This is not just any cyber-attack


Marks & Spencer (M&S) confirmed on 22 April 2025 that it had been hit by a cyber incident over the Easter Bank Holiday weekend, and the incident remains ongoing. The attack disrupted key in-store services across the UK: contactless payments and Click & Collect were unavailable, and customers were also unable to shop online. The result was delays for customers and operational strain during one of the busiest shopping periods of the year.

M&S Chief Executive Stuart Machin publicly acknowledged the incident, explaining that temporary adjustments to store operations had been made “to protect you and our business.” These adjustments included the shutdown of self-service check-outs, which, whilst affecting customers' experiences, signalled a deliberate containment decision rather than a reactive scramble.

The statement, whilst giving no detail on what happened or when, was met with a largely sympathetic response from M&S's customer base, with many commenting on the helpfulness (and knowledge) of staff in their local stores. M&S has also been quick to answer customers' questions about their orders via social media, earning further positive feedback.

Industry experts believe that M&S was hit by ransomware obtained through the growing ‘ransomware as a service’ (RaaS) model, in which an organised crime group develops and maintains the malware and rents it to affiliate attackers, who carry out the intrusion in return for handing the group a cut of any ransom paid.

The group believed to be behind the attack, Scattered Spider, is known for social engineering: tricking people into letting the attackers into their systems rather than relying on software exploits. Typical methods include impersonating staff when calling help desks or IT support, posing as central services to staff, and SIM swapping, in which the attacker takes over a victim's phone number so that SMS-based verification codes are delivered to them instead.

If it is ransomware, M&S will likely face the decision of whether or not to pay. The attack has clearly been designed to apply maximum pressure, and it is currently unclear when M&S will be in a position to recover. However, paying a ransom does not guarantee the end of an attack: there is no assurance that working decryption keys will be provided, that any stolen data will be deleted, or that the attackers will not return.

Whilst the investigation continues and there is currently no evidence of data compromise, regulatory scrutiny is likely. If customer claims do emerge, M&S's initial handling of the incident may prove vital in mitigating the legal and reputational fallout.

The incident is a reminder that in cybersecurity, perfection is a myth: breaches happen even to the best-prepared businesses, and the real differentiator is how they are handled. M&S's customer-focused approach offers a useful case study for other organisations operating in a world where cyber resilience is no longer optional.


How can we help?

If you believe your business may have fallen victim to a cyber incident, our Commercial Disputes team is here to help.