M&S reveals DragonForce ties in devastating cyber attack
- Marks & Spencer's cyber attack occurred in late April 2025, leading to substantial operational disruptions.
- The hacking group Scattered Spider and a ransomware operation named DragonForce are believed to be involved.
- The retailer anticipates a £300 million loss but expects recovery through cost management and insurance measures.
In late April 2025, Marks & Spencer experienced a severe cyber attack that left the retailer unable to take online orders for over six weeks. The attack was reportedly instigated by a hacking group known as Scattered Spider, coupled with a ransomware operation called DragonForce, which is believed to involve former computer gamers operating from Asia. Marks & Spencer's chairman, Archie Norman, speaking before the Business and Trade select committee, described the event as 'traumatic', sharing that it was an unprecedented experience for him and the entire company. The fallout from the attack was significant, with Marks & Spencer estimating a financial impact of around £300 million in lost profits. Despite this considerable setback, the company expects to recover approximately half of this amount through effective cost management, insurance, and other mitigation strategies. Norman elaborated on the struggles the team faced in the aftermath of the hack, stating that members of the cyber team were working intensely, often with very little sleep, to restore operations and address the damages. Moreover, Norman emphasized the complexity of the attack, noting that the hackers communicate indirectly and do not usually reveal their identity. He validated that while Scattered Spider initiated the breach, DragonForce played an active role in the ransomware aspect. To safeguard the company’s interests, Marks & Spencer decided not to negotiate directly with the hackers, opting instead to leave the response to cybersecurity professionals. While he did not confirm whether Marks & Spencer paid a ransom, Norman discussed the tough decisions businesses face when confronted with such demands. He illustrated the dilemma, highlighting factors like data exfiltration and the inherent risks in trying to regain control of compromised systems. The incident has sparked discussions about cybersecurity within corporations and the importance of being resilient in the face of increasing cyber threats.