Pierluigi Paganini
May 13, 2025
In April, Marks and Spencer Group plc (M&S) announced it had been managing a cyber incident in recent days with the help of external cyber security experts. Customers report outages affecting card payments, gift cards, and M&S’s Click and Collect service across electronic payment systems.
“Marks and Spencer Group plc (the Company, or M&S) has been managing a cyber incident over the past few days. As soon as we became aware of the incident, it was necessary to make some minor, temporary changes to our store operations to protect customers and the business and we are sorry for any inconvenience experienced. Importantly, our stores remain open and our website and app are operating as normal.” reads the Cyber Incident Update published on the London Stock Exchange.
“The Company has engaged external cyber security experts to assist with investigating and managing the incident.”
The company immediately reported the incident to the relevant data protection supervisory authorities and the National Cyber Security Centre. The company did not share technical details about the attack.
M&S is a major British multinational retailer headquartered in London. Founded in 1884, it’s best known for selling clothing and home goods and food products. It is listed on the London Stock Exchange (LSE) and is a constituent of the FTSE 100 Index.
The company operates both physical stores and online services, with a strong presence in the UK and some international markets. It’s a household name in the UK, often associated with tradition, quality, and British heritage.
The DragonForce group claimed the attack on M&S and Co-op, and told the BBC that they have attempted to hack Harrods.
BleepingComputer reported that DragonForce ransomware affiliates used Scattered Spider social engineering tactics to target Marks and Spencer. The attackers encrypted VMware ESXi virtual machines used by the company.
This week, a cyber update published by the company on its website confirmed the data breach:
“To proactively manage the incident, we immediately took steps to protect our systems and engaged leading cyber security experts. We also reported the incident to relevant government authorities and law enforcement, who we continue to work closely with.” reads the update.
“Unfortunately, the nature of the incident means that some personal customer data has been taken, but there is no evidence that it has been shared. The personal data could include contact details, date of birth and online order history. However, importantly, the data does not include useable card or payment details, and it also does not include any account passwords.”
The stolen M&S data may include contact info, birthdate, order history, household data, and masked card details, but not full payment info. Some customer reference numbers from M&S credit cards or Sparks Pay may also be affected. No action is required, but customers should be cautious of potential phishing attempts, as M&S will never request personal account info.
“The personal data taken could include contact details – such as name, email address, addresses, telephone number – date of birth, online order history, household information and ‘masked’ payment card details used for online purchases. For clarity and reassurance, M&S does not hold full payment card details on its systems, which is why we use the term ‘masked’.” states the company.
“In addition, if you have or previously had an M&S credit card or Sparks Pay, your customer reference numbers, which are not your credit card number or payment details, could also be included. Importantly, the data does not include useable card or payment details.”
M&S stated there’s no evidence the data was shared or included payment info or passwords, but customers will still be prompted to reset their passwords on next login.
The company recommends being cautious with unexpected emails or texts, using strong and unique passwords for each account, keeping devices updated with the latest security patches, and visiting the UK National Cyber Security Centre website for more guidance on data breaches.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, M&S)
