General 05.06.2025

AI Autopsy: Five Lessons From The M&S Ransomware Attack

A month after the ransomware cyber assault, M&S is yet to get services back up and running. Kate O’Flaherty gives the crisis the AI autopsy treatment


In late April 2025, it emerged that retail giant Marks & Spencer (M&S) had fallen victim to a substantial cyber attack.

Thought to have been perpetrated by hacking collective Scattered Spider using the DragonForce ransomware variant, the attack was devastating on multiple levels.

It is believed that adversaries were able to gain access to M&S’ Active Directory Services, crack passwords and access privileged accounts to move laterally through the company network – stealing data and deploying ransomware.

The attack also resulted in empty shelves across M&S’ 1,400 stores, while the retailer was forced to disable contactless and Click and Collect services, and staff at a major logistics hub were told not to come into work.

M&S is still unable to take online orders, with disruption expected to continue until July. According to the retailer, the attack will cost around £300m.

A month in, the lengthy investigation into what happened is still ongoing. It’s likely more details will emerge, but it would be remiss not to take a look at the lessons the retail sector can take from this unprecedented attack at this mid-way point.

Communication with humility

When the attack took place, M&S boss Stuart Machin was praised for his transparency in notifying customers that the retailer had been “managing a cyber incident”, and that it would make some “small changes” to operations in response.

Nick Harris, CISO at Assured – and former CISO at Holland and Barrett – thinks M&S deserves credit for its email communication: “It was well-worded, prompt and delivered with humility,” he tells Assured Intelligence.


Shortly after the incident, M&S posted on its website, admitting that some customer data had been taken, but assuring consumers that their payment information remained safe.

Oli Venn, SE manager, northern Europe at WatchGuard Technologies also commends M&S’ “proactive approach” when informing customers about the data breach.

“This was a crucial step in maintaining trust,” Venn tells Assured Intelligence. “Open and honest communication, even when the news is difficult, demonstrates accountability and can help mitigate long-term reputational damage.”

However, while online communication was stellar, the message did not come across so well in M&S stores – at least at first, says Harris. “It’s important that a multi-channel retailer provides customer comms at all points of sale, including via well-informed store colleagues,” he says.

That said, within a few days, M&S had addressed the issue and better information became available in bricks and mortar stores. It highlights the importance of a multi-channel approach, especially for sectors such as retail, which operate both online and in store.

A ‘national treasure’ with legacy tech

A large customer base, combined with sometimes outdated and end-of-life IT systems, makes the retail sector particularly vulnerable to attack. This is especially true for firms that have been around for many years, says Harris. “Everything was built to be on premises, and upgrades take time, pressure and money.”

Additionally, a retailer’s IT estate is complex, including CCTV, till, back-office machines, handheld devices, digital shelf labelling, and warehouse operations and fulfilment. Each of these devices comes with individual update requirements and needs, says Harris. “This requires networks to be separate, but it isn’t simple. Sometimes there is operational technology and notoriously, that’s difficult to patch.”

It’s therefore integral to know your risk and take action to ensure you have the right measures in place. As part of this, Harris advises taking services away from people who don’t need them. “Get rid of privileged services on devices that don’t need them, and where they do exist, protect them with a password.”

You’re only as secure as your…

It was initially thought the attack was able to take place due to an adversary accessing the systems of a third party. Late in May, however, it emerged that Indian IT company Tata Consultancy is investigating whether it was the gateway for the cyber-assault.

This shows just how important it is that all companies assess their supply chain risk.

“If there is a managed service provider looking after your IT and they have privileged access to your network and account, they need to uphold the same degree of security,” says Assured’s Harris. “This is a good reason why the Cyber Security and Resilience Bill has a focus on MSPs,” he adds.

Third party security goes beyond simply issuing questionnaires, he says. “If you have granted strong privileges that would impact your business if compromised, spend time doing the due diligence.”

Firms should enhance third party risk management, particularly by extending employee training and awareness initiatives into the supply chain, Jano Bermudes, chief operations officer and partner at CyXcel, tells Assured Intelligence. “Additionally, focus on improved layered defences, such as privilege management, anomaly detection, response, containment and detection.”

Education, education, education

As more details about the multiple recent UK retail hacks emerge, it appears the attackers used social engineering, targeting IT help desk support, to gain initial access to the systems of the targeted retailers. Hannah Baumgaertner, head of research at Silobreaker, explains to Assured Intelligence: “Social engineering tactics such as these have also been observed in the past, including by Scattered Spider, the group suspected to be behind the attacks on M&S, Co-op, Harrods and Dior.”


Taking this into account, users should verify whether requests such as password resets are legitimate via a different channel before engaging, she says. “Organisations should also ensure their staff are trained on the current tactics employed by adversaries, as they are constantly changing when their old methods become less effective.”
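As an added illustration of the out-of-band verification Baumgaertner describes (example code written for this piece, not M&S’s or any vendor’s system), the model below gates a help-desk password reset on a one-time code sent to the phone number already on file, ignoring whatever number the caller supplies, and requires a second approver for privileged accounts. The directory entries and phone numbers are constructed sample data.

```python
"""Help-desk reset gate: a reset proceeds only after confirmation over a
channel the caller did not choose. Illustrative model, not production code."""
from dataclasses import dataclass, field
from typing import Dict, Optional
import hmac
import secrets


@dataclass
class Account:
    username: str
    registered_phone: str      # out-of-band channel recorded at onboarding
    privileged: bool = False   # e.g. directory admin or service-desk roles


@dataclass
class ResetRequest:
    username: str
    claimed_phone: str         # what the caller says; never trusted
    confirmed: bool = False
    code: str = field(default="", repr=False)


# Constructed sample directory; not real accounts or numbers.
DIRECTORY: Dict[str, Account] = {
    "jsmith": Account("jsmith", "+441234567890"),
    "da-jsmith": Account("da-jsmith", "+441234567890", privileged=True),
}


def start_reset(req: ResetRequest) -> str:
    """Generate a one-time code and return the channel it is sent to.
    The caller's claimed_phone is deliberately ignored."""
    acct = DIRECTORY[req.username]
    req.code = f"{secrets.randbelow(10**6):06d}"
    return acct.registered_phone


def confirm_reset(req: ResetRequest, code_from_caller: str) -> bool:
    """Constant-time comparison of the code read back by the caller."""
    req.confirmed = hmac.compare_digest(req.code, code_from_caller)
    return req.confirmed


def perform_reset(req: ResetRequest, approver: Optional[str] = None) -> str:
    """Refuse unless out-of-band confirmation (and, for privileged
    accounts, a named second approver) is present."""
    acct = DIRECTORY[req.username]
    if not req.confirmed:
        return "refused: no out-of-band confirmation"
    if acct.privileged and approver is None:
        return "refused: privileged account needs second approver"
    return "reset"
```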

Employees are an organisation’s first line of defence, Dave McGrail, head of business consultancy at Xalient, tells Assured Intelligence. “Employees must be trained to spot fraudulent emails, verify IT requests and avoid password-sharing pitfalls.”

In addition, staff need to know how to handle the public and the press, says Assured’s Harris. But he admits this can be tricky because many retailers employ people on an hour-by-hour contract.

Harris suggests negotiating with whoever is in charge of retail training or arranging for regional managers to speak to store managers to get the message across. “It’s winning the hearts and minds of whoever handles in-store training so that messages get through to colleagues in the right way.”

Adapt, overcome!

The M&S attack highlights that retailers should be focusing on cyber readiness and resilience, says Oliver Willis, a partner at law firm Broadfield.

Business continuity plans should anticipate how the loss of key systems would affect different parts of the organisation. They should also consider how any response would need to be coordinated across multiple teams, says Willis. “Response plans should also identify the external advisors and agencies who will be involved, from insurers, legal and PR teams through to the police and the Information Commissioner’s Office (ICO).”

Response and resilience are key, says Assured’s Harris. As part of this, prevention is integral, but having a “comfort blanket” of cyber insurance for attacks allows you to rely on response teams who understand your environment, Harris explains. “You will know your excess and therefore the cost of your recovery. For some retailers or suppliers living on the breadline, the insurance to pay those bills can save the business, so they can focus on getting back up and running.”

A final word

Cyber attacks such as the one on M&S are brutal, and they have huge consequences for the entire business. One person who has learnt this lesson the hard way is M&S’ CEO – who is facing a £1.06m cut to his total pay, including an impact on his bonus.

This unfortunate consequence of the attack shows how cyber is increasingly a Board issue, says Assured’s Harris. “It’s the number one risk of a business being profitable. When it hits us personally in the pocket, we pay attention.”

With this very scary thought in mind, prevention is key. That means getting the basics right, including MFA, and limiting who has access to important services. In addition, all firms must manage third-party risk, ensuring that partners uphold a level of security that can keep the business safe.
