Recent Breaches
Breaches
View All →
Back to Knowledge Vault
Offline Security20 October 20254 min read

Marks & Spencer: The £300m Cyber Lesson

A ransomware attack on M&S paused online orders from late April into July, hit profits by an estimated £300 million and exposed customer data. The root cause is a familiar one: too much critical data left connected.

Mark Fermor

Mark Fermor

Director & Co-Founder, Firevault

Share

In late April 2025, Marks & Spencer paused online orders after a ransomware attack tore through its systems. By early June the retailer was only cautiously restarting a limited fashion range for home delivery in England, Wales and Scotland, with click-and-collect still offline and delivery windows stretched to ten days. M&S has said it will be July before operations are fully back to normal.

The company estimates the incident will reduce this year's profits by around £300 million, equivalent to a roughly 30 per cent hit, some of which it hopes to recover through insurance.

What Happened

M&S confirmed the incident as a ransomware attack. The BBC has reported that detectives are focusing on Scattered Spider, a group of English-speaking teenagers and young adults, using an affiliate service called DragonForce to run the extortion. The same criminals told the BBC they were also behind the Co-op ransomware attack and the attempted hack of Harrods.

CEO Stuart Machin confirmed the attackers got in via social engineering through a third party with access to M&S systems. The BBC has seen a gloating email sent to Machin apparently from the account of an employee at Tata Consultancy Services, which has provided IT services to M&S for over a decade.

The Cost, in Numbers

  • ~£300m estimated hit to this year's operating profit, before insurance recovery.
  • ~£3.8m of clothing and home is spent on the M&S website and apps every day on average.
  • From late April to July of disruption to online orders, with click-and-collect offline for much of that window.
  • Customer data stolen: names, home addresses, phone numbers, email addresses, dates of birth and online order history. No usable payment or card details, and no account passwords.
  • Share price fall since the attack, alongside supplier disruption reaching Greencore (which resorted to pen and paper) and small brands such as Nails Inc.

Source: What can I buy online at M&S since the hack? — BBC News

Why Firewalls Were Not Enough

M&S is a FTSE 100 retailer with mature IT and significant investment in cyber programmes. The incident did not happen because defensive tooling was absent. It happened because a valid login, obtained by impersonating IT support through a trusted third party, gave attackers the run of a connected estate. The National Cyber Security Centre has warned that criminals attacking UK retailers are actively impersonating help desks to break in.

Once inside, the difference between reading a shared drive and encrypting production systems is measured in hours, not weeks.

What Physical Disconnection Would Have Changed

Firevault does not claim it could have stopped the initial credential compromise. What it changes is what happens next.

  • Customer records held in offline Storage cannot be exfiltrated by an intruder on the corporate network. There is no route to reach them.
  • Immutable, physically disconnected backups cannot be encrypted or deleted by ransomware. Restore times drop from weeks to days.
  • Governed access windows mean bulk reads of historical data raise flags long before an attacker can complete an extraction.

The connected estate can still be attacked. The question is what the attacker actually finds when they get there.

Lessons for Every Retailer

  • Assume credentials will be compromised, including those of trusted third parties. Design the environment so that a single account cannot reach every system of record.
  • Treat customer data as an asset to be protected, not a resource to be perpetually available. Not every historical record needs to sit on always-on infrastructure.
  • Rehearse recovery from a genuinely offline copy. If your backups sit on the same fabric as production, they are hostages in waiting.

Conclusion

The £300 million figure will be studied in boardrooms for years. The more useful takeaway is architectural: connected systems will keep being breached, and defence-in-depth alone will not change that arithmetic. The organisations that recover fastest are those that already decided which data does not belong online in the first place.

Firevault exists to make that decision practical. Explore Vault for board-level records, or Storage for customer and operational data at scale.

About the author

Mark Fermor

Mark Fermor

Director & Co-Founder

Co-founder of Firevault, focused on offline secure storage and protecting individuals and businesses from fraud, fines, loss and damage. Speaker, owner and advisor.

Share this article

Offline Security20 October 20254 min read

Marks & Spencer: The £300m Cyber Lesson

A ransomware attack on M&S paused online orders from late April into July, hit profits by an estimated £300 million and exposed customer data. The root cause is a familiar one: too much critical data left connected.

Mark Fermor
Published by Mark Fermor, Director & Co-Founder

    Firevault

    Firevault is Offline Secure Storage. Hardware you own, physically disconnected by default, with KYC-verified access. Ransomware-proof by design, not by patch.

    © 2026 Firevault Limited. Disconnect to Protect®