M&S Data Breach Exposes Customer Information

by William
Cyber Security Matters. Spread the Word.

Marks and Spencer has confirmed that customer personal data was stolen during a cyber attack that began in April 2025. The M&S Data Breach compromised names, addresses, contact details, dates of birth, and online purchase histories of customers. This incident has cost the company over £1 billion in market value and continues to disrupt operations.

The Attack Timeline and Impact

The M&S data breach began as early as February 2025, when threat actors first gained access to the company’s systems. Hackers reportedly stole the Windows domain’s NTDS.dit file, the Active Directory database that contains password hashes for all domain users. Possession of this file gave attackers the keys to M&S’s network infrastructure.

The attack became public on April 22, when M&S first acknowledged a “cyber incident” to the London Stock Exchange. Since April 25, the retailer has been forced to:

  • Suspend all online orders
  • Limit Click & Collect services
  • Take payment systems offline
  • Restrict stock deliveries to stores
  • Pause job applications on its website

CEO Stuart Machin confirmed the data breach on May 13, stating: “Unfortunately, some personal customer data has been taken. Importantly, the data does not include usable payment or card details, which we do not hold on our systems, and it does not include any account passwords.”

Who Is Behind the Attack?

Security experts have linked the attack to two notorious hacking groups:

  1. Scattered Spider: A loose collection of English-speaking hackers known for sophisticated social engineering tactics. The group consists of approximately 1,000 young men and teenagers from the UK and US.
  2. DragonForce: A ransomware cartel that provides malware and infrastructure to other hackers through an affiliate program.

The attack shows the hallmarks of Scattered Spider’s tactics while using DragonForce’s ransomware to encrypt M&S’s virtual machines, a combination that makes it particularly dangerous.

Financial Impact and Response

The cyber attack has dealt a severe financial blow to M&S:

  • Over £1 billion wiped from market value
  • Share price down more than 15% since Easter weekend
  • Estimated losses of £15 million in profits weekly
  • Potential cyber insurance claims of up to £100 million

Deutsche Bank estimates the total financial impact could reach £30 million and counting. The company has engaged multiple security firms to help contain the breach, including CrowdStrike, Microsoft, and Fenix24.

What Information Was Compromised?

According to M&S, the stolen data includes:

  • Customer names
  • Email addresses
  • Physical addresses
  • Phone numbers
  • Dates of birth
  • Household details
  • Online purchase histories

The company has stressed that no payment card details or account passwords were compromised. However, as a precaution, M&S is forcing password resets for all online accounts.

How to Protect Yourself

If you are an M&S customer, take these steps to safeguard your information:

  1. Reset your M&S account password and use a unique, strong password
  2. Enable multi-factor authentication where available
  3. Be vigilant for phishing attempts claiming to be from M&S
  4. Verify all communications by contacting M&S directly through official channels
  5. Monitor your accounts for suspicious activity
  6. Do not click on links in emails or messages claiming to be related to the breach

As operations director Jayne Wall advised customers: “You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious.”

Broader UK Retail Cyber Attacks

The M&S breach is part of a larger cyber attack campaign targeting UK retailers. Both Co-op and Harrods have recently suffered similar attacks, suggesting a coordinated effort against the UK retail sector.

The National Crime Agency, Metropolitan Police, and National Cyber Security Centre are investigating all three incidents. Google security analysts warn that US retailers may be targeted next.

John Hultquist, a threat analyst at Google’s cybersecurity division, stated: “The actors are aggressive, creative, and particularly effective at circumventing mature security programs.”

Lessons for Organisations

The M&S breach highlights several critical security vulnerabilities that all organisations should address:

  1. Strengthen identity and access management: Implement robust authentication mechanisms and regularly audit user access privileges.
  2. Enhance employee awareness: Train staff to recognise social engineering tactics and phishing attempts.
  3. Develop incident response plans: Create and test comprehensive plans for responding to cyber attacks.
  4. Invest in security infrastructure: Deploy advanced threat detection systems and conduct regular vulnerability assessments.

Organisations should view the M&S attack as a wake-up call to review their own security posture and implement more robust cyber security testing.

Frequently Asked Questions

What customer data was stolen in the M&S data breach?

The compromised data includes customer names, birth dates, residential and email addresses, phone numbers, household details, and online purchase histories. No payment card details or account passwords were exposed in the breach.

How did hackers gain access to M&S systems?

The M&S Data Breach began as early as February 2025, when threat actors infiltrated the company’s systems and reportedly stole the Windows domain’s NTDS.dit file—a critical component containing password hashes for all domain users. By cracking these hashes, the attackers gained unauthorised access to M&S’s network.

What is the financial impact of the M&S cyber attack?

The breach has wiped over £1 billion off M&S’s market value. Deutsche Bank estimates the crisis is costing M&S around £15 million in lost profits each week, with a total hit of £30 million and counting. Shares have plunged over 12 per cent since the breach was disclosed.

Are M&S stores still open despite the cyber attack?

Yes, M&S physical stores remain open. However, some locations have reported issues with product availability, inventory management, and payment systems. The company is working to normalise operations while addressing the cyber security incident.

What should I do if I’m an M&S customer?

If you’re an M&S customer, reset your password the next time you log in to your account. Remain vigilant for phishing attempts claiming to be from M&S. Do not click on suspicious links or provide personal information to unverified sources. Monitor your accounts for any unusual activity.

Who is responsible for the M&S cyber attack?

Responsibility for the attack has been claimed by the DragonForce ransomware cartel, a group which runs a cybercrime affiliate programme. However, the tactics used bear hallmarks of the notorious English-speaking hacking gang known as Scattered Spider, which has been linked to past attacks on major firms including MGM Resorts and Caesars Entertainment.

Glossary of Technical Terms

Ransomware: Malicious software that encrypts a victim’s files, with attackers demanding payment to restore access.

NTDS.dit file: The primary database for Active Directory in Windows, containing user account information and password hashes.

Social Engineering: Psychological manipulation techniques used to trick people into revealing sensitive information or performing actions that compromise security.

Phishing: Fraudulent attempts to obtain sensitive information by posing as a trustworthy entity in electronic communications.

Password Hash: A transformed version of a password stored in a system’s database instead of the actual password.

Multi-Factor Authentication (MFA): A security system that requires more than one method of authentication to verify a user’s identity.

Protect Your Business with Professional Security Testing

The M&S data breach demonstrates that even major corporations with significant resources remain vulnerable to cyber attacks. To protect your organisation from similar threats, consider engaging with professional penetration testing companies that can identify and address vulnerabilities before attackers exploit them.

Aardwolf Security offers comprehensive security testing services, including:

Our expert team can help your organisation identify weaknesses in your security posture and develop effective strategies to mitigate risks. Don’t wait until after a breach to take action.

Contact Aardwolf Security today to discuss how we can help protect your business from evolving cyber threats.

