Date: 8 May 2025
Easter weekend didn’t go as planned for Marks & Spencer - one of the UK's favourite retailers for clothes, food and more. The industry giant fell victim to a cyber attack that deeply disrupted its operations. Customers were unable to access the Click and Collect service and even contactless payments were inaccessible.
Apparently, the attack began as early as February 2025, when threat actors infiltrated the company's systems, reportedly stealing the Windows domain's NTDS.dit file—a critical component containing password hashes for all domain users. By cracking these hashes, the attackers gained unauthorised access to M&S's network, eventually deploying the DragonForce ransomware (as per experts) to encrypt virtual machines and disrupt services.
Download our Marks & Spencer Cyber Attack Timeline and Cyber Attack Visual Summary!
Thanks to the Marks and Spencer brand value and its widespread popularity globally, the cyber attack has been making headlines everyday. We’ve compiled everything we know so far in our M&S Cyber Attack Timeline.
The detailed document is accompanied by a visual summary that you can quickly go through to understand what exactly happened to your preferred clothing brand.
It’s important to note that apart from bruising the M&S reputation, this breach led to a major financial loss for the company. M&S's market value plummeted by over £700 million, and the company faced estimated losses of £40 million per week due to the attack as per Reuters.
This incident contains many telling lessons for organisations of all sizes and industries on the importance of cybersecurity readiness. Robust Cyber Incident Planning and Response can no longer be an after-thought for any business. It’s an urgent business priority for survival itself. Not just that, it’s also critical to rehearse for evolving cyber threats with professionally-conducted cyber tabletop exercises. These mock drills will give your teams the confidence they need to respond to a real cybersecurity incident. Hopefully they will be able to mitigate the damage before consequences such as those seen in the case of M&S begin to spiral.
Key Lessons for Organisations from the M&S Cyber Attack
1. Prioritise Identity and Access Management
The attackers exploited weaknesses in M&S's identity and access controls. This highlights the need for robust authentication mechanisms. Implementing multi-factor authentication (MFA) and enforcing strong password policies are non-negotiables in the current cyber threat landscape.
The M&S attack also serves as a reminder to regularly audit user access. Regular auditing of user access privileges involves periodically reviewing and verifying the access rights granted to each user. This ensures that individuals only possess the necessary permissions for their specific roles and responsibilities. Any unnecessary or excessive access should be promptly revoked to minimise the potential attack surface.
2. Enhance Employee Awareness and Training
Social engineering tactics played a role in the M&S attack. Hackers, apparently, employed social engineering tactics to deceive IT workers into resetting passwords in order to gain access to systems.
A critical layer of defence against such tactics is comprehensive and ongoing cybersecurity training for all employees. Regular cybersecurity training for employees can help them recognize and respond appropriately to suspicious activities. It's imperative to offer cybersecurity training to managers and team leaders so they can guide and advise their teams on healthy cybersecurity behaviours.
This training should equip them with the knowledge and skills to identify subtle indicators of phishing emails. Suspicious sender addresses, grammatical errors, urgent or threatening language, and requests for sensitive data are all signs employees should naturally be wary of. Employees should also be educated on how to verify the authenticity of communications and individuals before taking any action.
Regular simulated cyber drills can further reinforce learning and assess the effectiveness of the training. By fostering a security-conscious culture where employees are vigilant and empowered to report suspicious activities, you can significantly reduce your vulnerability to social engineering attacks.
3. Develop and Test Incident Response Plans
A well-defined and regularly tested incident response plan is crucial for minimising the impact of cyber attacks. Every organisation today has to prioritise having a robust cyber incident response plan. This plan should be crisp, to-the-point and fluff-free.
It should encompass the necessary steps to be taken before, during, and after a cyber incident. It must establish clear roles and responsibilities for each team member involved in the response process. When everyone knows their specific duties, execution of the response strategy becomes seamless.
Crisis communications are a critical component of effective cyber response. It's important to facilitate seamless information flow among internal teams and external stakeholders, including customers, partners, and regulatory bodies. Additionally, recovery procedures should be detailed and robust, focusing on restoring normal operations as quickly as possible while preserving data integrity and security.
To ensure that your IR plan actually holds water, test is regularly with cyber tabletop exercises. These cyber attack simulation drills test how effective your plan is and how familiar your team is with their roles and responsibilities. They allow for continuous improvement and adaptation to emerging threats. This proactive approach ensures minimal downtime and quick mitigation of potential damage from a cybersecurity incident.
4. Invest in Cybersecurity Infrastructure
The Marks & Spencer incident underscores the critical importance of ongoing and substantial investment in cybersecurity infrastructure. This includes the deployment of advanced threat detection systems that are capable of identifying and responding to potential threats in real-time. This can help prevent cyber incidents from escalating into full-blown security breaches.
Additionally, regular vulnerability assessments are essential to identify and rectify weaknesses within the system before they can be exploited by malicious actors. These assessments should be comprehensive and frequent, ensuring that all potential entry points are secured. Secure backup solutions are vital to protect data integrity and ensure business continuity in the event of a cyber attack.
By implementing these proactive measures, you can significantly enhance your ability to detect and mitigate threats. Investing in such robust cybersecurity infrastructure is not just a defensive strategy but a necessary step towards safeguarding the future of the business in an increasingly digital world.
Download our M&S Cyber Attack Timeline to Know how the incident impacted the retailer and how they responded.
Conclusion
The M&S cyberattack serves as a critical reminder of the evolving cyber threat landscape. It is becoming increasingly sophisticated and relentless and nobody is being spared.
This incident underscores the importance of implementing comprehensive cybersecurity strategies that are not only robust but also adaptive to the changing nature of cyber threats. Identity and access management has to be made a top priority. The same applies to employee training and building solid cyber incident response plans and processes. Cyber Tabletop Exercises must be a business mandate.
Further, investing in cybersecurity infrastructure, such as advanced threat detection systems and regular vulnerability assessments, is essential to identify and mitigate threats before they can cause significant harm.
Cybersecurity is no longer a luxury but a necessity in today's digital world, where the stakes are higher than ever. Read our M&S Cyber Attack Timeline to truly grasp the impact a cybersecurity breach can have on modern businesses.
