In April 2025, Marks & Spencer was hit by a highly sophisticated ransomware attack. This wasn't a simple virus or a careless click; it was a coordinated campaign attributed to the Scattered Spider group, which deployed ransomware from the DragonForce operation.
The result?
- Nearly seven weeks of disruption to online orders,
- A £300 million impact on M&S’s profits,
- And a clear warning for every other UK business: Even the best-known brands with serious IT budgets aren’t immune.
If your business relies on customer data, online services, or critical IT infrastructure, you need to take this seriously.
What Actually Happened, In Plain English
1. They talked their way in
The attackers phoned an external IT helpdesk and talked it into resetting the credentials (and MFA enrolment) of high-privilege accounts, so multi-factor authentication never had to be broken, only bypassed by a convincing caller. This tactic is known as vishing (voice phishing).
Key takeaway: Strong technical controls can be undone by a single persuasive phone call. Helpdesk identity-verification process and staff training matter as much as firewalls.
2. They quietly explored the network
Once inside, the hackers:
- Stole the Active Directory database (the NTDS.dit file), which holds the password hashes for every account in the domain,
- Used legitimate IT tools (like PowerShell and RDP) to move around unnoticed,
- Avoided detection by not installing malware right away.
Key takeaway: This was a "living off the land" attack: no obvious malware, just the admin tools already on the network. You need behavioural monitoring of logins and admin activity, not just antivirus.
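The following is an added example, not code from the original page or from M&S, of the kind of behavioural rule a SOC runs over Windows security telemetry to catch exactly the sequence described in steps 1 and 2: a helpdesk password reset on a privileged account, followed minutes later by an RDP logon for that account from a host that is not one of the usual admin jump boxes, followed by PowerShell activity that dumps the AD database. The Windows event IDs used (4724 password reset, 4624 logon with type 10 = RDP, 4104 PowerShell script block) are real; the account names, host names, IP addresses and the log lines themselves are constructed for illustration.

```python
"""Behavioural detection over a stream of Windows Security / PowerShell events.

The baseline sets and the sample log below are assumptions made for this
example; swap them for your own privileged-account list and jump hosts.
"""
import json
from datetime import datetime, timedelta

# Baseline (assumed): privileged accounts, and the admin hosts they normally RDP from.
PRIVILEGED = {"svc_backup_admin", "j.smith_da"}
KNOWN_ADMIN_HOSTS = {"JUMP-01", "JUMP-02"}
# A password reset followed by a privileged RDP logon inside this window is escalated.
RESET_THEN_LOGON_WINDOW = timedelta(minutes=30)

# Strings typical of "living off the land" credential theft with built-in tools.
SUSPICIOUS_PS = (
    "-encodedcommand",
    "frombase64string",
    "ntdsutil",
    "vssadmin create shadow",
)

# Constructed sample log (one JSON event per line), not real telemetry.
SAMPLE_LOG = r"""
{"ts":"2025-04-17T09:02:10","id":4724,"target":"j.smith_da","actor":"helpdesk_t1","host":"HD-WS-07"}
{"ts":"2025-04-17T09:11:45","id":4624,"user":"j.smith_da","logon_type":10,"host":"DC-01","src_ip":"10.8.3.44","src_host":"LAPTOP-X1"}
{"ts":"2025-04-17T09:15:02","id":4104,"user":"j.smith_da","host":"DC-01","script":"powershell -EncodedCommand SQBFAFgA..."}
{"ts":"2025-04-17T09:20:30","id":4104,"user":"j.smith_da","host":"DC-01","script":"ntdsutil \"ac i ntds\" ifm \"create full C:\\Temp\\ntds\" q q"}
{"ts":"2025-04-17T10:01:00","id":4624,"user":"j.smith_da","logon_type":10,"host":"DC-02","src_ip":"10.8.3.44","src_host":"LAPTOP-X1"}
{"ts":"2025-04-17T10:05:00","id":4624,"user":"b.ops","logon_type":10,"host":"FS-01","src_ip":"10.1.1.5","src_host":"JUMP-01"}
""".strip()


def parse_events(log_text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect(log_text):
    """Return alerts as (severity, rule, timestamp, detail) tuples, in event order."""
    alerts = []
    recent_resets = {}  # privileged account -> time of the last password reset

    for e in parse_events(log_text):
        eid = e["id"]

        # Step 1: a helpdesk reset of a privileged account is always worth a look.
        if eid == 4724 and e["target"] in PRIVILEGED:
            recent_resets[e["target"]] = e["ts"]
            alerts.append(("medium", "priv-password-reset", e["ts"],
                           f"{e['actor']} reset {e['target']} from {e['host']}"))

        # Step 2: privileged RDP (logon type 10) from a host outside the admin baseline.
        elif eid == 4624 and e.get("logon_type") == 10 and e["user"] in PRIVILEGED:
            if e["src_host"] not in KNOWN_ADMIN_HOSTS:
                reset_at = recent_resets.get(e["user"])
                detail = f"{e['user']} RDP to {e['host']} from {e['src_host']} ({e['src_ip']})"
                if reset_at is not None and e["ts"] - reset_at <= RESET_THEN_LOGON_WINDOW:
                    # Reset-then-logon-from-new-host is the vishing pattern: escalate.
                    alerts.append(("high", "reset-then-rdp-new-host", e["ts"], detail))
                else:
                    alerts.append(("medium", "priv-rdp-new-host", e["ts"], detail))

        # Built-in tooling used the way an intruder uses it: encoded commands, NTDS dumps.
        elif eid == 4104:
            script = e["script"].lower()
            hits = [k for k in SUSPICIOUS_PS if k in script]
            if hits:
                alerts.append(("high", "suspicious-powershell", e["ts"],
                               f"{e['user']}@{e['host']}: {', '.join(hits)}"))

    return alerts


def summarise(alerts):
    """Count alerts per severity, the figure a SOC dashboard would show."""
    counts = {}
    for severity, _rule, _ts, _detail in alerts:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for severity, rule, ts, detail in found:
        print(f"{ts.isoformat()} [{severity:6}] {rule}: {detail}")
    print(summarise(found))
```

None of the individual events is malicious on its own (helpdesks reset passwords, admins use RDP and PowerShell); the signal comes from the baseline and the ordering, which is why signature-based antivirus sees nothing here. The `b.ops` logon from `JUMP-01` is left alone because it matches the baseline, and the second `j.smith_da` RDP logon an hour later is only medium severity because it falls outside the reset window.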
3. They took control of the core infrastructure
They targeted the VMware ESXi hypervisors that host many of M&S's business systems. By encrypting the virtual machines on those hosts, they effectively shut down:
- Online shopping,
- Click & Collect,
- In-store payments,
- Warehouse and logistics platforms.
Key takeaway: Taking out the virtual infrastructure is like cutting power to a whole office building. This wasn't just a breach, it was a business outage.
4. They stole data AND locked systems
The attack was double extortion:
- First, steal customer data (names, contact details, dates of birth and order histories; M&S said no usable payment card details or passwords were taken),
- Then, encrypt systems and demand a ransom,
- Threaten to leak the data if M&S didn’t pay.
M&S refused to pay and chose to recover on its own. It took 46 days to restore online ordering, and the business was still being reported as not fully "back to normal" months later.
Why This Matters for SMEs
You might think: “We're not M&S, no one’s coming for us.” But here’s the truth:
- SMEs are easier to breach: fewer security layers, limited monitoring, weaker controls.
- Ransomware gangs are automating their tooling: they can hit hundreds of companies at once.
- Even indirect access (via suppliers or IT partners) can put you at risk.
What’s the Solution? A Managed Security Operations Centre (SOC)
A Managed SOC gives your business access to the kind of 24/7 protection M&S needed, without hiring a full-time security team.
| SOC Capability | What It Does for You |
| --- | --- |
| 24/7 Monitoring | Detects unusual logins, admin activity and risky behaviour, even when no malware is present. |
| Rapid Response | If something is wrong, affected systems are isolated and contained fast, before ransomware spreads. |
| Expert Analysis | SOC analysts investigate incidents rather than just alerting you: answers, not just alarms. |
| Reporting & Compliance | Clear dashboards and reports for the boardroom or regulators. No jargon, just clarity. |
What Should You Do Right Now?
For IT & Technology Leaders:
For Business Leaders and Executives:
Final Word
The attack on M&S was professional, patient and brutal. It bypassed traditional defences and crippled critical operations, costing the company £300 million and weeks of trading, and M&S is one of the best-resourced retailers in the UK.
For SMEs, the threat is even more real.
The good news? You don’t need to solve this alone. We offer a Managed SOC designed for growing businesses:
- Affordable, scalable, and built to match the threats of today.
- Backed by UK-based analysts and enterprise-grade technology.
- Gives you peace of mind and a clear path to cyber resilience.
Get in touch today to see how our Managed SOC can help your business stay secure, compliant, and in control.