In April 2025, Marks & Spencer (M&S), one of the UK’s most trusted retailers, disclosed that names and contact details of over 900 employees had been exposed in a data breach. The attack was attributed to the Scattered Spider ransomware group, also known as Octo Tempest, a threat actor known for social engineering tactics and access to sophisticated toolkits. The hacker group used DragonForce, a ransomware strain that exfiltrates sensitive data to pressure victims into paying. DragonForce also deletes shadow copies, disables antivirus tools, and can be customized to evade detection and maximize disruption.
How M&S’s Cybersecurity Defenses Failed
According to reporting from The Times, cybercriminals gained access by calling the IT help desk and persuading staff to reset passwords for internal accounts. This tactic, known as voice phishing or “vishing,” exploits human trust rather than technical vulnerabilities. Once inside, the attackers likely escalated privileges and deployed ransomware to disrupt operations and extract sensitive data. DragonForce ransomware caused significant disruption across M&S’s operations, including order processing delays. While over 900 employee names and contact details were confirmed exposed, the company has not disclosed whether other types of internal data were accessed or stolen. The disruption was serious enough to warrant a public disclosure and impact investor confidence.
The breach exposed how heavily M&S depended on single-factor identity checks, which are easily bypassed when attackers sound confident and know the right jargon. Staff accepted a voice call as proof of identity, with no secondary verification through mobile code, callback, or separate ticket. This left the help desk vulnerable to even basic social engineering. The fact that no alerts were triggered during or after the intrusion suggests the company wasn’t logging support interactions or reviewing privilege escalations. These failures reflect a deeper issue: too much trust in human judgment without supporting safeguards or oversight.
This type of failure underscores the need for hardened identity workflows, cross-channel verification for sensitive actions, and mandatory escalation policies for high-risk support tasks.
Consequences of the Hack
The cyberattack on M&S caused cascading consequences across its financial, operational, and reputational landscape. The most immediate impact was a loss of market value. According to reporting from The Times, nearly £715 million ($950 million) in share value was wiped out in the days following the breach. Based on industry analysis reported in The Guardian, the company likely incurred significant daily revenue losses during the shutdown, and sources close to the company say the total financial toll may reduce annual profits by tens of millions.
Beyond revenue loss, the operational disruption was extensive. Customers faced broken checkout systems, inaccessible online portals, and failed click-and-collect services, which allow customers to buy items online and pick them up in person. These service interruptions drew public criticism and strained customer trust. Online sales were disrupted for nearly a week, and the company reported delays and outages in contactless payments, order processing, and availability of food items in certain retail locations. The breach also froze hiring activity and exposed gaps in the company’s IT support functions.
From a regulatory perspective, M&S is under review by the UK’s Information Commissioner’s Office. If investigators determine that the company failed to uphold adequate security controls under GDPR, they could impose a maximum fine of €20 million or 4% of annual global turnover, whichever is greater. In parallel, the National Cyber Security Centre is assessing the broader implications of this incident.
The reputational damage may take longer to surface but could be just as severe. When a company known for trust experiences a prolonged outage and data exposure, the loss of public confidence becomes hard to recover from.
Lessons for Corporate Cybersecurity Teams
The M&S breach shows how attackers use psychological tactics rather than technical flaws. Companies need to strengthen their help desk procedures so that password resets cannot be completed based on a single interaction. A second channel, such as email or ticketing, should be required before access is granted. All support sessions involving credential recovery should be logged and subject to review.
Staff who handle these tasks need regular training that includes simulations of real-world scams. If an employee is fooled during a simulation, that should trigger immediate retraining. The goal is not just awareness but fast, automatic recognition of manipulation tactics during live calls.
Companies should apply phishing-resistant authentication across every system. Time-based tokens, biometric login, or hardware keys must replace text message codes, which are easy to intercept. Help desk identity verification should require proof of identity beyond a single channel, such as identity-proofing tools or callback verification. For privileged roles, access should follow Just-In-Time provisioning with automatic expiration unless renewed.
Security teams should evaluate every connected tool or data platform for policy enforcement, logging, and authentication gaps. If a tool has no monitoring or consistent access controls, it should be considered a risk. These systems should be prioritized for remediation and included in ongoing audits.
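One way to encode the help-desk rule described above (a reset cannot complete on the channel the request arrived on, the verification code only goes to the number on file, and every step is written to an audit trail), as an added example rather than M&S’s or ALTR’s code; the directory entry, channel names and ten-minute code lifetime are assumptions.

```python
"""Help-desk password reset that refuses to complete on a single channel.
Added example; directory entry, channel names and CODE_TTL are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets

# Constructed directory: the code is only ever sent to the number on file.
DIRECTORY = {"alice": {"registered_phone": "+44-7700-900001"}}
CODE_TTL = timedelta(minutes=10)

@dataclass
class ResetRequest:
    user: str
    opened_via: str                    # channel the request arrived on, e.g. "voice"
    ticket_id: str
    verified_channels: set = field(default_factory=set)
    code: str = ""
    code_issued: Optional[datetime] = None
    audit: list = field(default_factory=list)   # every step logged for later review

class ResetWorkflow:
    def __init__(self, now=lambda: datetime.now(timezone.utc)):
        self.now = now   # injectable clock so code expiry can be tested
    def open(self, user: str, opened_via: str) -> ResetRequest:
        req = ResetRequest(user, opened_via, ticket_id=f"HD-{secrets.token_hex(4)}")
        req.audit.append((self.now(), "opened", opened_via))
        return req
    def send_callback_code(self, req: ResetRequest) -> str:
        # Out-of-band: sent to the registered number, never to one the caller supplies.
        req.code, req.code_issued = f"{secrets.randbelow(10**6):06d}", self.now()
        req.audit.append((self.now(), "code_sent", DIRECTORY[req.user]["registered_phone"]))
        return req.code
    def confirm_code(self, req: ResetRequest, code: str, via: str) -> bool:
        fresh = req.code_issued is not None and self.now() - req.code_issued <= CODE_TTL
        # The code must come back on a channel other than the one that opened the request.
        if fresh and via != req.opened_via and secrets.compare_digest(code, req.code):
            req.verified_channels.add(via)
            req.audit.append((self.now(), "verified", via))
            return True
        req.audit.append((self.now(), "verify_failed", via))
        return False
    def complete(self, req: ResetRequest) -> bool:
        # Deny outright when only the opening call vouches for the caller.
        if not req.verified_channels:
            req.audit.append((self.now(), "denied_single_channel", req.opened_via))
            return False
        req.audit.append((self.now(), "reset_completed", sorted(req.verified_channels)))
        return True
```

The audit list is what a reviewer would pull when checking for resets that were denied, repeatedly failed, or completed shortly before a privilege change.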
Closing Thoughts
The M&S breach underscores the growing danger of social engineering, where attackers exploit trust instead of software flaws. The incident began with a convincing phone call, not a technical exploit. This kind of manipulation works when companies rely on single-factor authentication like voice confirmation or help desk knowledge alone. Organizations must treat these vulnerabilities as critical and design workflows that assume attackers will try to deceive staff. Password resets should never be completed through a single channel, and support sessions involving credential recovery must be logged and reviewed.
ALTR’s platform helps organizations enforce access policies and monitor for risky behavior across systems like Snowflake. These controls complement employee-facing defenses such as multi-channel identity verification, help desk monitoring, and staff retraining protocols, which must now be treated as core components of cyber resilience.