
Marks and Spencer Company Cyber Security Posture
marksandspencer.com
At M&S, we're dedicated to being the most trusted retailer, prioritising quality and delivering value. Every day, we bring the magic of M&S to our customers, whenever, wherever and however they want to shop with us. For over a century, we've set the standard, doing the right thing and embracing innovation. Today, with over 65,000 colleagues serving 32 million customers globally, we're putting quality products at the heart of everything we do. Tomorrow holds boundless opportunities with us. We're pioneering digital innovation and shaping the future of retail where our values drive every action. We stay close to customers and colleagues, always curious and connected. Our decisions are bold, our actions ambitious. Transparency is paramount, with straightforward, honest communication. We're constantly innovating, always striving for the best. Our focus is on aiming higher and winning together, combined with wise financial decisions to secure our future. Join us at M&S to shape the future of retail.
MS Company Details
marks-and-spencer
37940 employees
633544.0
452
Retail
marksandspencer.com
Scan still pending
MAR_2661945
In-progress

Between 800 and 900
This score is AI-generated and less favored by cyber insurers, who prefer the TPRM score.


Marks and Spencer Company Scoring based on AI Models
Model Name | Date | Description | Current Score Difference | Score |
---|---|---|---|---|
AVERAGE-Industry | 03-12-2025 | This score represents the average cybersecurity rating of companies already scanned within the same industry. It provides a benchmark to compare an individual company's security posture against its industry peers. | N/A | Between 800 and 900 |
Marks and Spencer Company Cyber Security News & History
Entity | Type | Severity | Impact | Seen | Url ID | Details | View |
---|---|---|---|---|---|---|---|
Marks & Spencer | Ransomware | 75 | 2 | 5/2025 | MAR1041050625 | Link | |
Rankiteo Explanation: Attack limited on finance or reputation. Description: In early 2025, a coordinated ransomware campaign by the DragonForce group infiltrated Marks & Spencer's IT environment, deploying its encryptor on VMware ESXi hosts that supported critical e-commerce and payment platforms. The attack forced M&S to suspend all online sales for five days while IT teams worked to restore encrypted virtual machines and sanitize systems. During this blackout, the retailer incurred estimated daily losses of £3.8 million from halted transactions and customer attrition. Investor confidence also took a hit, with the company's market capitalization dropping by over £500 million as trading in M&S shares reflected concerns about operational resilience and surge protection. Although no customer data was exfiltrated, the incident exposed gaps in patch management and incident response processes. Post-incident assessments highlighted the need for stronger network segmentation, faster ransomware detection capabilities, and robust backup and recovery workflows. M&S has since accelerated its cybersecurity investment, deploying next-generation endpoint protection and multi-factor authentication across its cloud and on-premises infrastructure to mitigate future threats. | |||||||
Marks and Spencer | Ransomware | 100 | | 5/2025 | MAR347051325 | Link | |
Rankiteo Explanation: Attack threatening the organization's existence. Description: Marks and Spencer (M&S) has confirmed that customer information has been taken following a cyberattack. The attack has caused significant disruption, with online orders still affected weeks later. In a letter to customers, the retail giant revealed that personally identifiable information (PII) has been stolen by cybercriminals. This forced the firm to disable online shopping orders, click and collect, and contactless payments in some stores. The incident, which seems to have been a ransomware attack, took systems offline and caused undeniable disruption to the retailer's operation. | |||||||
Marks & Spencer | Cyber Attack | 85 | 4 | 5/2025 | MAR528051425 | Link | |
Rankiteo Explanation: Attack with significant impact with customers data leaks. Description: Marks & Spencer, a British retail chain, revealed on Tuesday that some of its customers' personal data had been stolen in a cyberattack. The incident was sophisticated and led to the suspension of online sales and contactless payments. The company emphasized that no payment details or passwords were compromised. Affected customers were notified, but the exact number was not disclosed. The company assured that no further action was necessary beyond resetting passwords. There is no indication that the stolen data has been shared. M&S reported the incident to relevant authorities and law enforcement and continues to collaborate with them. | |||||||
Marks & Spencer (M&S) | Breach | 85 | 4 | 5/2025 | MAR733051525 | Link | |
Rankiteo Explanation: Attack with significant impact with customers data leaks. Description: Earlier this week, M&S reported a cyberattack that disrupted its online services for more than three weeks. The attack, believed to be linked to the hacking group 'Scattered Spider,' resulted in the compromise of certain customer data. M&S has informed customers that due to the sophisticated nature of the incident, some of their personal customer data has been taken. | |||||||
Marks & Spencer | Ransomware | 100 | 5 | 5/2025 | MAR356052125 | Link | |
Rankiteo Explanation: Attack threatening the organization's existence. Description: British retail giant Marks & Spencer (M&S) is facing a potential profit hit of up to £300 million following a recent ransomware attack that led to widespread operational and sales disruptions. The company confirmed that online retail systems are disabled and expects disruptions to last until July. Food sales have been impacted by reduced availability, and the company has incurred additional waste and logistics costs. Online sales and trading profit in Fashion, Home & Beauty have also been heavily impacted. The attack was linked to the Scattered Spider group, who used a DragonForce encryptor to encrypt virtual machines on VMware ESXi hosts, leading to significant business disruptions and the theft of customer data. | |||||||
Marks & Spencer | Ransomware | 100 | 5 | 6/2025 | MAR600060925 | Link | |
