Marks & Spencer Hack Exposed Customer Data and Drove Major Retail Disruption
Marks & Spencer said a cyberattack exposed customer personal data and caused prolonged disruption across its retail operations, including suspended online orders, store outages, delivery problems, and empty grocery shelves. The company said stolen information included names, dates of birth, home and email addresses, phone numbers, household details, and online order histories, prompting password resets for online accounts. UK authorities, including the National Cyber Security Centre, worked with affected retailers and law enforcement as the fallout spread beyond M&S.
The attack has been linked in reporting to Scattered Spider and the DragonForce ransomware and extortion operation, with Co-op and Harrods also reported as targets around the same period. M&S later said the intrusion began through a contractor compromised via sophisticated social engineering rather than exploitation of a flaw in its own systems, and warned the impact would continue for months. The retailer estimated the incident would cut profits by about £300 million, with some losses expected to be offset through insurance and other recovery measures.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
M&S reports profits almost wiped out after cyberattack
Later financial reporting said the cyberattack had almost wiped out M&S profits, underscoring the long-term business impact of the incident beyond the initial operational disruption.
M&S says disruption may last into July and profit hit could reach £300m
M&S disclosed that the cyberattack was expected to disrupt its online business into July and reduce annual profits by about £300 million, with the impact partly offset by insurance and other measures.
Co-op confirms customer data theft; NCSC engages with victims
Co-op later confirmed that customer data was also stolen in the related retail attacks, while the U.K. National Cyber Security Centre said it was working with affected organizations and law enforcement to understand the incidents.
M&S confirms customer personal data was stolen
M&S said attackers stole customer data including names, dates of birth, contact details, household information, and online order histories. The company said payment card details and account passwords were not exposed and began resetting online account passwords.
Reporting links M&S attack to Scattered Spider and DragonForce
Media reports and industry coverage linked the M&S intrusion to Scattered Spider, with DragonForce ransomware/extortion infrastructure also cited in connection with the attack.
Attacks on Co-op and Harrods linked to same wave emerge
Shortly after the M&S incident, similar cyberattacks were reported against other U.K. retailers including Co-op and Harrods, indicating a broader campaign affecting the sector.
M&S shuts down online orders and suffers store disruption
Following the intrusion, M&S suspended website orders and experienced operational disruption affecting stores, partner deliveries, and grocery availability, with reports of empty shelves and outages.
M&S detects cyber intrusion over Easter weekend
Marks & Spencer detected a cyber intrusion over the Easter weekend after threat actors reportedly gained access through a contractor using sophisticated social engineering rather than exploiting an M&S system vulnerability.
Sources
9 references tracked. Mallory keeps watching after this page renders.
Marks & Spencer pauses online orders as firm struggles with cyber-attack fallout | Marks & Spencer | The Guardian
theguardian.com
Open sourceM&S cyber-attack linked to hacking group Scattered Spider | Marks & Spencer | The Guardian
theguardian.com
Open sourceM&S expects cyber-attack to last into July and cost £300m in lost profits | Marks & Spencer | The Guardian
theguardian.com
Open sourceM&S profits almost wiped out after cyber hack left shelves empty
bbc.co.uk
Open sourceM&S profits tumble after cyber attack | Computer Weekly
computerweekly.com
Open sourceM&S admits cybercrooks made off with customer info
theregister.com
Open sourceMarks & Spencer confirms customers' personal data was stolen in hack | TechCrunch
techcrunch.com
Open sourceScattered Spider: who are the hackers linked to M&S and Co-op cyberattacks? | The Week
theweek.com
Open sourceClothing shortages, food waste and millions lost each day: inside the M&S cyber-attack chaos | Marks & Spencer | The Guardian
theguardian.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Marks & Spencer Cyberattack Causes Major Financial Losses and Operational Disruption
Marks & Spencer suffered a significant cyberattack in April that resulted in extensive operational disruption and a dramatic impact on its financial performance. The retailer reported that the incident led to a 55.4% drop in profits, with first-half earnings plunging to £3.4 million ($4.4 million) from £391.1 million ($510 million) the previous year. The attack forced the company to disconnect its warehouse management and online ordering systems, halting online and international sales for weeks. Home delivery resumed in June, and 'click and collect' services were restored in August, but sales in key departments such as fashion, home, and beauty declined by 16.4% during the reporting period due to the disruption. The total cost of the cyberattack is estimated at £136 million ($177.2 million), with £83 million ($108.2 million) spent on immediate response and recovery, and the remainder on legal and professional services. Marks & Spencer expects to offset much of these costs with a £100 million ($130.4 million) insurance claim. The incident is believed to be linked to the Scattered Spider hacking collective, with several arrests made in connection to this and other attacks on UK retailers. Despite the setback, M&S reported a 22.1% increase in overall revenues, though the cyberattack's impact on profits and operations was substantial.
