Cocaine vs cyber hack – why M&S was hit
by Harley Morlet
1./ M&S vs a ransomware gang.
In April 2025, British retail icon Marks & Spencer was hit by a major cyber attack that brought parts of its business to a standstill. It turned out to be a ransomware attack – malicious software that locks up a company's files until a ransom is paid. On April 25th, M&S abruptly stopped taking clothing and home orders through its website and app. Customers saw messages that online orders were "paused," and many in-store services were disrupted too. Some shops couldn't process contactless payments or gift cards, causing real inconvenience at the tills. One employee said, "It's easier to list the things that work than the things that don't.".
The disruption lasted far beyond a brief hiccup. M&S's online ordering stayed offline for over a week, with no clear word on when normal service would resume. Even weeks later, customers are still unable to place new orders. This downtime was not only frustrating for shoppers - it was extremely costly for the company. M&S usually does around £3.8 million in online sales per day, so each day of outage meant millions in lost revenue. The uncertainty also rattled investors, knocking an estimated £500 million off M&S's stock market value in the days following the attack.
Who was behind this brazen attack? Investigators believe it was the work of a hacking collective affiliate known as "Scattered Spider," deploying a ransomware strain called DragonForce. This group had reportedly infiltrated M&S's systems as early as February, lurking inside the network. When they struck over Easter, the impact was widespread. And M&S wasn't the only target: around the same time, the Co-op grocery chain was also hit, and hackers claimed to have stolen data on 20 million Co-op customers. There was even an attempted breach at Harrods, the famous London department store.
/2. Why cybercrime is so lucrative (and low-risk).
Why do these attacks keep happening? Quite simply because cybercrime pays - and criminals rarely pay the price. Hackers aren't just mischievous kids; they're organised gangs in it for the money, and there is a lot of money to be made. A successful ransomware attack could net around $140,000 for the criminals, with a very low cost and minimal risk of conviction. Many have equated cybercrime to drug trafficking; it's a shady business, but with a far greater profit-to-risk ratio.
And risk is the key part. In the physical world of crime, drug lords and bank robbers have police chasing them down. But in cyberspace, hackers often operate from countries where they're safe from extradition, and they cover their tracks carefully. The result: getting caught is highly unlikely.
The statistics in the UK bear this out. According to a 2019 report, about 17,600 computer hacking incidents were reported to UK authorities – guess how many led to prosecutions? Just 57 cases. That's less than 1%. Imagine if only 1% of bank robberies led to anyone being charged - we'd have a lot more bank robbers! This near-immunity emboldens hackers. They know that as long as they cover their tracks and perhaps operate from a jurisdiction that turns a blind eye, the chances of them facing consequences are slim to none.
Combining massive profits with minimal fear of arrest creates a huge incentive for criminals to jump into cybercrime. From the hacker's perspective, it's a gold rush where they get rich and seldom get caught. That's a dangerous combination for the rest of us.
/3. Inside the cybercrime ecosystem: Malware, Ransomware & the "services" of the underworld.
Another reason attacks like the M&S hack are so prevalent is that cybercrime has become an ecosystem – a whole underground economy with different players specialising in each step of the crime. It's not just lone wolves; it's more like an illicit industry. There are developers, middlemen, and even customer service (for negotiating ransoms) in this shadowy world. Let's peel back the curtain a bit.
Malware-as-a-Service (MaaS): Believe it or not, if a would-be criminal doesn't know how to write malicious code, they can simply rent it. On dark web forums, there are offerings for malware on a subscription basis. A prime example is Raccoon Stealer – a piece of malware that, when installed, steals passwords, credit card numbers, and other personal data from victims' computers.
Attackers hide this malware in innocent-looking files, such as spreadsheets and send them to unsuspecting victims. All it takes is for the victim to click on the wrong button.
Since 2019, Raccoon has been sold openly as a service to cybercriminals. The going rate? Around $200 per month for a subscription. For that fee, anyone with basic computer skills can obtain a ready-made malware tool and start harvesting people's login details and financial info.
Ransomware-as-a-Service (RaaS): The M&S attack itself was likely enabled by a RaaS model. The group behind DragonForce ransomware (i.e. the suspected ransomware used against M&S) doesn't necessarily carry out every attack itself; instead, they operate an affiliate program.
The ransomware creators let other criminals (affiliates) use their ransomware toolkit and payment portal to extort victims, in exchange for a cut of the profits. So a hacker (or group like the suspected group behind the M&S hack, Scattered Spider) can focus on breaking into a target network, then almost "outsource" the job of encrypting files and handling the ransom demand to the RaaS provider. This model has greatly expanded the reach of ransomware; it's like a franchising scheme for cyber extortion. It means even relatively less-skilled hackers can inflict serious damage by teaming up with professional ransomware developers.
