• M&S hack may have been caused by security issues at Indian IT giant Tata Consultancy Services

    Disruption at M&S has been going on for weeks, and this could be why.
  • M&S cyber attack disruption likely to last until July

    Marks and Spencer (M&S) leadership believes that it may take at least another month to fully recover following a ransomware attack that now looks likely to cost it at least £300m.
    It has also emerged that the incident may have begun through the systems of a third-party supplier of IT services, where tech support staff had their credentials stolen via social engineering, according to CEO Stuart Machin.
    The admission that the attack began via social engineering lends credence to the theory that the Scattered Spider hacking collective is indeed behind the attack. The gang has previously used similar techniques against other targets.
    According to Reuters, the initial target of the cyber attack may have been Tata Consultancy Services (TCS), which runs the M&S IT helpdesk. Pushed by reporters on this on results day, Machin declined to state whether this was accurate, and Computer Weekly understands TCS has also made no comment.
    Nor did Machin reveal whether or not M&S has paid off its attackers, citing advice from incident responders.
    He did, however, say that M&S has heavily invested in cyber tooling in the past 24 months which may have helped it spot and respond to the attack quicker. He also said M&S had not “left the door open” to its hackers.
    “Over the Easter bank holiday it became clear that we were facing a highly sophisticated and targeted attack,” said Machin in a prerecorded video accompanying the retailer’s latest results. “We called in several cyber experts and assembled the best support team including technology partners and notified the authorities immediately.
    “As a result we were able to take control of the situation very quickly and take the right actions to protect the business, our customers, our suppliers, and keep our shops empty and trading. This meant proactively taking down some of our systems which resulted in short-term disruption – but we think that was the right thing to do.”

    Jason Gerrard, senior director of systems engineering at cyber resilience company Commvault, said M&S’ experience was a useful reminder to others that the ability to recover fast must be built into cyber resilience plans.
    “Behind the scenes, teams are scrambling to rebuild systems, trace breach origins, and restore customer data with forensic precision – all while execs are juggling regulators, insurers, auditors and shareholders,” said Gerrard.
    “The longer it takes to return to ‘normal’, the more that ‘normal’ drifts further away, both in business operations and public perception. While recovery takes 24 days on average, some organisations don’t achieve business-as-usual for over 200 days.
    “This headline-grabbing downtime should be a warning to others that preparation for such a scenario is vital. Having a tried and tested recovery plan in place and identifying your Minimum Viable Company (MVC) ahead of time can help to reduce some of the damage that can very quickly spiral out of control,” said Gerrard. “Understanding your MVC – the essential systems needed to stay operational – is central to achieving cyber resilience and maintaining continuous business, even amidst a cyber attack.
    “The true power of the MVC model is not simply about responding to threats – it builds future-ready organisations that can adapt, recover, and lead.”

    Timeline: UK retail cyber attacks

    22 April 2025: A cyber attack at M&S has caused significant disruption to customers, leaving them unable to make contactless payments or use click-and-collect services.
    24 April: M&S is still unable to provide contactless payment or click-and-collect services amid a cyber attack that it says has forced it to move a number of processes offline to safeguard its customers, staff and business.
    25 April: M&S shuts down online sales as it works to contain and mitigate a severe cyber attack on its systems.
    29 April: The infamous Scattered Spider hacking collective may have been behind the ongoing cyber attack on M&S that has crippled systems at the retailer and left its ecommerce operation in disarray.
    30 April: A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack.
    1 May: Co-op tells staff to stop using their VPNs and be wary that their communications channels may be being monitored, as a cyber attack on the organisation continues to develop.
    1 May: Harrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact.
    2 May: The National Cyber Security Centre confirms it is providing assistance to M&S, Co-op and Harrods as concerns grow among UK retailers.
    7 May: No end is yet in sight for UK retailers subjected to apparent ransomware attacks.
    13 May: M&S is instructing all of its customers to change their account passwords after a significant amount of data was stolen in a DragonForce ransomware attack.
    14 May: Google’s threat intel analysts are aware of a number of in-progress cyber attacks against US retailers linked to the same Scattered Spider gang that supposedly attacked M&S and Co-op in the UK.
    20 May: Cold chain services provider Peter Green Chilled, which supplies the likes of Aldi, Sainsbury’s and Tesco, has been forced to halt operations after succumbing to a ransomware attack.

    Meanwhile, M&S says it has now moved into full recovery mode and is trying to get back on its feet. Machin said: “Customers should be able to shop in our stores as normal. Our food business is delivering stock to stores in the normal way and all customers should find much better availability and should find what they need. Stock is flowing well.
    “But of course, in fashion, home and beauty, online orders are still paused but our plan is to reopen online in the coming weeks. It is a complex operation so it is going to take us some time to bring up our online systems.”
    Looking ahead, Machin said M&S would use the cyber attack as a net positive, bringing forward a previously announced digital transformation plan and condensing a two-year plan into just six months.
    “This has been a challenging time,” said Machin. “[but] our business is in good shape with strong performance, strong foundations, and a solid financial footing. This has bolstered our resilience meaning we can recover at pace and regain momentum.
    “We will draw a line under this and move on to business as usual,” he said.
    Besides thanking M&S staff and suppliers for their hard work and support, and customers “who have given us so much help and encouragement”, Machin also gave thanks to his peers in the business world.
    “So many chief executives have called me over the past few weeks who have all gone through similar events,” said Machin.
    “They told me firstly this will be one of the most challenging situations you face as a CEO. Secondly they told me we need to watch out for burn-out ... in the first few weeks. And thirdly they said to me it will take longer [to recover] than you would like and you would hope for, and it could be a distraction in the short-term.
    “We’re only four and a half weeks into this incident. It feels like four and a half months if I’m honest,” he added.
    Source: WWW.COMPUTERWEEKLY.COM
  • British Retailer M&S Says Cyberattack Will Cost It $400 Million

    The company also said it would take several more weeks to resolve issues relating to the attack, which came to light last month.
    Source: WWW.NYTIMES.COM
  • M&S forces customer password resets after data breach

    Marks and Spencer (M&S) has confirmed that customer data was stolen during the Easter DragonForce ransomware attack on its server infrastructure and will be prompting all online customers to reset their account passwords as a precautionary move.
    The attack unfolded three weeks ago and is thought to have been the work of a white-label affiliate of DragonForce – possibly the notorious Scattered Spider operation, which uses social engineering tactics to conduct its intrusions.
    The stolen tranche of data is understood to include contact details such as email addresses, postal addresses and phone numbers; personal information including names and dates of birth; and data on customer interactions with the chain, including online order histories, household information, and ‘masked’ payment card details.
    M&S added that customer reference numbers, but not payment information, belonging to holders of M&S credit cards or Sparks Pay cards – including former cardholders – may also have been taken.
    “We have written to customers today to let them know that unfortunately, some personal customer information has been taken,” said M&S chief exec Stuart Machin.
    “Importantly there is no evidence that the information has been shared and it does not include useable card or payment details, or account passwords, so there is no need for customers to take any action.”
    Machin added: “To give customers peace of mind, they will be prompted to reset their password the next time they visit or log on to their M&S account and we have shared information on how to stay safe online.
    “Everyone at M&S is working around the clock to get things back to normal for our customers as quickly as possible, and we are very sorry for any inconvenience they have experienced.
    Our stores remain open as they have throughout.”
    The letter to customers from customer service operations director Jayne Wall also includes additional standard guidance on how to stay safe online.
    NordVPN chief technology officer Marijus Briedis described M&S’ assertion that the attackers have not yet leaked or shared the stolen data as “overly optimistic” under the circumstances, and warned that even if passwords or credit card details were not exposed, the data that was taken is still very useful to cyber criminals.
    “This type of data can be used in phishing campaigns or combined with other leaked information to commit identity theft,” explained Briedis.
    “Consumers often underestimate how damaging ‘harmless’ data like order history or email addresses can be in the wrong hands.
    “These M&S hackers could use this data to build highly personalised phishing emails, designed to look identical to what the retailer would send, and these are much harder to spot.
    “This breach highlights how companies must not only secure financial data, but also treat seemingly less sensitive information – like customer profiles and purchase records – as critical assets that require protection.”
    Max Vetter, vice president of cyber at Immersive and a former money laundering investigator with London’s Metropolitan Police, also had harsh words for M&S.
    “M&S saying that customers could change their passwords ‘for extra peace of mind’ does little to reassure those worried about who has access to their personal information,” he said.
    “As the fallout from this attack continues, customers want clear assurances about their personal data and what M&S is doing to keep it safe from being published online.
    “M&S want to appear in control and telling people to be more vigilant, however, telling customers there’s no need to act risks sending potentially the wrong message.
    We recommend all customers reset their password.”
    Vetter reaffirmed that the stolen data would be prime material for downstream social engineering and phishing attacks, especially if it is indeed in the hands of Scattered Spider who, he said, “often play a long game”.
    Meanwhile, disruption from the parallel DragonForce attack on Co-op continues, with the BBC today reporting that stores in the Channel Islands are experiencing particularly acute shortages and are now working with local suppliers to maintain some supplies.
    In other remote parts of the UK, including the Hebrides in Scotland, residents are similarly contending with disruption to deliveries.
    On many islands, such as whisky-making hub Islay, where Co-op is the only large food retailer operating, these shortages are now extending to supplies of fresh fruit and vegetables.
    Co-op has also confirmed that data has been stolen, including names, dates of birth and contact information, but not passwords, financial details, or any information on members’ shopping habits or other interactions with the organisation.
    Timeline: UK retail cyber attacks
    22 April 2025: A cyber attack at M&S has caused significant disruption to customers, leaving them unable to make contactless payments or use click-and-collect services.
    24 April: M&S is still unable to provide contactless payment or click-and-collect services amid a cyber attack that it says has forced it to move a number of processes offline to safeguard its customers, staff and business.
    25 April: M&S shuts down online sales as it works to contain and mitigate a severe cyber attack on its systems.
    29 April: The infamous Scattered Spider hacking collective may have been behind the ongoing cyber attack on M&S that has crippled systems at the retailer and left its ecommerce operation in disarray.
    30 April: A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack.
    1 May: Co-op tells staff to stop using their VPNs and be wary that their communications channels may be being monitored, as a cyber attack on the organisation continues to develop.
    1 May: Harrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact.
    2 May: The National Cyber Security Centre confirms it is providing assistance to M&S, Co-op and Harrods as concerns grow among UK retailers.
    7 May: No end is yet in sight for UK retailers subjected to apparent ransomware attacks.
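    The control M&S describes above, prompting every online customer to reset their password on their next login, is in practice a per-account forced-reset flag plus revocation of existing sessions, so that a stolen credential or a stolen session cookie stops working at the same moment. The following is an added illustration of that flow, not M&S or Computer Weekly code and not a description of M&S’ actual systems; the account store, the `force_reset_all` bulk action, the 15-minute reset-token lifetime and the sample account are all assumptions constructed for the example. It also rejects re-setting the same password, since a reset that keeps the compromised-era secret achieves nothing.

```python
"""Forced password reset on next login, as a hypothetical post-breach control.

Added example; not code from M&S, TCS or Computer Weekly. All names, the
token lifetime and the sample account below are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PBKDF2_ROUNDS = 200_000        # illustrative; tune to your hardware budget
RESET_TOKEN_TTL_SECONDS = 900  # assumption: a reset link lives 15 minutes


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; salt is per account.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    force_reset: bool = False
    sessions: Set[str] = field(default_factory=set)
    reset_token_hash: Optional[bytes] = None  # only the hash of the token is stored
    reset_expires: float = 0.0


class AccountStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[email] = Account(email, salt, _hash_password(password, salt))

    def login(self, email: str, password: str) -> Tuple[str, Optional[str]]:
        """Return ('ok', session_id), ('reset_required', reset_token) or ('denied', None)."""
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt)):
            return ("denied", None)
        if acct.force_reset:
            # A correct old password still earns no session while the flag is set;
            # the caller gets a short-lived, single-use token for the reset form instead.
            token = secrets.token_urlsafe(32)
            acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
            acct.reset_expires = time.time() + RESET_TOKEN_TTL_SECONDS
            return ("reset_required", token)
        sid = secrets.token_urlsafe(32)
        acct.sessions.add(sid)
        return ("ok", sid)

    def force_reset_all(self) -> int:
        """Post-incident bulk action: flag every account and revoke every live session."""
        for acct in self.accounts.values():
            acct.force_reset = True
            acct.sessions.clear()  # stolen session cookies die here, not at next login
        return len(self.accounts)

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.reset_token_hash is None or time.time() > acct.reset_expires:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(acct.reset_token_hash, presented):
            return False
        # Reject reuse of the possibly compromised password (hash under the old salt).
        if hmac.compare_digest(acct.pw_hash, _hash_password(new_password, acct.salt)):
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash_password(new_password, acct.salt)
        acct.force_reset = False
        acct.reset_token_hash = None  # single use
        acct.reset_expires = 0.0
        return True

    def session_valid(self, email: str, sid: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and sid in acct.sessions


if __name__ == "__main__":
    store = AccountStore()
    store.create("customer@example.com", "Spring2025!")  # constructed sample account
    _, old_sid = store.login("customer@example.com", "Spring2025!")
    store.force_reset_all()
    status, token = store.login("customer@example.com", "Spring2025!")
    print(status, store.session_valid("customer@example.com", old_sid))
    print(store.complete_reset("customer@example.com", token, "NewPass-99"))
```

Two design choices matter more than the rest: sessions are cleared in the bulk action rather than lazily at next login, because an attacker holding a stolen cookie never logs in again, and the reset token is stored only as a hash with an expiry and is consumed on first use, so a copy of the database or of a mailbox does not turn the remediation itself into a new takeover path.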

    Source: https://www.computerweekly.com/news/366623565/MS-forces-customer-password-resets-after-data-breach
    WWW.COMPUTERWEEKLY.COM
    M&S forces customer password resets after data breach
    Marks and Spencer (M&S) has confirmed that customer data was stolen during the Easter DragonForce ransomware attack on its server infrastructure and will be prompting all online customers to reset their account passwords as a precautionary move. The attack unfolded three weeks ago and is thought to have been the work of a white-label affiliate of DragonForce – possibly the notorious Scattered Spider operation, which uses social engineering tactics to conduct its intrusions. The stolen tranche of data is understood to include contact details email addresses, postal addresses and phone numbers; personal information including names and dates of birth; and data on customer interactions with the chain, including online order histories, household information, and ‘masked’ payment card details. M&S added that customer reference numbers, but not payment information, belonging to holders of M&S credit cards or Sparks Pay cards – including former cardholders – may also have been taken. “We have written to customers today to let them know that unfortunately, some personal customer information has been taken,” said M&S chief exec Stuart Machin. “Importantly there is no evidence that the information has been shared and it does not include useable card or payment details, or account passwords, so there is no need for customers to take any action.” Machin added: “To give customers peace of mind, they will be prompted to reset their password the next time they visit or log on to their M&S account and we have shared information on  how to stay safe online. “Everyone at M&S is working around the clock to get things back to normal for our customers as quickly as possible, and we are very sorry for any inconvenience they have experienced. Our stores remain open as they have throughout.” The letter to customers from customer service operations director Jayne Wall – which can be reviewed here – also includes additional standard guidance on how to stay safe online. 
NordVPN chief technology officer, Marijus Briedis, described M&S’ assertion that the attackers have not yet leaked or shared the stolen data was “overly optimistic” under the circumstances and warned that even if passwords or credit card details were not exposed, the data that was taken was still very useful to cyber criminals. “This type of data can be used in phishing campaigns or combined with other leaked information to commit identity theft,” explained Briedis. “Consumers often underestimate how damaging ‘harmless’ data like order history or email addresses can be in the wrong hands. These M&S hackers could use this data to build highly personalised phishing emails, designed to look identical to what the retailer would send, and these are much harder to spot. “This breach highlights how companies must not only secure financial data, but also treat seemingly less sensitive information – like customer profiles and purchase records – as  critical assets that require protection.” Max Vetter, vice president of cyber at Immersive and a former money laundering investigator with London’s Metropolitan Police, also had harsh words for M&S. “M&S saying that customers could change their passwords “for extra peace of mind” does little to reassure those worried about who has access to their personal information,” he said. “As the fallout from this attack continues, customers want clear assurances about their personal data and what M&S is doing to keep it safe from being published online. “M&S want to appear in control and telling people to be more vigilant, however, telling customers there’s no need to act risks does potentially the wrong message. We recommend all customers reset their password. Zetter reaffirmed the stolen data would be prime material for downstream social engineering and phishing attacks, especially if it is indeed in the hands of Scattered Spider who, he said, “often play a long game”. 
Meanwhile, disruption from the parallel DragonForce attack on Co-op continues, with the BBC today reporting that stores in the Channel Islands are experiencing particularly acute shortages and are now working with local suppliers to maintain some supplies. In other remote parts of the UK, including the Hebrides in Scotland, residents are similarly contending with disruption to deliveries. On many islands, such as whisky-making hub Islay, where Co-op stores is the only large food retailer operating, these shortages are now extending to supplier of fresh fruit and vegetables. Co-op has also confirmed that data has been stolen, including names, dates of birth and contact information, but not passwords, financial details, or any information on members’ shopping habits or other interactions with the organisation. Timeline: UK retail cyber attacks 22 April 2025: A cyber attack at M&S has caused significant disruption to customers, leaving them unable to make contactless payments or use click-and-collect services. 24 April: M&S is still unable to provide contactless payment or click-and-collect services amid a cyber attack that it says has forced it to move a number of processes offline to safeguard its customers, staff and business. 25 April: M&S shuts down online sales as it works to contain and mitigate a severe cyber attack on its systems. 29 April: The infamous Scattered Spider hacking collective may have been behind the ongoing cyber attack on M&S that has crippled systems at the retailer and left its ecommerce operation in disarray. 30 April: A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack. 1 May: Co-op tells staff to stop using their VPNs and be wary that their communications channels may be being monitored, as a cyber attack on the organisation continues to develop. 
1 May: Harrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact. 2 May: The National Cyber Security Centre confirms it is providing assistance to M&S, Co-op and Harrods as concerns grow among UK retailers. 7 May: No end is yet in sight for UK retailers subjected to apparent ransomware attacks.
  • Bizarre iPhone bug causes some audio messages to fail. Here’s why
    Macworld
    Super-weird bugs in Messages are nothing new, but this latest one is a real head-scratcher: If you try to send an audio message with the phrase “Dave and Buster’s,” it won’t work. Why would that specific phrasing cause a problem? A coding expert has cracked the case. I won’t say “and the reason will shock you,” but if you’re anything like me, you’ll find it interesting.
    First, let me explain what happens when the bug triggers. At first, the audio message (“I’m off to eat lunch at Dave and Buster’s,” as an example) appears to send normally. It shows up in the Messages thread to the recipient, along with a transcript of the content. No problem is flagged. It’s at the recipient’s end that we spot the issue. Initially the recipient sees the ellipsis icon, indicating that something is being typed or sent… but this carries on, and carries on, and eventually disappears. And at this point there is no indication that anything has been sent at all: no message, no message transcript, no message failed notification. In fact, if the recipient didn’t happen to have the app open, or had it open but was in a different conversation thread, they never would have known something was supposed to be on the way.
    This bug is new to me, and the first time I heard about it was when it was discussed on Monday in the blog run by Guilherme Rambo, a coding and engineering expert. Rambo, in turn, heard about the bug on the Search Engine podcast, which devoted its May 9 episode to the subject.
    Rambo reproduced the bug, guessed the problem must be at the recipient end, then plugged that device into his Mac and started looking at logs. And from that point it doesn’t appear to have taken long for him to work out what was going on: iOS’s transcription engine was recognizing the name of the U.S. restaurant chain, changing it to the correct corporate branding (“Dave & Buster’s,” with an all-important ampersand), and then passing that into the XHTML code used to send a transcript with the audio message. The problem isn’t being caused by the words Dave and Buster’s, but by the ampersand character between them, which has a special meaning in XHTML markup and prevents the transcript from being parsed correctly.
    [Image: The phrase “Dave and Buster’s” doesn’t cause a problem in the U.K. because iOS doesn’t add an ampersand (or even an apostrophe). Credit: David Price / Foundry]
    As you can see in the image at the top of this story, a seemingly successfully sent audio iMessage ending with the phrase “Dave & Buster’s” appears as sent but never actually appears on the recipient’s phone. After a while, the audio message disappeared from the sender’s phone, and the recipient was completely unaware that the message had ever been sent.
    With that in mind, it’s a short leap to recognize that other brands could cause the same issue—they just haven’t been spotted doing so up to now. Rambo notes that “M&Ms” will do the same thing. For U.K. iPhone owners, in fact, “Dave and Buster’s” doesn’t trigger the bug because that chain is evidently not well enough known here and doesn’t get its ampersand added by autocorrect.
    To reproduce the issue, I had to ask a friend to send me a message about the supermarket chain M&S. Sure enough, this caused the hanging ellipsis followed by an unsent message. At the time of writing, it seems almost certain that any phrase iOS would recognize as containing an ampersand would cause an audio message to fail, and when I put it like that, it’s surprising the bug hasn’t been more widely reported.
    [Image: But here’s what happens when a U.K. user tries to send a message about the supermarket chain M&S, complete with ampersand. Credit: Karen Haslam / Foundry]
    On the plus side, one would imagine it’s a bug that should be easy to patch in an iOS update. The transcription feature in Messages simply needs to be told to “escape” special characters so they don’t mess up the parsing process. And as Rambo notes, this isn’t a bug with any security vulnerabilities; indeed, it shows Apple’s BlastDoor mechanism working correctly. “Many bad parsers would probably accept the incorrectly-formatted XHTML,” he writes, “but that sort of leniency when parsing data formats is often what ends up causing security issues. By being pedantic about the formatting, BlastDoor is protecting the recipient from an exploit that would abuse that type of issue.”
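    The escaping fix described above, as an added Python example that is not taken from the Macworld article, from Rambo’s write-up or from Apple’s code. The iMessage transcript payload is not public, so the `<transcript>`/`<p>` wrapper, the namespace and the function names here are assumed stand-ins. The block builds the same transcript text with and without escaping, feeds both to a strict XML parser (which rejects the bare ampersand outright, the way the article says BlastDoor does) and to a lenient HTML parser (which quietly accepts it), and checks that the escaped form round-trips to the original text.

```python
"""Bare '&' in a strictly parsed XHTML transcript: the failure and the fix.

Hypothetical stand-in for the transcript markup the article describes; the
real iMessage payload format is not public, so the <transcript> and <p>
element names below are assumptions, not Apple's schema.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape  # encodes &, < and > for XML/XHTML text
from html.parser import HTMLParser

XHTML_NS = "http://www.w3.org/1999/xhtml"


def transcript_fragment(text: str, escaped: bool) -> str:
    """Wrap transcription output in (assumed) XHTML transcript markup.

    escaped=False reproduces the bug: raw text is interpolated into markup.
    escaped=True is the fix: special characters are encoded first.
    """
    body = escape(text) if escaped else text
    return f'<transcript xmlns="{XHTML_NS}"><p>{body}</p></transcript>'


def strict_parse(fragment: str):
    """Parse like a pedantic XML/XHTML consumer.

    Returns the transcript text, or None if the document is not well-formed.
    In XML a '&' that does not start a valid entity is a fatal error, so the
    unescaped fragment is rejected rather than repaired.
    """
    try:
        root = ET.fromstring(fragment)
    except ET.ParseError:
        return None
    p = root.find(f"{{{XHTML_NS}}}p")
    return "".join(p.itertext()) if p is not None else None


class _LenientText(HTMLParser):
    """Collect character data the way a forgiving HTML parser would."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def lenient_parse(fragment: str) -> str:
    """Parse with a tolerant HTML parser: it accepts the bare '&' silently.

    This is the leniency the article warns about: the message would 'work',
    but every consumer now has to agree on how malformed input is repaired,
    and disagreements between parsers are where security issues start.
    """
    parser = _LenientText()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.chunks)


if __name__ == "__main__":
    # Constructed sample phrases, including the ones named in the article.
    for phrase in ("I'm off to eat lunch at Dave & Buster's", "M&Ms", "M&S", "plain text"):
        raw = transcript_fragment(phrase, escaped=False)
        fixed = transcript_fragment(phrase, escaped=True)
        print(f"{phrase!r}: strict(raw)={strict_parse(raw)!r} "
              f"strict(escaped)={strict_parse(fixed)!r} lenient(raw)={lenient_parse(raw)!r}")
```

    Running it shows the three ampersand phrases coming back as None from the strict parser until they are escaped, while “plain text” passes either way; the lenient parser returns the ampersand phrases unchanged, which is exactly the behaviour Rambo argues a security boundary should not have.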
    Source: www.macworld.com