£324M Vanishes: M&S Under Siege by Hackers

A,Hacker,Or,Cracker,Tries,To,Hack,A,Security,System

Major UK retailers crippled by coordinated ransomware attacks signal a global cyber “tipping point” that demands stronger defenses against foreign hackers preying on Western vulnerabilities.

Story Snapshot

Scattered Spider hacking collective targeted M&S, Harrods, and Co-op in spring 2025, causing £324M in losses for M&S alone.
M&S offline for 46 days, forcing manual operations and exposing supply chain weaknesses exploited by social engineering.
NCC Group CEO warns 2025 marks escalation with AI-driven threats ahead, not a one-off peak.
Millions of customers’ data stolen, highlighting retail sector’s systemic risks in interconnected digital infrastructure.

Coordinated Attacks Cripple Major Retailers

Scattered Spider hackers struck Marks & Spencer (M&S) over Easter weekend 2025, causing contactless payment failures and Click & Collect outages. The group deployed DragonForce ransomware, entering via compromised third-party vendor credentials. M&S suspended all online orders on April 25 after assessing the breach. By May 13, the company confirmed theft of customer names, contacts, and birthdates, but no full card details or passwords. Harrods contained its attack by May 3 with no data loss. The Co-operative Group suffered theft of all 6.5 million members’ data. These incidents within weeks exposed coordinated targeting of UK retail giants.

Operational Chaos and Massive Financial Losses

M&S endured 46 days without online clothing orders until June 10, reverting to pen-and-paper inventory in 1,400 stores. Employees manually checked fridge temperatures as food halls ran low and loyalty programs failed. The breach erased £324 million in sales, offset partially by £100 million insurance recovery. Contactless payments halted across stores, degrading customer service nationwide. Harrods maintained operations despite the attempt, but the Co-op faced ongoing fallout from its massive data breach. Law enforcement pinned Scattered Spider as the prime suspect, noting their phishing kit evolutions hosted on Cloudflare.

Supply chain compromises proved the key entry point, bypassing multi-factor authentication through credential theft rather than technical hacks. M&S CEO Stuart Machin detailed the scope in an open letter, emphasizing stolen personal data impacted millions. This operational paralysis underscores how ransomware now disrupts physical retail, not just digital theft.

Expert Warning: 2025 as Cyber Tipping Point

NCC Group CEO Mike Maddison declared 2025 a “tipping point” after recording 590 ransomware incidents in January and 886 in February. He stated cyber risk now intertwines directly with economic stability, predicting AI will supercharge phishing and vulnerability scans. Supply chains remain prime targets due to their complexity, amplifying ransom pressures. Maddison urged retailers to rethink security beyond current postures. The UK National Cyber Security Centre coordinated responses as breaches hit critical infrastructure.

Long-Term Threats to Economic Stability

These attacks reveal even well-resourced firms like M&S lack defenses against evolving threats like Scattered Spider. Global ransomware surged in early 2025, part of a trend since DragonForce emerged in late 2023. Retail’s reliance on shared vendors creates cascading risks across sectors. Expect regulatory scrutiny, higher insurance premiums, and eroded consumer trust in digital payments. As President Trump prioritizes American cybersecurity against foreign adversaries, these UK failures warn of similar vulnerabilities here. Common-sense fortifications, stronger vendor vetting and AI defenses, must counter government overreach in regulation while protecting free enterprise.

Cyber attacks ‘tipping point’ warning issued after Harrods and M&S targeted https://t.co/3znEutWzMb pic.twitter.com/mCmc0TxgZW

— The Independent (@Independent) December 29, 2025

Broader implications include shifts to cash transactions amid data fears, hitting 65,000 M&S staff with manual workloads. Industry leaders now reassess multi-factor enforcement and incident plans. Without action, economic disruptions will mount, echoing frustrations with weak past policies that left borders and networks exposed.