% of global annual turnover (whichever is greater)
  • Mandatory breach notification completed within 72 hours to ICO
  • Individual customer notifications issued within regulatory timeframe
  • Data Protection Impact Assessment (DPIA) completed and filed
  • Ongoing monitoring and reporting requirements for 12+ months