Crypto laundering: Finally, there's the matter of getting paid. Almost all ransomware demands payment in cryptocurrency - typically Bitcoin. Cryptocurrency is the getaway vehicle of choice because it's digital cash that can be hard to trace. After an attack, victims are usually told to send a Bitcoin payment to a hacker's untraceable wallet address. Once the hackers receive it, they run it through mixers, tumblers, and other laundering techniques to hide the origin of the illicit money from the channels used to withdraw hard cash, i.e., cryptocurrency exchanges. This is the modern equivalent of money laundering – turning "dirty" crypto into seemingly legitimate funds.
The result is that hackers can safely and instantly reap their profits anywhere in the world. The anonymity of cryptocurrency is a key enabler of the entire cybercrime economy.
When you put it all together, it's a sobering picture: a full-fledged cybercrime ecosystem exists, with services for hire and profit-sharing schemes. A criminal doesn't have to do it all – they can pick a speciality (be it writing malware, stealing initial logins, or running ransom negotiations) and partner with others. It's crime-as-a-business. Unfortunately, this means the threat is more pervasive than ever because the ecosystem continually lowers the skill and effort required to launch attacks.
/4. Neglected defences: How businesses (like M&S) leave the door open.
With gangs of hackers so organised and motivated, one would hope that companies are equally prepared to defend themselves. But in case after case, we see that many organisations aren't ready. Prevention is often lax, and incident response plans are dusty or untested. In our experience, many businesses treat cybersecurity as a tick-box exercise ("Do we have antivirus? Yes. Firewall? Yes. Okay, we're fine…") rather than a living, breathing part of their culture. That mindset can be disastrous, as M&S and others learned the hard way.
M&S's breach wasn't just a minor IT blip - it was a deep compromise of their core infrastructure. According to reports, the attackers managed to steal M&S's Active Directory database - essentially the master directory that stores the entire company's usernames, passwords, and permissions. It's like the keys to the digital kingdom. With those credentials in hand, the hackers could impersonate admins and move freely through systems. They likely disabled security tools and backdoors to ensure their ransomware would have maximum impact when launched. This is why the attackers were able to encrypt so many systems at once: they had patiently gained domain administrator privileges and knew precisely how to cripple the company from the inside.
When the hammer fell, M&S's IT team faced a nightmare scenario. Critical servers were locked up by ransomware, and even tools needed to coordinate the recovery were affected. There were circular dependencies – for example, if your system for restoring backups is itself down or encrypted, how do you restore everything else? It's like needing a key that's locked inside the box you're trying to open. Many businesses don't realise these single points of failure until it's too late. We don't have all the internal details on M&S's remediation, but the fact that online operations were still down weeks later tells us they essentially had to rebuild or restore many systems from scratch. It's very likely that the attackers targeted or wiped out some of the backups (a common ransomware tactic) or that backups weren't readily available offline.
There's also the human element. In M&S's case, the breach reportedly began with social engineering - the hackers impersonated an M&S tech support person and convinced the real IT service desk to reset a password, letting them slip inside. This exploit of a help desk's trust is not a high-tech hack, it's a con job. And it worked. Why? Possibly because the employees weren't trained to spot such tricks, or there wasn't a strict process to verify identities for password resets. Many organisations spend millions on security technology but neglect training their staff on these schemes. Security is only as strong as the weakest link, and often that link is a person under pressure who wants to be helpful.
(Full disclosure: I work in cyber incident response for STORM Guidance, a firm that assists organisations during breaches. So I've seen first-hand how often these scenarios unfold.) In case after case, I've observed companies learning only through painful experience that cybersecurity needs attention at the leadership and culture level, not just in the IT department. It's not enough to have a policy in a binder or to assume the "IT guys" will handle it.
The bottom line is that many breaches succeed not because hackers find unheard-of technical flaws but because organisations leave the door cracked open. Maybe an unpatched server, an easy-to-guess password, an untrained employee, or an assumed offline backup that wasn't actually working. Many of these attacks are not sophisticated, and there's a saying in cybersecurity: "Hope is not a strategy." Hoping you won't be targeted is not enough - you need a plan.
/5. Your data on the line: How breaches fuel scams.
So, what does all this mean for you as an individual? We've talked about the company side of things, but there's a personal angle that's just as important. When companies like M&S get breached, it's our data that ends up in the hands of criminals. And that can lead to a cascade of fraud attempts against regular people.
In the case of M&S, the hackers didn't just disrupt orders – they also stole customer information. This included personal details like names, email addresses, phone numbers, home addresses, dates of birth and purchase history.
