Enhance Systems

Tech Insight: How Marks & Spencer Was Brought To A Standstill

In this Tech Insight, we look at how a major ransomware attack on M&S could happen, who was behind it, how it caused such widespread disruption, and what it means for the company, its customers, and the wider UK retail sector.

What Happened and When?

To help understand how the cyber attack on Marks & Spencer unfolded, here’s a timeline of events from early disruption to the continuing impact on customers, stores, and services:

– 29–31 March. Customers across the UK reported issues with contactless payments and Click & Collect services in M&S stores. At the time, the problems appeared to be routine glitches.

– Early April. M&S confirmed it was dealing with a “cyber incident” and took key internal systems offline to contain the disruption.

– Friday 26 April. M&S suspended all online orders via its website and mobile apps as the situation escalated. Some stores began to report empty shelves. Food halls displayed signs blaming “technical issues” for limited product availability.

– End of April. Further disruption affected in-store services. Gift cards could not be used, food store returns were unavailable, and job applications were taken offline. Speculation grew over the cause and scale of the incident.

– By 2 May. Online shopping remained unavailable with no clear restoration timeline. In-store issues continued, and M&S had yet to confirm when normal operations would resume.

What Kind of Attack, and by Whom?

Cybersecurity researchers and law enforcement sources have since confirmed the incident was a ransomware attack, i.e. a form of cybercrime where attackers encrypt a company’s systems and demand a ransom in exchange for a decryption key.

The group thought to be behind the attack is a loose, English-speaking collective known as Scattered Spider (also known in some circles as Octo Tempest). The group has gained notoriety for previous high-profile hits, including on MGM Resorts and Caesars Entertainment in the US.

Different

It seems, however, that Scattered Spider operates differently from many of the more traditional ransomware gangs linked to Russia or Eastern Europe. For example, their tactics are sophisticated and often rely on “social engineering”, i.e. impersonating staff over the phone or via email, bypassing security by tricking help desks and IT teams into granting access. In some cases, they’ve used phishing, SIM-swapping, or multi-factor authentication fatigue techniques to break in.

Gained Access In February?

In M&S’s case, some reports suggest the attackers may have gained access as early as February, exfiltrating data before deploying the ransomware payload using malware linked to another group known as DragonForce. The malware encrypted access to vital servers, triggering the cascade of outages that followed.

Was It a Direct Hit, Or Through a Supplier?

One mystery that remains unresolved, however, is how the attackers actually gained entry in the first place. While M&S has not disclosed technical details, some industry insiders have suggested the compromise may have originated through a third-party supplier, a growing concern in the age of interconnected cloud platforms and shared vendor infrastructure.

This would be consistent with previous Scattered Spider campaigns, where attackers exploited weaknesses in identity management systems like Okta or Microsoft Entra, or leveraged supplier access to leapfrog into target systems.

What’s the Damage So Far?

The fallout from the attack has been both operational and financial. Estimates of the damage caused include:

– £3.8 million in daily online sales lost. M&S’s e-commerce arm reportedly takes in nearly £4 million a day, all of which has ground to a halt.

– Over £500 million wiped from its stock market value. Uncertainty over the scale and duration of the attack spooked investors.

– Empty shelves and store disruption. Particularly in food halls, where logistics and supply chain systems were knocked offline.

– Job ads pulled and staff sent home. Over 200 vacancies vanished from the M&S careers page, and some warehouse workers were told not to come in due to low volume.

Beyond the financial hit, the reputational cost could, of course, be much worse. For example, customers expecting digital convenience, seamless returns, and reliable stock levels have been met with error messages and handwritten signs. For a retailer that prides itself on trust and quality, the breach has struck at the heart of the brand.

Harrods and Co-op Too

Worryingly for the retail sector, M&S isn’t alone. For example, within days, Harrods confirmed it too had been targeted by a cyberattack. While the impact appeared more contained (involving restricted internet access across its stores), it marked another breach of a high-profile UK retailer.

Meanwhile, the Co-op has confirmed that it was also the victim of a cyber attack affecting one of its IT systems. Although the company initially said the disruption had been contained by proactively shutting down affected systems, further investigation revealed that attackers were able to access and extract personal data. This is reported to have included names, contact details, and dates of birth linked to a significant number of current and former members.

