Marks and Spencer disclosed late on Tuesday 22 April a "cyber incident" that has produced sustained operational disruption: online ordering suspended, click-and-collect halted, contactless payment affected in a substantial fraction of stores, and the gift-card system disrupted (per M&S customer communications through April and May). Subsequent reporting has firmed up the attribution to a Scattered Spider affiliate operating in concert with the DragonForce ransomware-as-a-service. The disruption is the most operationally consequential UK-retail-sector cyber incident in recent years.
The technical content. On the public reporting, the initial-access vector was social engineering against M&S help-desk processes, consistent with the Scattered Spider operational pattern I wrote about extensively in September 2023 (MGM and Caesars). Post-compromise activity included substantial dwell time, lateral movement, exfiltration, and ransomware deployment against the affected operational systems. The ransomware payload is DragonForce, a relatively recent ransomware-as-a-service that emerged from the cluster fragmentation following Operation Cronos and the BlackCat seizure as one of the operationally substantive successors.
The disclosure handling has been, by the standards of UK-retail incidents, substantively transparent. M&S CEO Stuart Machin has been publicly engaged with the disclosure, and the operational-recovery posture has been visible through ongoing customer and public communication. The company's commitment to a no-pay posture (consistent with the post-Norsk-Hydro and post-Ireland-HSE doctrine) has been publicly articulated. The recovery-and-restoration timeline is multi-week and the operational cost will be substantial: early analyst estimates put the disruption cost at approximately £30 million per week of disrupted operations, with the aggregate likely in the £150-300 million range by the time recovery completes.
For the customer-portfolio response. The retailer in our customer portfolio (the customer added in October 2017) operates in an adjacent retail-sector market, and over the past several days the customer organisation has been substantively concerned about whether the same attack pattern could affect its operations. The customer-organisation programme work has continued the post-MGM/Caesars Scattered Spider-pattern defensive work: help-desk-process review, MFA-coverage-completeness audit, identity and privileged-access controls verification, and incident-response readiness exercising. The customer-portfolio detection content has incorporated the Scattered Spider/DragonForce TTPs.
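As an added illustration of the help-desk-process and detection-content work described above (example code written for this post, not from any customer programme or from M&S), the following Python correlates help-desk MFA-reset events with a subsequent sign-in from a device not previously seen for that user; the event shape, the device inventory and the sample records are all constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records in the shape of a normalised identity log
# (not real M&S or customer data): help-desk MFA resets and later sign-ins.
EVENTS = [
    {"ts": "2025-04-19T09:02:00", "user": "alice", "type": "helpdesk_mfa_reset", "agent": "hd-17"},
    {"ts": "2025-04-19T09:11:00", "user": "alice", "type": "signin", "device": "dev-unknown-1", "mfa_method": "sms"},
    {"ts": "2025-04-19T10:40:00", "user": "bob", "type": "helpdesk_mfa_reset", "agent": "hd-03"},
    {"ts": "2025-04-19T13:05:00", "user": "bob", "type": "signin", "device": "bob-laptop", "mfa_method": "authenticator"},
    {"ts": "2025-04-19T14:00:00", "user": "carol", "type": "signin", "device": "dev-unknown-2", "mfa_method": "sms"},
]
# Constructed per-user inventory of previously enrolled devices.
KNOWN_DEVICES = {"alice": {"alice-laptop"}, "bob": {"bob-laptop"}, "carol": {"carol-desktop"}}
# Phishable second factors: a reset that lands on one of these is rated higher.
WEAK_MFA = {"sms", "voice"}


def find_suspicious_resets(events, known_devices, window=timedelta(hours=2)):
    """Flag each help-desk MFA reset that is followed within `window` by a
    sign-in from a device never seen for that user. Returns tuples of
    (user, reset_ts, signin_ts, device, severity)."""
    ordered = sorted(events, key=lambda e: e["ts"])
    hits = []
    for reset in (e for e in ordered if e["type"] == "helpdesk_mfa_reset"):
        reset_ts = datetime.fromisoformat(reset["ts"])
        for e in ordered:
            if e["type"] != "signin" or e["user"] != reset["user"]:
                continue
            signin_ts = datetime.fromisoformat(e["ts"])
            in_window = reset_ts <= signin_ts <= reset_ts + window
            new_device = e["device"] not in known_devices.get(e["user"], set())
            if in_window and new_device:
                severity = "high" if e["mfa_method"] in WEAK_MFA else "medium"
                hits.append((reset["user"], reset["ts"], e["ts"], e["device"], severity))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_resets(EVENTS, KNOWN_DEVICES):
        print("suspicious reset chain:", hit)
```

Bob's reset is not flagged because his sign-in is on an enrolled device and outside the window; Carol's unknown-device sign-in is not flagged because no help-desk reset preceded it.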
The wider UK-retail-sector exposure. Post-M&S conversations with customer organisations across the broader UK retail sector have been substantive over the past several days. The Scattered Spider cluster's targeting pattern through 2023-2025 has been driven, in part, by the high-volume operational systems and time-sensitive customer-service exposure that create payment pressure. The UK retail sector matches that targeting profile, and its defensive posture is, on average, less mature than what the customer-portfolio work has produced. On the post-M&S evidence, the 2025 trajectory of UK-retail-sector cyber incidents will continue to be substantive.
I will return to this. The M&S situation will continue to develop and the broader UK-retail-sector implications will be a substantive 2025 theme.