Retail Giant Marks & Spencer Suffers Major Data Breach in Ransomware Attack

DragonForce ransomware group linked to UK retail sector breach affecting over 9 million customers

Marks & Spencer (M&S), one of the UK’s most trusted retail brands, has confirmed a significant cybersecurity breach following a ransomware attack that has disrupted its operations since Easter weekend. The attack, attributed to the DragonForce ransomware group, resulted in the theft of personal information belonging to millions of customers and has caused widespread outages across its digital infrastructure.

  • M&S disclosed that threat actors accessed and exfiltrated customer names, email and home addresses, phone numbers, dates of birth, and online order histories.
  • The breach did not include usable payment card data or passwords, according to company statements.
  • As a precaution, all online users will be required to reset passwords on their next login.
  • The DragonForce ransomware group, a known Ransomware-as-a-Service (RaaS) operator, is behind the attack.
  • Attackers reportedly used social engineering techniques to gain access through IT helpdesk channels.
  • Scattered Spider (UNC3944), a notorious young hacking collective, is suspected to be involved.
  • Cybercriminals likely extracted the NTDS.dit Active Directory database, enabling them to move laterally within the network.
  • M&S’s stock price plummeted by 11%, resulting in over £1 billion in market value loss.
  • Online ordering remains suspended, with continued disruptions to in-store availability.
  • The company is working with UK authorities including the National Crime Agency (NCA) and National Cyber Security Centre (NCSC) to investigate.

This breach underscores the increasing precision and complexity of modern ransomware attacks, especially those targeting high-value retail data. As threat actors refine their social engineering and lateral movement tactics, organizations must adopt advanced endpoint protection, zero-trust architectures, and proactive threat intelligence strategies. At Net Protector Cyber Security, we urge all businesses to reassess their incident response and data protection protocols—before they become the next headline.