Mar 21, 2026
Marks & Spencer Cyberattack and IT Helpdesk Contract Termination
Marks & Spencer suffered a major cyberattack in April 2025, reportedly linked to the Scattered Spider group, which used advanced social engineering tactics to impersonate senior executives and trick IT helpdesk staff into resetting critical login credentials. The attack led to the suspension of the retailer’s online shopping platform, failures in contactless payments, and significant supply chain disruptions, resulting in an estimated £300 million loss in operating profits. The incident drew public and parliamentary scrutiny, particularly regarding the role of Tata Consultancy Services (TCS), whose staff managed key support lines and password resets targeted by the attackers. Four individuals were arrested by the National Crime Agency in connection with the attack on M&S and other British retailers. In the aftermath, Marks & Spencer replaced TCS as its IT service desk provider, a decision both companies stated was the result of a procurement process that began before the cyber incident and not a direct response to the breach. TCS continues to provide other IT services for M&S, including data center management, while cybersecurity services are handled by other vendors. The breach and its fallout have prompted M&S to reassess its digital operations, cybersecurity posture, and vendor management strategies, with full restoration of some services, such as Click & Collect, only achieved months after the attack.
Mar 21, 2026
Mango Customer Data Breach via Compromised Marketing Vendor
Spanish fashion retailer Mango experienced a data breach after one of its external marketing service providers was compromised, resulting in the exposure of customer information. The breach was discovered over the weekend and prompted Mango to immediately activate its security protocols to contain the incident. The compromised data included customers’ first names, countries, postal codes, email addresses, and phone numbers, but did not include last names, passwords, or financial information such as credit card or banking details. Mango emphasized that its own corporate infrastructure and IT systems were not affected by the breach, ensuring that business operations continued without disruption. The company notified affected customers via email, providing details about the nature of the breach and the specific data involved. Mango also reported the incident to the Spanish Data Protection Agency (AEPD) and other relevant authorities in compliance with regulatory requirements. The company established a dedicated email address and telephone hotline to support customers with concerns about the breach. Mango advised customers to remain vigilant for suspicious communications or requests for unusual actions, as the exposed data could be used in phishing attacks. The incident highlights the growing risk of supply chain attacks, where third-party vendors become the entry point for cybercriminals targeting large organizations. Mango’s swift response and transparency in communication were noted, as the company reassured customers that no sensitive financial or authentication data was compromised. The breach is part of a broader trend of cyberattacks targeting retailers and their supply chains, with other major brands in Spain and globally having faced similar incidents in recent months. Mango’s case underscores the importance of robust vendor risk management and the need for continuous monitoring of third-party partners. The company reiterated its commitment to data protection and announced plans to review and strengthen its security measures to prevent future incidents. Customers were encouraged to contact Mango if they noticed any suspicious activity related to their personal information. The breach serves as a reminder for organizations to ensure that their external partners adhere to stringent cybersecurity standards.
Mar 21, 2026