8 July, 2025

Marks & Spencer Cyberattack: DragonForce Confirmed as Culprit Behind Major Breach

Marks & Spencer (M&S) has confirmed that the hacker group “DragonForce” was responsible for a cyberattack that severely disrupted its operations for six weeks. The attack, which began on April 19, affected the retailer’s automated warehouse in Castle Donington, resulting in significant disruptions to its online shopping services. Chairman Archie Norman disclosed the details to UK lawmakers, noting the attack’s crippling impact on the company’s logistics and customer services.

The breach, which occurred in April and May, forced M&S to halt its click-and-collect services across the UK and led to the theft of customer information. Initially, “Scattered Spider,” a notorious cybercriminal group, was suspected of the attack. However, it has now been confirmed that DragonForce, known for creating ransomware that locks victims’ files, was behind the breach.

Timeline of the Cyberattack

The attack began on Saturday, April 19, when customers reported issues with contactless payments and click-and-collect services. On April 21, M&S publicly acknowledged the cyber incident, apologizing for the inconvenience and engaging cybersecurity experts. The company also notified the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO).

Despite efforts to restore systems, disruptions persisted, leading M&S to suspend online and app orders on April 24. This decision resulted in a 5% drop in the company’s share price. By May 13, M&S confirmed that some customer information had been stolen, and on May 21, the retailer announced that disruptions were expected to continue through July.

Impact and Response

The cyberattack had a noticeable impact on M&S’s operations and customer experience. Shoppers reported empty shelves in some stores, with staple items such as bananas, fish, and the iconic Colin the Caterpillar cakes hard to find. The attack forced M&S to make operational adjustments, including reducing standard home delivery wait times from 10 days to five for customers in England, Scotland, and Wales.

By June 10, M&S began taking online orders again for home delivery, and on June 24, it reintroduced a selection of third-party brands to its website, including Adidas, Columbia, and Lilybod. However, click-and-collect and next-day delivery services remained unavailable, with the company working to restore them as soon as possible.

Cybersecurity Measures and Future Prevention

In response to the attack, M&S is strengthening its cybersecurity measures to prevent future breaches. The company is collaborating with cybersecurity experts to enhance its defenses and ensure the protection of customer data. This incident highlights the growing threat of cyberattacks on major retailers and the importance of robust cybersecurity protocols.

Cyberattacks such as this one are deliberate attempts to disrupt, damage, or gain unauthorized access to computer systems and networks. They can target individuals, businesses, or governments, with motives ranging from financial gain to political disruption. Common types of cyberattacks include malware, phishing, denial-of-service attacks, SQL injection, ransomware, and social engineering.

Looking Ahead

The attack on M&S underscores the vulnerabilities that even large, established companies face in the digital age. As the retailer continues to recover, the incident serves as a reminder of the critical need for businesses to invest in cybersecurity measures to safeguard their operations and customer data.

As M&S works to fully recover from the disruption, the company is committed to restoring all services and reinforcing its cybersecurity infrastructure. The retailer’s experience serves as a cautionary tale for other businesses, emphasizing the importance of being prepared for potential cyber threats.