Easter Weekend Shock: M&S Hit by Major Cyber Attack
Easter weekend is usually a busy, cheerful time for Marks & Spencer customers. But this year, things took a dark turn. The beloved British retailer was blindsided by a cyber attack that threw its operations into chaos. Suddenly, shoppers couldn’t pick up their “Click and Collect” orders, contactless payments stopped working, and shelves started to empty out fast.
How the Attack Unfolded
It turns out, the attack had been brewing for months. Back in February 2025, cybercriminals quietly broke into M&S’s systems. According to security experts, they managed to steal a critical file from the company’s Windows domain, one that held password hashes for all users. By cracking these, the attackers gained deep access to the M&S network, eventually launching the notorious DragonForce ransomware to lock up virtual machines and disrupt services.
The Data Breach: What Was Stolen?
On May 13, Marks & Spencer confirmed the bad news: personal customer data had been compromised. Thankfully, the company reassured everyone that no payment or card details were affected, and no account passwords were leaked. Still, the stolen information included:
- Names
- Birth dates
- Home and email addresses
- Phone numbers
- Household details
- Online purchase histories
As a precaution, M&S reset all customer online account passwords.
What should customers do?
Cybersecurity experts recommend the following steps if you think you might be affected:
- Change your passwords and turn on multi-factor authentication
- Watch out for phishing emails or texts pretending to be from M&S
- Monitor your credit score and be careful about sharing personal info
- Double-check any communication claiming to be from Marks & Spencer
The Financial Fallout
The financial impact has been staggering. M&S’s market value dropped by over £700 million, and the company reportedly lost about £40 million every week the attack dragged on. According to the Financial Times, M&S may claim up to £100 million from its cyber insurance policy, with Allianz and Beazley among the insurers likely to pay out.
Why This Matters for Every Business
This attack isn’t just a headline; it’s a wake-up call for organisations everywhere. Here’s what we can all learn from the M&S cyber incident:
1. Take Identity and Access Management Seriously
The attackers got in by exploiting weaknesses in how M&S managed user access. This highlights why strong authentication (like multi-factor authentication) and strict password policies are essential. Regularly review who has access to what, and immediately revoke any unnecessary permissions.
2. Train Your People, and Keep Training Them
Hackers used social engineering to trick IT staff into resetting passwords. The best defense? Ongoing, practical cybersecurity training for every employee. Teach your team how to spot phishing attempts, verify suspicious requests, and always double-check before sharing sensitive info. Run regular cyber drills to keep everyone sharp.
3. Build and Test Your Incident Response Plan
Every organisation needs a clear, tested plan for what to do if (or when) a cyberattack happens. Make sure everyone knows their role, and practice your response with tabletop exercises. Good crisis communication, both internally and with customers, is just as important as technical fixes.
4. Invest in Cybersecurity Infrastructure
Don’t wait for a disaster to upgrade your defenses. Invest in advanced threat detection, frequent vulnerability assessments, and secure backup solutions. The faster you can spot and contain an attack, the less damage it can do.
The Big Takeaway
The Marks & Spencer cyber attack is a stark reminder that cyber threats are only getting more sophisticated. No one is immune, not even the most established brands. The best way forward is to make cybersecurity a top business priority, not just an IT issue. That means:
- Strong identity and access management
- Proactive employee training and awareness
- Clear, tested incident response plans
- Ongoing investment in security technology
Cybersecurity isn’t a luxury anymore; it’s a necessity for survival in today’s digital world.