Rankiteo Explanation: Attack threatening the organization's existence. Description: The ransomware collective Scattered Spider, known for their sophisticated tactics, recently targeted Marks & Spencer (M&S) in the UK. The attack involved compromised credentials from Tata Consultancy Services (TCS), a major IT outsourcing firm, to infiltrate M&S's systems. The hackers sent an abusive email to M&S's CEO, demanding a ransom payment. This attack highlights Scattered Spider's strategic focus on targeting IT providers and third-party contractors to amplify their reach. | |||||||
Marks & Spencer | Cyber Attack | 60 | 2 | 6/2025 | MAR821061925 | Link | |
Rankiteo Explanation: Attack limited on finance or reputation. Description: Marks & Spencer (M&S), a fashion retail giant, experienced a cyberattack carried out by a group of English-speaking hackers using the illicit service DragonForce. The attackers used social engineering to gain access to M&S systems through a third party. The incident resulted in a significant financial loss, with the company reporting a loss of operating profit amounting to nearly 300 million pounds ($403 million). The attack raised concerns among shareholders and led to an internal investigation by TCS, the IT service provider for M&S. | |||||||
Marks and Spencer | Cyber Attack | 85 | 4 | 6/2025 | MAR900062025 | Link | |
Rankiteo Explanation: Attack with significant impact with customers data leaks. Description: Marks and Spencer (M&S) suffered a significant cyberattack on April 22, 2025, which compromised customer data including home addresses, phone numbers, and dates of birth. The attack is estimated to cost the company around £300 million in lost operating profit. The DragonForce hacking collective claimed responsibility, demanding payment for the attack. While no passwords or card details were stolen, the breach has raised concerns about data security. | |||||||
M&S | Ransomware | 100 | 5 | 7/2025 | MAR558070925 | Link | |
Rankiteo Explanation: Attack threatening the organization's existence. Description: M&S experienced a ransomware attack carried out by DragonForce, a group believed to be based in Asia or Russia. The attack involved social engineering, where the attacker impersonated an M&S worker and tricked a third party into resetting an employee's password. The attackers threatened to leak and encrypted acquired data, including names, birth dates, addresses, phone numbers, household information, and order histories. About 150GB of data was stolen before M&S shut down systems to prevent further spread, leading to delivery disruptions. Recovery efforts are ongoing, with full recovery expected by October or November 2025. | |||||||
Marks & Spencer | Ransomware | 100 | 5 | 7/2025 | MAR601070925 | Link | |
Rankiteo Explanation: Attack threatening the organization's existence. Description: Marks & Spencer (M&S) experienced a ransomware attack in April, linked to the Scattered Spider hacking collective using DragonForce ransomware. The attack, which was highly sophisticated and involved social engineering through a third party, compromised the retailer's systems significantly. M&S had to shut down large parts of its systems to prevent further damage, heavily affecting areas such as online shopping. The attack was so severe that it was described as an attempt to destroy the business. The retailer is still in the process of securely bringing these systems back up. | |||||||
Marks and Spencer | Ransomware | 100 | | 7/2025 | MAR847071225 | Link | |
Rankiteo Explanation: Attack threatening the organization's existence. Description: A damaging cyber-attack on retailer Marks and Spencer in the UK in April last year has caused a great loss in revenues, with a £300 million ($403 million) operating profit loss, as its online business was taken offline for seven weeks, and is being rebuilt in stages with the process not yet complete 14 months later. The attack was enabled by a DragonForce ransomware group hacker impersonating an employee, reportedly at M&S contractor Tata Consultancy Services, and gaining unauthorized system access via the M&S help desk. Reports indicate the breach began as early as February 2024, when hackers stole the Windows domain's NTDS.dit file, containing password hashes for domain users. By cracking these hashes, they accessed the network and deployed ransomware to encrypt virtual machines, disrupting services like contactless payments, click-and-collect, and online ordering. | |||||||
Marks & Spencer (M&S) | Ransomware | 100 | 5 | 7/2025 | MAR419071725 | Link | |
Rankiteo Explanation: Attack threatening the organization's existence. Description: In late April 2025, Marks & Spencer (M&S) was targeted by a ransomware attack linked to the Scattered Spider threat actor. This incident caused significant operational disruption and financial costs, affecting the company's ability to operate normally. The attack disrupted the retailer's supply chain and likely led to the exposure of customer data and payment information, making it a high-severity incident. | |||||||
Marks & Spencer | Ransomware | 100 | | 7/2025 | MAR956072325 | Link | |
Rankiteo Explanation: Attack threatening the organization's existence. Description: British retail giant Marks & Spencer (M&S) was breached in an April ransomware attack where a DragonForce encryptor was used to encrypt virtual machines on VMware ESXi hosts, forcing M&S to stop accepting online orders and leading to a significant impact on business operations at its 1,400 stores. | |||||||
M&S | Ransomware | 100 | 5 | 7/2025 | MAR903072925 | Link | |
Rankiteo Explanation: Attack threatening the organization's existence. Description: M&S, a major UK retail giant, has been severely impacted by a highly sophisticated cyber campaign attributed to the financially motivated hacking group Scattered Spider. The attackers exploited compromised Active Directory accounts to gain full control of VMware vSphere environments, stealing sensitive data and deploying ransomware. This method bypasses traditional security tools, rendering it invisible to in-guest security agents. The attack not only compromised financial and personal data but also disrupted business operations, causing significant financial loss and damage to the company's reputation. |
Marks and Spencer Company Subsidiaries

