M&S’s Cyber Incident: What Do We Know So Far?

Execs from Closed Door Security, Immersive and EclecticIQ uncover the impact M&S’s cyber incident has had

Cyber incidents at large stores highlight the severe financial impacts cybercrime can have, ranging from regulatory fines and legal costs to lost revenue and customer churn. 

As attackers begin to utilise more sophisticated techniques like ransomware and supply chain attacks, businesses must continually update and adapt their defences to maintain their competitive advantage.

Throughout Easter Weekend, M&S customers first experienced difficulties with contactless payments and click-and-collect services.

On 22 April, the retail company confirmed it was experiencing a ‘cyber incident’.

Since then, M&S has faced an abundance of financial and reputational challenges, with its shares falling nearly 10% over the past week. 

The exact nature of the incident is yet to be reported.

In a statement on Instagram on 22 April, Stuart Machin, CEO of M&S, explained: “To protect you and the business, it was necessary to temporarily make some small changes to our store operations, and I am sincerely sorry if you experienced any inconvenience.

“Importantly, our stores are still open, and our website and app are operating as normal. There is no need for you to take any action at this time, and if the situation changes, we will let you know.

“We have been working hard with the best experts to manage this, and I want to thank them and my colleagues for their hard work.”

Here, Cyber Magazine uncovers all we know about M&S’s cyber incident so far.

Updates on customers and operations

After M&S confirmed it was experiencing a ‘cyber incident’, the retailer made a further update on 23 April, stating it was not “currently processing contactless payments, we have paused the collection of Click & Collect orders in stores, and there may be some delay to online order delivery times.”

It also took some of its processes offline.

William Wright, CEO of Closed Door Security, explains: "This latest update highlights that the incident is now having a material impact, with all online and app sales being paused. 

“This will create a huge inconvenience for customers and will also significantly impact M&S financially. 

“Data shows that almost a quarter of the store's sales happen online, so no matter how long this pause is put in place, it will hurt M&S financially.”

In M&S’s latest published financial results, approximately a third of its household and clothing goods sales in the UK were via online platforms. These sales were worth £1.268bn (US$1.7bn).

James Hadley, Founder and Chief Innovation Officer at Immersive, explains: "Data breaches like the one M&S experienced are not unique. While M&S communicated the issue clearly and has likely invoked tried and tested incident response processes, attacks like these serve as important reminders that businesses' perception of their cyber resilience may not align with their actual capabilities.

“No matter how big or small, breaches have the potential to damage an organisation's bottom line, making frequent cyber drills essential to limiting their impact.

"As the threat landscape continues to evolve, offering realistic crisis simulations is necessary to instil confidence in business leaders and give them the proof they need to better understand their organisation's cyber capabilities and shortcomings.”

On 25 April, M&S decided to cease taking orders on its apps and websites. Customers could still browse products online. 

After the firm stated it would refund orders placed by customers on Friday (25 April), its shares fell by 5%. They later recovered.

On 28 April, Sky News reported that approximately 200 agency workers were told not to come to work at M&S’s Castle Donington logistics centre for clothing and homewares. 

The Times has also reported that M&S has prevented remote-working employees from accessing some of its internal IT systems. 

Arda Büyükkaya, Senior Threat Intelligence Analyst at EclecticIQ, explains: “The ongoing fallout from the M&S cyberattack, with remote staff locked out of systems, customer services disrupted and a knock-on impact on its share price, is a stark reminder of how quickly a cyber incident can escalate into an operational and financial crisis.

“While the exact nature of the cyberattack still remains under investigation, such incidents in the retail sector are often linked to ransomware campaigns, DDoS attacks targeting customer-facing services, or compromises within the supply chain.

"Initial access is frequently achieved through targeted phishing campaigns aimed at employees, exploitation of vulnerabilities in unpatched public-facing applications, or the compromise of third-party vendor credentials. [...

“Retailers remain attractive targets because of the pressure to maintain continuity and the rich stores of sensitive data they hold. The M&S incident serves as a clear warning that cybersecurity resilience must now be treated as a core operational priority, not an IT problem.”

Potential ransomware

According to sources from BleepingComputer, Scattered Spider is said to be behind M&S's ongoing cyber incident.

The publication also found that this disruption is the result of a ransomware attack. However, M&S itself has yet to confirm this.

Scattered Spider was also responsible for the attack on the MGM Las Vegas hotels in 2023.

Robert McArdle, Director, Forward Threat Research, Trend Micro, explains: “Scattered Spider is not a group that is organised in the manner of traditional Ransomware groups we associate with Russian-speaking Cybercrime. They are a much more loosely connected network of individuals who assemble together for individual attacks and resemble the structure of Hacktivist groups like past activity of Anonymous.

"Scattered Spider has routinely targeted retail providers – as shown by the domain names registered by the group for use in phishing campaign efforts – so targeting M&S would be ‘on-brand’.

“Scattered Spider stands out in the techniques it uses to attack organisations. Drawing on deep Social Engineering expertise, it leverages helpdesk & phone-based social engineering, where malicious attackers pose as staff to trick an organisation’s IT department into resetting MFA or pushing password resets, and SIM-swapping & MFA fatigue, where malicious actors hijack SMS or push prompts and spam them until users accept an access request and let hackers into networks."
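The MFA fatigue pattern described above (a burst of push prompts that ends in an approval) can be hunted for in authentication logs, as can a helpdesk MFA reset that is quickly followed by a new device enrolment. The Python below is an added example, not code from the article or from any of the vendors quoted; the event names, thresholds and sample log lines are constructed assumptions rather than a real identity provider's schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, event). Event names are assumptions.
SAMPLE_EVENTS = [
    ("2025-04-20T02:10:05", "alice", "push_denied"),
    ("2025-04-20T02:10:40", "alice", "push_timeout"),
    ("2025-04-20T02:11:15", "alice", "push_denied"),
    ("2025-04-20T02:11:50", "alice", "push_timeout"),
    ("2025-04-20T02:12:30", "alice", "push_approved"),  # approval after a burst
    ("2025-04-20T09:00:00", "bob", "push_denied"),      # single mistap
    ("2025-04-20T09:00:20", "bob", "push_approved"),
    ("2025-04-20T11:00:00", "carol", "helpdesk_mfa_reset"),
    ("2025-04-20T11:20:00", "carol", "new_device_enrolled"),
]

FAILED = {"push_denied", "push_timeout"}

def detect(events, window=timedelta(minutes=10), min_failed=3,
           reset_window=timedelta(hours=1)):
    """Return sorted (user, rule) alerts for the two patterns."""
    recent_failed = defaultdict(deque)  # user -> timestamps of failed prompts
    last_reset = {}                     # user -> time of last helpdesk MFA reset
    alerts = set()
    for ts_str, user, event in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        q = recent_failed[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if event in FAILED:
            q.append(ts)
        elif event == "push_approved":
            if len(q) >= min_failed:     # user gave in after repeated prompts
                alerts.add((user, "mfa_fatigue_then_approval"))
            q.clear()
        elif event == "helpdesk_mfa_reset":
            last_reset[user] = ts
        elif event == "new_device_enrolled":
            if user in last_reset and ts - last_reset[user] <= reset_window:
                alerts.add((user, "enrolment_after_helpdesk_reset"))
    return sorted(alerts)

if __name__ == "__main__":
    for user, rule in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {user}")
```
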

The disruption continues, with M&S struggling with lost sales, empty shelves in stores and a lower share price. 