However, the Co-op has stated that no passwords, payment data, or transaction history were compromised and that its loyalty and payment systems remain secure. Even so, the breach prompted a wider response involving the National Cyber Security Centre and the National Crime Agency. Customers have been urged to stay alert for suspicious activity, and the company has apologised while confirming that it is working closely with data protection authorities to manage the incident.

Although there has been no interruption to food supplies or store operations, the breach has exposed how even a relatively contained cyber event can present serious privacy and reputational risks. In a sector that depends so heavily on trust and repeat custom, this kind of incident can have lasting implications.

These incidents appear to follow an alarming pattern, i.e. it looks as though UK retailers are becoming increasingly attractive targets for cybercriminals looking to cause widespread disruption and score a quick payday.

Why The Food Sector Is Now a National Cyber Target

While banks and energy firms have long been classed as “critical infrastructure”, attacks like the one on M&S have raised fresh questions about whether food supply chains should be treated with similar urgency.

For example, Dr Harjinder Singh Lallie of the University of Warwick has described the incident as a “red flag” for the food industry’s cyber readiness, and has warned that “attacks like these can seriously disrupt access to basic necessities.” The relevance of this point was all too clear as M&S shoppers saw bare shelves and delayed orders first-hand.

Also, cybersecurity experts have called attention to the knock-on effects of this kind of attack, i.e. a single ransomware attack can ripple across supply chains, logistics providers, warehouse networks, and even government services that depend on consistent delivery.

It seems that the interconnectedness of these systems makes them simultaneously efficient and dangerously vulnerable.

Lessons

Cybersecurity specialists have suggested that the attack on M&S highlights how modern hackers are no longer just exploiting technical flaws. For example, they are now increasingly targeting the trust between companies and their suppliers, employees, and service partners. Analysts have, therefore, stressed the need for stronger identity verification, tighter control over third-party access, and better training for frontline staff such as IT helpdesks. Many are also pointing to the importance of adopting “zero trust” models, where access to systems is never assumed and must be continually verified.

The Motivation for the Attack?

In the case of Scattered Spider, experts have noted the group’s unusual profile. For example, unlike many ransomware gangs based in Eastern Europe, this network appears to involve mostly English-speaking members, including individuals believed to be in their late teens. Their motivation appears to be a mix of financial gain with a desire for recognition, making them both capable and difficult to predict.

Gives a Playbook to Other Cybercriminals

It seems that while most experts agree that this was a criminal act rather than a state-sponsored one, some are warning that the response (or lack thereof) could embolden hostile states watching from the sidelines. As Ciaran Martin, former head of the UK’s National Cyber Security Centre, put it: “My national-level worry is that this gives other bad actors a playbook on how to disrupt Britain at scale.”

What Does This Mean For Your Business?

While the immediate concern for M&S remains restoring full operations and reassuring customers, the wider implications of these attacks are hard to ignore. The scale and severity of the disruption (coupled with the prolonged recovery timelines) have highlighted vulnerabilities not only in retail infrastructure but also in the broader digital supply chain that supports it. These were not just one-off disruptions. They were demonstrations of how a well-organised cyber attack can ripple across departments, damage customer trust, and expose operational dependencies that were previously taken for granted.

For UK businesses, particularly those in retail, food supply, and logistics, the M&S and Co-op incidents offer a sharp reminder that cyber risk is now an operational risk. Being online and interconnected brings enormous efficiency but also opens the door to increasingly sophisticated and persistent threats. The attacks have shown how a breach of one supplier or system can impact everything from stock levels to staff recruitment, and how quickly customer-facing services can grind to a halt.

There are clear lessons here for organisations of all sizes. For example, while investment in technology is essential, so too is investment in people, training, and crisis planning. Basic resilience, i.e. the ability to function when systems go offline, is becoming just as important as innovation. For shareholders, customers and employees alike, the expectation is not perfection but preparedness.

The incidents also raise important questions for regulators and policymakers. If food retail is now so central to daily life that a single ransomware attack can cause national disruption, then its classification as part of the UK’s critical infrastructure may need to be reconsidered. In that context, the M&S and Co-op breaches could act as a turning point, one that prompts a broader shift in how businesses and government work together to anticipate, contain, and recover from this kind of attack.

While M&S works to bring its systems back online and the Co-op continues its investigation, the broader industry is already watching, and hopefully, learning. The hope is that attacks like this don’t become the new normal. If they do, resilience needs to become the new standard.
