Sorry I just couldn’t resist the title.
If you are a criminal hacker, there are lots of reasons why large retail stores like M&S are good targets.
They have rich customer data – payment info, loyalty programme details, personal information. That can all be sold on via a dark net marketplace and re-purposed for other criminal uses. (A good example of how this works in practical terms is Shiseido’s 2022 data-breach. Sensitive personal information of hundreds of current and previous employees was stolen, sold, and used to commit bank fraud, extortion, and the creation of hundreds of fake companies in victims’ names for the purpose of money laundering.) Large retailers also rely on huge IT systems – which, when disrupted, cause untold financial damage. And they also have lengthy supply chains (for example, they might outsource payroll to a third party). If the third party is breached, it causes the main target problems too.
For a hacker collective like Scattered Spider (the current perpetrator front runner) it was an obvious target. From what we know, they got into the system somehow, encrypted files and programmes, and are probably now demanding huge sums to unlock it.
Meanwhile the poor souls in the cyber-security team will be having the worst week of their lives, desperately trying to work out what happened and safely restore the system. (I assume they have backup systems - but they take time to re-install.)
A ‘classic’ ransomware attack.
This has cost the firm millions already, and is still not fully resolved.
Like most hacker groups, Scattered Spider is a loose network of affiliated criminal hackers. Some reports reckon it consists of 1,000 people, nearly all under 22 and based in the US and the UK. It often surprises people that these whizz kid hackers are so young. It really shouldn’t. Most crime is committed by young men, after all. And this cohort (the UK part at least) all benefitted from the decision in 2014 to introduce computer coding into the national curriculum. Yay!
No-one has claimed responsibility, and we still don’t know if the same group was behind the subsequent effort to hack the Co-op or Harrods. (As I was drafting this article, the BBC published an article saying a different group - called DragonForce - was claiming to have hacked the Co-op and M&S.)
But whoever did this, there are three big lessons to take from these attacks. (Plus one piece of advice about paying ransomware.)