Marks and Spencer experienced a ransomware cyberattack on April 22, 2025, leading to data theft and operational disruptions across its stores. Despite assurances that no payment or account login details were compromised, sensitive customer information was illegally accessed.
Affected: Marks and Spencer customers, online order system, internal servers.
Affected: Marks and Spencer customers, online order system, internal servers.
Keypoints
- Marks and Spencer (M&S) confirmed a ransomware cyberattack encrypted servers and stole customer data.
- The attack occurred on April 22, 2025, impacting 1,400 stores and halting online order acceptance.
- The threat actors used DragonForce ransomware via Scattered Spider social engineering tactics.
- Encrypted VMware ESXi virtual machines hosted on M&S servers were disrupted during the attack.
- Stolen data included names, email addresses, home addresses, phone numbers, birth dates, order history, and masked payment details.
- M&S assured customers that no payment card information or passwords were compromised and prompted account password resets.
- The retailer warned customers to be cautious of potential phishing attempts claiming to be from M&S.