Marks & Spencer Reopens Website Six Weeks After DragonForce/Scattered Spider Cyber-Attack—Retailer Warns of £300 m Profit Hit
Marks & Spencer (M&S) quietly reopened its clothing and home-delivery website late on Tuesday, restoring standard deliveries to England, Scotland and Wales 46 days after a “severe and highly sophisticated” cyber-attack forced the high-street stalwart offline. Delivery to Northern Ireland, click-and-collect and next-day services will follow “in the coming weeks,” the company said.
A £300 m Hole in This Year’s Profit Line
The forced shutdown, which began on 22 April and also froze contact-less payments in stores, is expected to carve about £300 m out of this year’s profit, executives told investors in May, sending the share price down by as much as 9 % at the time. Shares rebounded almost 4 % on news of the relaunch.
Two Hacker Crews—One Breach
Threat-intelligence analysts now link the breach to an alliance between DragonForce, a self-styled “ransomware cartel” that rents its malware to affiliates for a 20 % cut, and Scattered Spider, a loose community of mostly US- and UK-based social-engineering specialists notorious for last year’s $15 m extortion of MGM Resorts and Caesars Entertainment.
- DragonForce: Active since 2023, the group has relaunched on major dark-web forums in recent months, marketing “ransomware-as-a-service” kits and boasting of attacks on Co-op and other UK retailers.
- Scattered Spider: Known for SIM-swapping, IT-help-desk impersonation and multi-factor reset scams, the crew typically gains initial access through human manipulation rather than technical exploits. A 17-year-old UK member was arrested last July.
Sergey Shykevich of Check Point Software says such partnerships are becoming common: “We’re seeing alliances between big groups more and more on the dark web.”
A Taunting Ransom Demand
Four days after the breach, DragonForce emailed chief executive Stuart Machin claiming to have “encrypted all the servers” and directing him to a Tor site to negotiate. “We have marched the ways from China all the way to the UK and have mercilessly raped your company,” the message read.
M&S has not confirmed whether any ransom was paid, but cyber-forensics experts note that the retailer retained usable back-ups, allowing it to rebuild systems rather than decrypt them.
Human Error—and a Third-Party Door Left Ajar
In the annual results report, Machin blamed “human error” by a technology supplier for creating the entry point. “We didn’t leave the door open through under-investment. Everyone is vulnerable; we were unlucky on that particular day,” he said.
National Investigation Widens
The National Crime Agency’s cyber-crime unit and the National Cyber Security Centre (NCSC) are investigating whether the M&S incident is linked to parallel attacks on Co-op and Harrods. The NCSC last month warned retailers that attackers are posing as IT-service staff to coax help-desks into password and MFA resets.
Deputy Director Paul Foster of the NCA urged companies to harden verification procedures and to report incidents promptly: “Identifying the criminals responsible and bringing them to justice is a top priority.”
What Customers Need to Know
M&S says personal data—including names, email and postal addresses and dates of birth—was accessed. No payment-card details were stored on the affected systems. The retailer is contacting anyone whose data was involved and advises customers to watch for phishing emails purporting to be from M&S or other retailers.
Retail Sector in the Cross-Hairs
The breach is the latest in a string of retailer incursions that security analysts attribute to Scattered Spider and its affiliates:
Victim | Incident Window | Disruption |
---|---|---|
Co-op | Mar–Apr 2025 | Supply-chain chaos, site outage |
Harrods | Apr 2025 | Temporary e-commerce shutdown |
H&M | Jun 2025 | In-store payments offline for two hours |
The Wider Lesson
“Criminal activity online—ransomware and data-extortion in particular—is rampant,” the NCSC recently warned. “All organisations need to assume they could be next.”
For M&S shoppers, the next step is simply being able to fill a virtual basket again. For Britain’s retail sector, the priority is erecting stronger defences before the next Spider-Dragon alliance strikes.