
M&S's £300M Ransomware Attack: A Costly Lesson in Supply Chain Security
Ravi Teja
In April 2025, Marks & Spencer suffered a major ransomware attack, attributed to the DragonForce ransomware group and the Scattered Spider network, that began with a social-engineering compromise at its third-party IT supplier, TCS. The incident caused severe operational disruption, an estimated £300 million in lost profit, and a breach of customer personal data, exposing critical weaknesses in supply chain security and in the human layer of the helpdesk process.
Attack Methodology
- The attack began with a compromise of Tata Consultancy Services (TCS), M&S's third-party IT helpdesk supplier.
- The attackers used social engineering, impersonating internal IT staff, to obtain credentials or have passwords reset on their behalf.
- Once inside, the DragonForce group exfiltrated sensitive data and then encrypted servers, demanding a ransom both for decryption and for not leaking the stolen data (double extortion).
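The entry path above is a helpdesk-assisted account takeover: a password reset granted to an impersonator, followed by the attacker enrolling their own MFA device and logging in from infrastructure the real user never uses. As an added example (not from the original article, and not M&S's or TCS's tooling), the Python below shows one detection a SOC could run over identity-provider logs for that sequence: a helpdesk-initiated reset followed, within an assumed six-hour window, by MFA enrolment and a login from a source absent from the user's prior baseline. The log format, field names, window length and all sample events are constructed here for illustration.

```python
"""Flag helpdesk password resets that look like the start of an account takeover.

Pattern (assumed, generalised from the attack described above):
  helpdesk_reset -> mfa_enrolled -> login from a never-before-seen source,
all for the same user within WINDOW of the reset.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

WINDOW = timedelta(hours=6)  # assumed lookback after a helpdesk reset


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str    # "helpdesk_reset" | "mfa_enrolled" | "login"  (constructed schema)
    user: str
    source: str  # helpdesk agent id for resets, client network label otherwise


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<ISO ts> <kind> user=<u> src=<s>'."""
    ts, kind, user_kv, src_kv = line.split()
    return Event(
        ts=datetime.fromisoformat(ts),
        kind=kind,
        user=user_kv.split("=", 1)[1],
        source=src_kv.split("=", 1)[1],
    )


def baseline_sources(events: list[Event], user: str, before: datetime) -> set[str]:
    """Sources the user logged in from BEFORE the reset; the 'known good' set."""
    return {e.source for e in events if e.user == user and e.kind == "login" and e.ts < before}


def find_takeovers(events: Iterable[Event], window: timedelta = WINDOW) -> list[dict]:
    """Return one alert per helpdesk reset that is followed by MFA enrolment
    and a login from a source outside the user's pre-reset baseline."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for reset in (e for e in events if e.kind == "helpdesk_reset"):
        known = baseline_sources(events, reset.user, reset.ts)
        after = [
            e for e in events
            if e.user == reset.user and reset.ts < e.ts <= reset.ts + window
        ]
        mfa_enrolled = any(e.kind == "mfa_enrolled" for e in after)
        new_sources = sorted({e.source for e in after
                              if e.kind == "login" and e.source not in known})
        # Either signal alone is common (new laptop, travelling user);
        # reset + new MFA device + new source together is the takeover shape.
        if mfa_enrolled and new_sources:
            alerts.append({
                "user": reset.user,
                "reset_at": reset.ts.isoformat(),
                "helpdesk_agent": reset.source,
                "mfa_enrolled": True,
                "new_sources": new_sources,
            })
    return alerts


# Constructed sample log (not real M&S/TCS data). Only alice matches all three signals:
# bob has a reset but logs in from his usual network with no MFA change;
# carol enrols MFA after a reset but never appears from an unknown source.
SAMPLE_LOG = """\
2025-04-14T08:02:00 login user=alice src=asn-corp-office
2025-04-15T08:10:00 login user=alice src=asn-corp-office
2025-04-14T09:00:00 login user=bob src=asn-corp-office
2025-04-14T09:30:00 login user=carol src=asn-home-isp
2025-04-17T09:05:00 helpdesk_reset user=alice src=hd-agent-17
2025-04-17T09:12:00 mfa_enrolled user=alice src=asn-unknown-vpn
2025-04-17T09:40:00 login user=alice src=asn-unknown-vpn
2025-04-17T10:00:00 helpdesk_reset user=bob src=hd-agent-04
2025-04-17T10:20:00 login user=bob src=asn-corp-office
2025-04-17T11:00:00 helpdesk_reset user=carol src=hd-agent-17
2025-04-17T11:05:00 mfa_enrolled user=carol src=asn-home-isp
2025-04-17T11:30:00 login user=carol src=asn-home-isp
"""


def run_sample() -> list[dict]:
    """Run the detection over the constructed sample log."""
    return find_takeovers(parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The rule deliberately requires all three signals; resets and new devices are routine on their own, and alerting on each would bury the analyst. In a real deployment the baseline would come from weeks of history rather than the handful of lines above, and the helpdesk agent id is kept in the alert so that repeated appearances of one agent across suspicious resets can be followed up as a process failure, not just an account one.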
Operational & Financial Impact
- M&S's automated ordering, stock, and payment systems were shut down, and the business fell back to manual processes.
- Online shopping was suspended for over six weeks, disrupting services like Click & Collect and loyalty programs.
- The attack is projected to cost M&S around £300 million in lost profit, making it one of the most expensive cyber incidents in UK retail history.
- Personal customer data (names, addresses, emails, order histories) was stolen, though no payment card details or passwords were compromised.
Threat Actors & Vulnerabilities
- The attack was linked to the DragonForce ransomware gang and the Scattered Spider network, known for targeting large organizations.
- The primary weakness exploited lay in M&S's supply chain: the attackers went through a trusted third-party vendor (TCS) rather than attacking M&S directly.
- Social engineering succeeded because staff were tricked into granting access, underscoring that helpdesk identity verification is a security control and that human error remains a reliable entry point.