
M&S confirms April cyberattack was ransomware


Following an April cyberattack that forced retail giant Marks & Spencer to take some of its systems offline and temporarily halt operations, chairman Archie Norman has now confirmed that the attack was indeed ransomware-related. Norman refused to say whether a ransom was paid to protect the leaked data.

The company had previously confirmed that threat actors stole some customer personal data, without specifying the number of customers affected or the type of data taken. Later, a customer update page on the company’s website confirmed that the stolen information includes names, birthdays, phone numbers, email addresses, home addresses, household information, and online order histories.

The confirmation came while Norman was giving oral evidence at a hearing of the Business and Trade Sub-Committee on Economic Security, Arms and Export Controls at the British Parliament on July 8. Norman confirmed that the hackers gained access to M&S systems through a sophisticated social engineering attack involving a third party.

Illustration: JMiks | Shutterstock

He added that the attack has been linked to the Scattered Spider hacking group and was run via DragonForce ransomware infrastructure. When asked whether the company paid a ransom to free stolen data, Norman avoided a clear answer, instead claiming that making such a payment would be a “business decision.”

Norman was clear during the hearing that he is “not in a position to discuss the nature of the interaction with the threat actor.” The company also wasn’t contacted by the hackers until around a week after the breach. M&S decided not to deal with the attackers directly, instead relying on its cybersecurity professionals to handle the negotiations.

The attack had initially forced the company to take down some of its systems and services briefly. M&S isn’t the only UK retailer facing cybersecurity issues either. Another popular retail chain, Co-op, also suffered a similar cyberattack in April 2025, forcing the company to take down parts of its IT systems as a preventive measure.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
