Marks & Spencer has reopened its website weeks after a major cyber attack forced the retailer to suspend online orders and contactless services across the UK. Customers can now access a limited range of fashion and home items for delivery to England, Scotland, and Wales. Full services, including Click & Collect and Northern Ireland delivery, are expected to resume in the coming weeks.
The disruption began on April 25, shortly after Easter, and severely impacted the company’s operations, with contactless payments and online orders paused, and “pockets of limited availability” reported in physical stores. The website remained offline for several weeks as security protocols were reviewed and systems were restored.
£300 Million (₹3,180 crore) Loss and Third-Party Breach Confirmed
It was revealed that the breach originated from a third-party vulnerability and resulted in unauthorized access to M&S’s internal systems. The company cited human error as the trigger, denying that the incident was related to under-investment in cybersecurity.

According to official statements, the breach is expected to cost the retailer approximately £300 million (₹3,180 crore). While no payment card data or passwords were compromised, customer names, contact details, addresses, and order history were confirmed as stolen.
Cybersecurity experts were immediately brought in to contain the incident. Authorities and law enforcement agencies, including the Information Commissioner’s Office and the National Crime Agency, have been notified and are actively investigating.
DragonForce Tool Suspected, Customer Caution Urged
The attack was reportedly executed using the DragonForce cybercrime toolkit, which has been linked to recent incidents involving other UK retailers. This toolkit enables double extortion tactics, where data is both encrypted and stolen, with ransom demands made for both decryption and deletion of stolen files.
Although no direct claim has been made by DragonForce-affiliated groups, connections have been speculated, with Scattered Spider also being mentioned in relation to the breach. Investigations are ongoing, and the dark web has not shown any confirmed listings related to M&S data at this time.
M&S has informed customers that passwords were not compromised, but login prompts now require password resets as a precaution. The retailer advised that there is currently no evidence of the stolen data being shared or sold but urged vigilance.
“We have taken all necessary measures to secure our systems and protect customers,” the company said in a public notice.
About the author – Ayush Chaurasia is a postgraduate student passionate about cybersecurity, threat hunting, and global affairs. He explores the intersection of technology, psychology, national security, and geopolitics through insightful writing.