
Marks & Spencer Ransomware Attack: What We Know, What We Don’t, and Why It Matters for Every Business

Have you ever woken up to a headline announcing a major retailer was crippled by hackers—wondering, “How could this happen?” That’s the unsettling reality Marks & Spencer (M&S) faced this year, as its chairman Archie Norman publicly confirmed a ransomware attack that shook the company to its core. But did they pay the ransom? How did the attackers get in, and what does this mean for the future of cybersecurity in the UK? Let’s unpack the facts behind the M&S ransomware attack, the tough decisions made behind closed doors, and the bigger lessons every business leader—and customer—should take to heart.


The M&S Ransomware Incident: A Shockwave Through UK Retail

On July 8, 2024, Archie Norman, chairman of M&S, gave rare public testimony before the UK Parliament’s Sub-Committee on Economic Security, Arms and Export Controls. The topic? A devastating ransomware attack in April, linked to the notorious DragonForce group operating under the broader “Scattered Spider” hacking collective. It wasn’t just a technical breach—it was an existential threat to one of Britain’s most beloved retailers.

Norman’s candour pulled back the curtain on a world few outside of cybersecurity ever see. He described the experience as like “nothing he had ever experienced in years working in business and retail.” Imagine running a company with 50,000 staff, only to have cybercriminals suddenly threaten your ability to serve customers—potentially destroying decades of brand trust overnight.


Who Was Behind the M&S Ransomware Attack? Inside DragonForce and Scattered Spider

Let’s start with the basics: who are these attackers? The breach was traced to DragonForce, a ransomware group that works in tandem with “loosely aligned” threat actors, notably the infamous Scattered Spider collective. This isn’t the first high-profile hack attributed to them—recent months have seen attacks on other British institutions, including Co-op and Harrods.

DragonForce is known for sophisticated tactics, often leveraging social engineering—tricking people, not just technology. According to reports (see The Record’s coverage on Scattered Spider), the attackers gained access to M&S networks through compromised credentials from Tata Consultancy Services (TCS), a major IT outsourcing partner. In other words, this wasn’t about a single unlocked door—it was about finding the weak link in a global supply chain.

“It’s very rare to have a criminal actor…seeking to stop customers shopping at M&S—essentially trying to destroy your business for purposes that are not entirely clear but partly undoubtedly ransom and extortion.”
— Archie Norman, M&S Chairman


How Hackers Infiltrated M&S: A Masterclass in Social Engineering

You might picture hackers as shadowy figures hammering away at code. But the reality is often more human—and more unsettling. Here’s roughly how the attack unfolded:

  1. Compromised Outsourced Credentials: Attackers obtained login info from a third-party supplier—specifically, TCS.
  2. Wide Attack Surface: With 50,000 staff, contractors, and legacy systems, M&S presented multiple entry points.
  3. Social Engineering: Instead of brute force, the attackers used psychological manipulation—phishing, spear phishing, or similar methods—to trick employees into granting access.
  4. Lateral Movement: Once inside, hackers moved from system to system, exploiting the lack of segmentation in legacy IT infrastructure.
  5. System Shutdowns: In a bid to contain the attack, M&S had to shut down significant parts of its network—crippling online shopping and core business functions.

Here’s why that matters: No business is an island. Even the best internal security can be undermined if a vendor or partner is compromised. This is a wake-up call for anyone relying on outsourced IT or cloud services.


Ransom Demands and the Question No One Will Answer

True to the script of a high-stakes thriller, the attackers didn’t even contact M&S directly until a week after first gaining access. By then, Norman and his team had already shut down systems to stem the bleeding.

So, did M&S pay the ransom? That’s the million-pound question. When pressed by Parliament, Norman declined to answer directly. Instead, he described it as a “business decision,” noting:

“Once your systems are compromised you have to rebuild anyway. Maybe they’ve exfiltrated data you don’t want published, but in our case, substantially the damage had been done.”

This is crucial. Paying a ransom isn’t a simple fix. Even if you hand over the money, there’s no guarantee you’ll get your data back—or that it won’t be sold or leaked anyway. And publicly admitting to a payment can attract more attacks.

Why companies hesitate to admit ransom payments:

  • Reputational risk: Admitting payment may appear weak, embolden attackers, and shake customer trust.
  • Legal grey areas: In some cases, ransom payments could violate sanctions or regulations.
  • No guarantees: Paying doesn’t always restore systems or prevent data leaks.

This dilemma is at the heart of the cyber-extortion epidemic. And it’s one reason so many attacks go unreported, as Norman candidly acknowledged.


The Fallout: Business Impact and System Shutdowns

The M&S ransomware attack wasn’t just an IT problem—it was a full-blown business crisis. To stop the attackers moving further through their systems, M&S made the difficult call to shut down large portions of its IT infrastructure. The result?

  • Online shopping severely disrupted
  • Critical business processes paused
  • Major operational and financial impact

Norman admitted that M&S’s legacy systems made segmentation difficult, so isolating the breach meant widespread shutdowns. By contrast, competitors with more modern, segmented networks—like Co-op—were able to limit the blast radius.

The key takeaway here? System segmentation isn’t just technical jargon—it’s the difference between a bad day and a business disaster.


Compare and Contrast: How Co-op Weathered a Similar Storm

Just days after the M&S breach, Co-op was also attacked by the same group. Yet their story played out differently.

What did Co-op do right?

  • Heavily segmented systems: Only a specific zone was affected.
  • Online business and payment systems remained operational.
  • Limited data breach: Attackers accessed some member details (names, addresses, dates of birth), but not financial data.

Robert Elsey, Co-op’s Chief Digital and Information Officer, explained that “segregation” was their saving grace. Their experience shows how modern IT architecture can contain damage and keep customers safe—even when attackers breach the perimeter.

Here’s the lesson: Investing in modern, segmented systems pays off—not just for security, but for business resilience.
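To make the segmentation lesson from the M&S and Co-op comparison concrete, here is an added example (not code from the article or from either company) that models a compromised third-party account hopping through a small constructed estate under a flat legacy policy versus an enforced zone policy. System names, zones and the two policies are all invented for illustration; the point is the difference in how many systems, and which sensitive ones, the same starting credential can reach.

```python
"""Blast-radius model: flat legacy network vs. segmented network.

Constructed example. A compromised vendor account is the starting point,
and reachability is computed only along zone-to-zone flows the network
actually allows, which is what segmentation changes.
"""
from collections import deque

# Constructed inventory: system -> zone (illustrative names only).
ZONE_OF = {
    "vendor-vpn": "vendor",
    "it-jumphost": "corp",
    "hr-db": "corp",
    "legacy-erp": "corp",
    "store-pos": "retail",
    "web-shop": "ecom",
    "payments": "payments",
}
# Systems whose exposure matters most (customer PII and card processing).
SENSITIVE = {"hr-db", "payments", "web-shop"}

ZONES = set(ZONE_OF.values())
# Flat legacy estate: every zone can reach every other zone.
FLAT_POLICY = {z: set(ZONES) for z in ZONES}
# Segmented estate: vendor access stops at the corporate zone; e-commerce
# and payments are isolated from everything else.
SEGMENTED_POLICY = {
    "vendor": {"vendor", "corp"},
    "corp": {"corp", "retail"},
    "retail": {"retail"},
    "ecom": {"ecom"},
    "payments": {"payments"},
}


def blast_radius(start, policy):
    """Return every system reachable from `start` via allowed zone flows."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        allowed = policy.get(ZONE_OF[src], set())
        for dst, dst_zone in ZONE_OF.items():
            if dst not in seen and dst_zone in allowed:
                seen.add(dst)
                queue.append(dst)
    return seen


def exposed_assets(start, policy):
    """Sensitive systems inside the blast radius of a compromise at `start`."""
    return SENSITIVE & blast_radius(start, policy)


if __name__ == "__main__":
    for name, pol in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        reach = blast_radius("vendor-vpn", pol)
        print(f"{name:9s}: {len(reach)}/{len(ZONE_OF)} systems reachable, "
              f"sensitive exposed: {sorted(exposed_assets('vendor-vpn', pol))}")
```

Run against a real estate, the same check is an audit of what a vendor credential can reach; in the constructed data the segmented policy still exposes the corporate PII store but keeps payments and the web shop out of reach, which mirrors the Co-op outcome described above.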


Communication and Crisis Management: M&S’s Unusual Ordeal

One of the most surreal aspects of the M&S attack? Much of the negotiation happened through the media, not direct channels. In Norman’s words:

“It was sometimes an unusual experience to be brushing your teeth in the morning when somebody comes onto the BBC with a communication from the people allegedly attacking our business.”

That’s not just a bizarre anecdote—it highlights how ransomware groups are evolving. By using the media, attackers ramp up pressure on companies, aiming to force their hand publicly.

M&S made a strategic decision not to communicate directly with the attackers, instead relying on professional intermediaries. This approach is increasingly common, as direct negotiation can be fraught with risk and complexity.


The Bigger Picture: Underreporting of Cyber Attacks in the UK

Perhaps the most worrying revelation from Norman’s testimony was this: many major ransomware incidents in the UK still go unreported.

“We have reason to believe that two major cyber-attacks on two large British companies in the last four months have gone unreported…That’s a big deficit in our knowledge.”

Why does this matter? If businesses hide attacks, regulators, law enforcement, and even other companies miss critical intelligence about threats. That means slower responses, more victims, and emboldened criminals.

Norman advocated for mandatory reporting of “material” cybersecurity incidents—following the lead of the US and EU. Transparency helps everyone fight back.

For more on current UK guidance, see the National Cyber Security Centre’s recommendations.


What Every Business Can Learn from the M&S and Co-op Attacks

So, what does this all mean for you—whether you’re a business leader, IT professional, or just a concerned customer?

Here are the core lessons:

  • People are the weakest link. Social engineering attacks exploit human error, not just technical flaws.
  • Third-party risk is real. Your data is only as safe as your least secure supplier or partner.
  • System segmentation is essential. The more your critical systems are isolated, the less damage an attacker can do.
  • Prepare for the worst. Have incident response plans, crisis communications guidelines, and backups ready.
  • Transparency is a duty. Reporting attacks helps protect the wider business community.

Let’s break it down with actionable steps:

1. Invest in Cybersecurity Awareness Training

Make sure every staff member can spot phishing and social engineering attempts. Regular drills and updates are key.

2. Audit and Segment Your Systems

Review your IT infrastructure. Isolate critical systems wherever possible, and limit the access vendors and third parties have.

3. Build Relationships with Security Experts

Have a trusted network of incident response professionals, legal advisers, and communication experts before a crisis hits.

4. Develop Transparent Reporting Processes

Prepare to work with authorities like the NCSC and law enforcement. The sooner you report, the faster you can get help—and help others.

5. Secure Your Supply Chain

Demand high security standards from your vendors and partners. Regular audits and contractual requirements can help close gaps.


Why This Matters for Customers

As a customer, you might wonder: “Am I at risk?” In the case of M&S and Co-op, sensitive payment data wasn’t compromised—but names, addresses, and dates of birth were.

If you receive notifications about data breaches:

  • Change your passwords.
  • Enable two-factor authentication.
  • Monitor your accounts for suspicious activity.

And remember: companies are getting better at defense, but cybercrime is evolving just as fast. Your vigilance is part of the solution.


FAQ: Answers to Common Questions About the M&S Ransomware Attack

Was customer payment data stolen in the M&S ransomware attack?
No. According to public statements, the damage was mostly to business operations. Co-op reported some member data (names, addresses, dates of birth) was accessed, but payment information was not compromised.

Did M&S pay the ransom to the attackers?
M&S chairman Archie Norman declined to confirm or deny whether a ransom was paid, citing it as a “business decision.” This is common practice, as admitting payment can have legal and reputational consequences.

Who is DragonForce and what do they want?
DragonForce is a ransomware group tied to Scattered Spider, known for targeting large organizations and demanding ransom payments to restore access or prevent data leaks. Their motives are primarily financial.

How did the attackers get into M&S systems?
Attackers used compromised credentials from Tata Consultancy Services (TCS), an IT outsourcing partner, and leveraged social engineering techniques to infiltrate the network.

Could this happen to other UK retailers?
Absolutely. The attack surface for large retailers is broad, especially when legacy systems and third-party vendors are involved. That’s why robust cybersecurity and incident response plans are essential.

Is ransomware payment legal in the UK?
There is no specific law banning payment, but it’s a legal grey area—especially if the recipient is tied to sanctioned entities. Companies should seek legal counsel before considering payment.

Where can I learn more about protecting my business from ransomware?
Visit the National Cyber Security Centre’s ransomware guidance for up-to-date, authoritative resources.


Final Takeaway: Cyber Resilience is Everyone’s Business

The M&S ransomware ordeal isn’t just a headline—it’s a blueprint for the risks facing every business in the digital age. From social engineering exploits to tough choices on ransom payments and the critical need for system segmentation, the attack offers hard-won lessons for organizations of all sizes.

If there’s one thing this saga proves, it’s that cybersecurity is not just an IT problem—it’s a business imperative. Whether you’re an executive, an IT manager, or a customer, stay informed, stay vigilant, and demand transparency from the companies you trust.

Want more insights on cybersecurity and digital risk? Subscribe to our newsletter and stay one step ahead of the latest threats.


If you found this article helpful, share it with a colleague or friend who cares about digital safety. Together, we can build a safer, smarter business community—one lesson at a time.
