British retailer Marks & Spencer (M&S) has confirmed a significant cyberattack that exposed customer data and disrupted its operations. With millions affected, here’s what we know about the breach, who might be behind it, and how to stay safe.
What Type of Data Was Stolen?
M&S reports that attackers accessed:
- Full names, email addresses, phone numbers, and home addresses.
- Dates of birth.
- Online order history and household details.
- Customer reference numbers (M&S credit card / Sparks Pay).
- Masked payment card details (not full or usable payment info).
No passwords or full card numbers were stolen, according to M&S.
Who’s Behind the Cyberattack?
While M&S has not confirmed attribution, reports suggest:
A group known as Scattered Spider (aka Octo Tempest) is likely involved. More recently, DragonForce, a ransomware group, publicly claimed responsibility for attacks on M&S, the Co-op, and Harrods. DragonForce's platform operates as ransomware-as-a-service (RaaS), meaning affiliates could be the perpetrators. In either case, we must warn our readers and investigators that such claims can be false or misleading.
How Did the Attack Happen?
The suspected attack path includes one or more (if not all) of the following routes:
- Social engineering tactics (e.g., SIM-swapping).
- Impersonation of IT staff to access Active Directory.
- Using DragonForce ransomware in a double extortion model — stealing and encrypting data for ransom.
The Impact on M&S and Its Customers
Online orders were suspended (and STILL remain offline weeks later), and the attack also caused in-store disruptions, stock shortages, and halted recruitment. This resulted in estimated daily losses of £3.5–£3.8 million. Also, Marks & Spencer's share price dropped 14%, wiping over £1 billion from the market cap in just a few hours.
What Should M&S Customers Do?
M&S is prompting users to reset their passwords and urges caution.
Action Steps as advised by Am I Hacked:
- Reset your M&S password immediately
- Use unique, strong passwords for each account
- Enable two-factor authentication (MFA) using an app (avoid using the SMS service)
- Be alert for phishing emails/texts pretending to be from M&S
- Don't click suspicious links; instead, go directly to the official Marks & Spencer website
- Monitor your credit report for signs of identity fraud
Need Help?
If you’re concerned your email or personal data might be exposed in other breaches, try our free Data Leak Lookup Tool to check if you’ve been compromised.
National Authorities Involved
The National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) are investigating the M&S data leak incident. The Information Commissioner's Office (ICO) has been notified. At the same time, NCSC has warned about widespread IT help desk impersonation attacks and advised reviewing “password reset processes” to reduce the chances of getting hacked.
Official Communication Timeline
- April 22, 2025: M&S detected the attack
- April 25: Online orders paused
- May 13 (today): M&S notified customers by email about stolen personal data
How Serious is the May 2025 Marks & Spencer Data Breach?
Am I Hacked advises its clients and blog post readers to treat this breach seriously. Even without payment details (such as credit card details), leaks of stolen personal information can fuel phishing, scams, and ID fraud. The attack appears to involve a ransomware-as-a-service model, which can complicate attribution.
This highlights the need for stronger cyber resilience in retail.