MS Cyber Security News
Marks & Spencer restores some online-order operations following cyberattack
The department store chain six weeks ago was one of the first targets in an international spree of attacks disrupting retailers.
TCS launches internal inquiry into Marks & Spencer cybersecurity breach
How M&S responds to its cyber-attack could have a serious impact on its future – and its customers
The cyber-attack on Marks & Spencer will lead to an estimated £300 million hit to the company's profits this year. It now aims to have ...
Marks & Spencer's cyberattack isn't an exception - it's a warning
It doesn't just steal data, it shuts down business operations. That makes it a powerful leverage tool for extortion. When every hour of downtime ...
M&S' $400 million cyberattack upheaval to linger into July
The attack on one of the biggest names on the UK high street forced M&S to resort to pen and paper to move billions of pounds of fresh food, ...
Four Arrested in £440M Cyber Attack on Marks & Spencer, Co-op, and Harrods
The U.K. National Crime Agency (NCA) on Thursday announced that four people have been arrested in connection with cyber attacks targeting ...
Marks & Spencer confirms cybersecurity incident amid ongoing disruption
Retail giant Marks & Spencer has confirmed a cybersecurity incident, as customers report ongoing disruption and outages.
M&S chair calls for mandatory reporting of cyber attacks after "traumatic" ransomware incident – but will it do more harm than good?
The chair of Marks and Spencer (M&S) has called for companies to be forced to disclose cyber attacks, claiming that two large British companies ...
UK retailer Marks & Spencer puts cyberattack cost at $400 million with disruptions ongoing
British retailer Marks & Spencer estimates that a cyberattack that stopped it from processing online orders and left store shelves empty ...


Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
MS CyberSecurity History Information
How many cyber incidents has MS faced?
Total Incidents: According to Rankiteo, MS has faced 14 incidents in the past.
What types of cybersecurity incidents have occurred at MS?
Incident Types: The types of cybersecurity incidents that have occurred include Breach, Cyber Attack and Ransomware.
What was the total financial impact of these incidents on MS?
Total Financial Loss: The total financial loss from these incidents is estimated to be $1.20 billion.
How does MS detect and respond to cybersecurity incidents?
Detection and Response: The company detects and responds to cybersecurity incidents through the following measures:
Enhanced Monitoring: Strong identity verification, VMware hardening, backup integrity, continuous monitoring; faster ransomware detection capabilities
Third Party Assistance: Professional intermediaries; Tata Consultancy Services
Containment Measures: Shutting down systems; shut down systems to prevent further spread; disabled online shopping orders, disabled click and collect, disabled contactless payments in some stores
Remediation Measures: Rebuilding systems; restore encrypted virtual machines, sanitize systems
Recovery Measures: Bringing systems back up securely; recovery efforts ongoing, full recovery expected by October or November 2025
Communication Strategy: Media channels, including BBC; calling for greater transparency and cyberattack reporting; affected customers were notified; letter to customers
Network Segmentation: Not heavily segmented; need for stronger network segmentation
Incident Details
Can you provide details on each incident?

Incident : Ransomware, Data Theft
Title: Scattered Spider Cyber Campaign
Description: A highly aggressive cyber campaign identified in mid-2025 by Google's Threat Intelligence Group (GTIG), targeting major industries including retail, airlines, and insurance. The campaign is attributed to Scattered Spider, a financially motivated hacking group also known as 0ktapus and UNC3944.
Date Detected: mid-2025
Type: Ransomware, Data Theft
Attack Vector: Phone-based social engineering, Compromised Active Directory accounts, VMware vSphere environments
Vulnerability Exploited: Weak identity verification procedures in IT help desks
Threat Actor: Scattered Spider (0ktapus, UNC3944)
Motivation: Financial

Incident : Ransomware
Title: UK Government Plans to Ban Ransom Payments for Public Sector and Critical Infrastructure
Description: The UK government is proposing legislation to ban public sector and critical infrastructure organizations from paying ransoms after ransomware attacks. This includes local councils, schools, and the NHS. The ban aims to disrupt the business model of cybercriminals and reduce the attractiveness of these organizations as targets. Additionally, businesses not covered by the ban will be required to notify the government if they intend to make a ransom payment, and a mandatory reporting system is being developed.
Type: Ransomware
Attack Vector: Ransomware
Threat Actor: Cybercriminal groups, Many based in Russia
Motivation: Financial gain

Incident : Ransomware
Title: Surge in Ransomware Attacks on Retail Sector in Q2 2025
Description: Publicly disclosed ransomware attacks targeting the retail sector globally have surged by 58% in Q2 2025 compared to Q1, with UK-based firms bearing the brunt of this targeting.
Date Publicly Disclosed: 2025-07-16
Type: Ransomware
Threat Actor: Scattered Spider
Motivation: Extortion, Data Theft

