The recent breach at Marks & Spencer (M&S) went undetected for up to 52 hours, a lapse insiders have called a “colossal mistake” caused by human error.
The attackers infiltrated M&S’s IT systems through a contractor and were then able to lurk undetected in the systems for more than two days before the alarm was sounded.
Once discovered, emergency teams worked relentlessly over a five-day period to contain the attack and protect the retailer, which serves around 9.4 million active customers.
Despite these efforts, the online shop remains offline weeks after the incident, and staff have been working around the clock to restore normal operations. While in-store stock availability has largely recovered, the website may take several more weeks to fully resume service.
The company confirmed that criminals accessed some customer data, including contact details, dates of birth, and online order histories.
No Usable Payment Data Exposed
However, M&S emphasized that only “masked” payment card data (such as the last four digits) was taken, and no usable card or payment information was compromised. Even so, some customers have reported a surge in scam messages and emails impersonating M&S, prompting the company to urge vigilance and remind customers never to share personal or account information with unsolicited contacts.
Cybersecurity experts warn that, although stolen data has not yet appeared on leak sites, it could still be exploited. The attack’s sophistication and the use of DragonForce software point to the Scattered Spider group, known for targeting large organizations in the UK and US.
The timing of the breach is particularly damaging, coming just before M&S’s annual financial results announcement.
Last year, the retailer posted profits of £840 million, but analysts warn that 2025 may be remembered as one of its worst years. The Information Commissioner’s Office and the National Crime Agency are investigating the incident, along with a similar breach at competitor Co-op.
While the attack has been described as “embarrassing” and “disappointing,” and has had significant financial repercussions, experts believe M&S will ultimately recover, though questions remain about its preparedness and response.
“Not a Terrible Detection Timeframe”
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, says: “While 52 hours might seem concerning, it’s actually not a terrible detection timeframe compared to industry averages. Many organisations struggle with third-party security management, as contractors often don’t receive the same level of security training or awareness as permanent staff. These external parties may not fully understand the security controls they need to implement, creating inevitable vulnerabilities that sophisticated threat actors are quick to exploit.”
Perhaps more concerning, says Malik, is the aftermath impacting M&S customers. “With potentially millions of customers affected, we’re witnessing the predictable wave of opportunistic scammers launching phishing campaigns impersonating M&S. This secondary attack vector often causes more widespread harm than the initial breach.”
Customers need to exercise proper caution right now, he advises. “Remember that legitimate organisations will never ask for passwords or personal account information via email, text, or phone. Even if communications appear to come from M&S, verify through official channels before providing any information or clicking any links. The significant increase in scam messages reported by customers is typical following major breaches as criminals capitalise on the confusion and anxiety.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.