Marks and Spencer cyberattack disrupts operations as teenage hackers demand ransom

A recent cyberattack has caused massive disruption to Marks & Spencer’s operations, with a group known as “Scattered Spider” allegedly behind the breach. Reports suggest the teenage hacking group gained entry into M&S systems earlier in the year, employing sophisticated techniques to compromise the retail giant’s IT network.

The attack, which first surfaced publicly last week, has forced M&S to suspend online orders and delay click-and-collect services. Customers have been advised to wait for confirmation emails before attempting to collect their purchases, while nearly 200 agency staff at the company’s Castle Donington distribution centre have been sent home as operations remain paused. Agency workers reportedly account for 20 per cent of staff at the warehouse, highlighting the scale of the disruption.

Sources close to the incident have revealed that the hackers may have stolen sensitive data by accessing the retailer’s NTDS.dit file, part of the Windows Active Directory. This file contains critical domain information, including user credentials, which could allow attackers to compromise the entire network. The hackers allegedly deployed the “DragonForce” ransomware, designed to encrypt systems and data, making them inaccessible without a decryption key.

Speculation suggests that any ransom demand could be as high as £10 million, following in the steps of previous attacks by Scattered Spider on major corporations. However, M&S has yet to confirm whether it has received or will comply with any ransom demands. Cybersecurity experts warn that paying ransoms not only encourages such attacks but also offers no guarantee that access to systems or data will be restored.

The attack has had significant repercussions for Marks & Spencer. It has locked out remote-working staff from some internal programmes and reduced network access as a precautionary measure. The retailer has also reported the incident to the National Cyber Security Centre and data protection authorities.

The emergence of Scattered Spider has alarmed industry experts. Known for targeting high-profile companies with well-planned attacks, the group uses social engineering methods such as SIM swapping and impersonation of IT staff to gain access. Earlier exploits have included breaching casino operators such as Caesars Entertainment, which paid a $15 million ransom to restore its systems. Experts describe the group as a collective of skilled hackers operating primarily in the UK and US.

The attack marks a major setback for M&S, which has seen renewed growth under CEO Stuart Machin’s turnaround strategy. The tightened security measures and operational backlog following the breach threaten to overshadow positive momentum recently achieved in sales and profits.