Nowadays, data breaches big and small happen all the time, and criminals compile the stolen data like puzzle pieces. Your info from one breach can be combined with another to build a pretty detailed profile. Scammers thrive on these details. If they know, for example, your name and that you've shopped at M&S, they might send you a compelling email pretending to be from M&S's customer service. It could say something like, "Dear Jane, We're sorry your recent M&S order was delayed due to our systems outage. Please click here to claim a 20% refund."
Criminals often create "virtual profiles" of potential victims using leaked personal data. This can include not just your contact info, but also things like your interests, employer, or bank - all gleaned from past hacks or even public social media. With a profile in hand, a scammer can target you with what's called spear phishing: highly personalised scam messages that seem like they're from a trusted source. If they know you bank with Barclays, you might get a fake Barclays alert. If they know you're a member of a particular pension fund, you might get a call posing as that fund.
The best defence for protecting yourself is awareness. Know that any unexpected message or call could be a wolf in sheep's clothing, even if it has some correct info about you. Treat your personal data as compromised, not in a paranoid way, but in a realistic way - assume that determined fraudsters might already know things like your email, phone number, or where you shop.
/6. Fighting back: Turning the tables.
Last week, a director within our sister firm, Master Adviser (https://www.masteradviser.co.uk/), followed up with a scammer targeting one of our clients. The fraudster was impersonating him - using his name and a similar-looking email address (Jim Harrison at masteradvisers.co.uk, as opposed to the real masteradviser.co.uk) –to deceive people into a fake investment. Essentially, this criminal was contacting this client and saying, "Hi, it's me, Jim, I have a great portfolio opportunity for you…" in an attempt to steal money.
Jim decided to play offence instead of shrugging it off or merely reporting it. Taking inspiration from the classic comedy show Police Squad! (where the good guys often trick the bad guys in humorous ways), He set up a little sting of his own. He engaged with the fraudster, feigning interest, essentially stringing the scammer along for as long as possible. The scam fell apart, no money was lost, and the humorous exchange was written up here on www.thisismoney.co.uk.
/7. Three simple steps to protect yourself from fraud.
By now, you might be thinking: "This all sounds scary – what can I do about it?" The good news is, you don't need to be a tech expert. A few very straightforward steps can drastically improve your safety online. These are things anyone can do, and they're especially worth sharing with friends and family who may not be aware of them.
1. Turn on two-factor authentication (2FA) wherever you can.
A strong password is important, but it's no longer enough on its own. These days, many scams and data breaches involve stolen or guessed passwords. Two-factor authentication (2FA) adds a second layer of protection - even if a hacker knows your password, they still can't get in without a code sent to your phone or generated by an app. It's like adding a second lock to your front door.
Most banks, email providers, and shopping sites offer 2FA - you'll find it in the security settings. It might feel like an extra step at first, but it's a small effort that can stop most attacks in their tracks. Think of it as a safety net: if your password ever gets leaked or guessed, 2FA allows you to slam the door shut before damage is done.
2. Don't trust messages asking you to act urgently - especially about money.
One of the biggest red flags of a scam is a sense of urgency or panic. Fraudsters want you to react emotionally, without thinking. If you get a phone call, email, or text saying, "Your account will be closed immediately unless you do X" or "URGENT: Pay this now to avoid legal action," take a deep breath. Legitimate institutions (banks, HMRC, utilities, etc.) typically do not force you to make on-the-spot decisions under threat. Urgency is a tactic to bypass your rational brain.
3. If in doubt, verify through a different channel.
This is a golden rule. If you receive any communication that makes you suspicious or asks for sensitive information, always verify it independently.
- For example, if you get an email that seems to be from your bank about an "urgent issue," don't click any links in that email. Instead, call the number on the back of your bank card or go to the bank's website by typing the address yourself. If you get a text claiming to be from Royal Mail about a missed delivery with a link, don't click; instead, go to the official Royal Mail site or app to check. If someone claims to be from "the fraud department" of a company, it's perfectly okay to hang up and call the company's official customer service line to ask if there's an issue. This "out-of-band verification" might take a few extra minutes, but it can save you from ever falling for a hoax. Scammers rely on catching you in the moment; by switching channels, you cut off their control of the narrative. Nine times out of ten, you'll quickly discover the urgent problem was fake. And if it is real, you'll have lost nothing by double-checking.
Staying safe from cybercrime doesn't require paranoia – just a bit of knowledge and a healthy dose of scepticism. Remember that you're in control: you have the power to pause, think, and verify before doing anything an unsolicited message tells you to do. By taking these simple precautions, you can continue to enjoy the benefits of the internet with much greater peace of mind. Stay safe out there!
About the author
Harley Morlet is a cybersecurity professional and director at STORM Guidance, specialising in cyber risk management and incident response within the insurance sector. He also leads project development for Chancery Lane.