Incident : Ransomware
Title: Cyber Attack on Marks and Spencer
Description: A ransomware attack on retailer Marks and Spencer in the UK in April last year caused a significant loss in revenues, with a £300 million ($403 million) operating profit loss, as its online business was taken offline for seven weeks.
Date Detected: February 2024
Type: Ransomware
Attack Vector: Phishing, Impersonation
Vulnerability Exploited: Unauthorized system access via help desk
Threat Actor: DragonForce ransomware group
Motivation: Financial gain

Incident : Ransomware
Title: Ransomware Attack on Marks & Spencer (M&S)
Description: Marks & Spencer (M&S) experienced a ransomware attack in April, linked to the Scattered Spider hacking collective using DragonForce ransomware infrastructure. The attack was sophisticated and involved social engineering through a third party, Tata Consultancy Services (TCS). M&S had to shut down large parts of its systems to prevent further damage, affecting online shopping and other areas.
Date Detected: 2023-04-17
Date Publicly Disclosed: 2023-07-08
Type: Ransomware
Attack Vector: Social Engineering, Compromised Credentials
Vulnerability Exploited: Compromised credentials from a third party (TCS)
Threat Actor: Scattered Spider (DragonForce)
Motivation: Ransom and extortion

Incident : Ransomware
Title: M&S Ransomware Attack by DragonForce
Description: M&S experienced a ransomware attack attributed to DragonForce, involving social engineering and double extortion.
Type: Ransomware
Attack Vector: Social Engineering, Phishing
Vulnerability Exploited: Password Reset Mechanism
Threat Actor: DragonForce
Motivation: Financial Gain

Incident : Cyberattack
Title: Marks and Spencer Cyberattack
Description: Marks and Spencer (M&S) experienced a major cyberattack on April 22, 2025. The attackers compromised workers at Tata Consultancy Services (TCS), a third-party supplier, to gain access to M&S systems. The attack resulted in the theft of customer data, including home addresses, phone numbers, and dates of birth, but no passwords or payment details were compromised. The DragonForce hacking collective claimed responsibility and demanded a ransom. M&S forecasted a loss of around £300 million in operating profit.
Date Detected: April 22, 2025
Type: Cyberattack
Attack Vector: Compromised third-party supplier
Vulnerability Exploited: Human element
Threat Actor: DragonForce hacking collective
Motivation: Financial gain

Incident : Cyberattack
Title: Cyberattack on Marks & Spencer
Description: A group of English-speaking hackers used the illicit service known as DragonForce to carry out a cyberattack on the fashion retail giant Marks & Spencer. The attack was carried out through social engineering, where hackers pretended to be someone trustworthy and tricked an employee into giving out passwords or login access.
Date Publicly Disclosed: 2025-06-19
Type: Cyberattack
Attack Vector: Social Engineering
Vulnerability Exploited: Human Factor
Threat Actor: DragonForce
Motivation: Extortion

Incident : Ransomware
Title: Scattered Spider Ransomware Attacks on UK Retailers
Description: Scattered Spider, the ransomware collective, has evolved its arsenal to incorporate more sophisticated tactics, targeting UK retailers including Marks & Spencer (M&S) and Harrods. The group uses advanced social engineering skills and relentless ambition to compromise IT providers and third-party contractors.
Date Publicly Disclosed: 2025-06-05
Type: Ransomware
Attack Vector: Phishing, Credential Harvesting, Social Engineering
Vulnerability Exploited: Compromised Credentials
Threat Actor: Scattered Spider (UNC3944, Octo Tempest)
Motivation: Financial Gain

Incident : Ransomware
Title: Cyberattack on Marks & Spencer
Description: British retail giant Marks & Spencer (M&S) is bracing for a potential profit hit of up to £300 million following a recent cyberattack that led to widespread operational and sales disruptions.
Date Detected: April 2023
Date Publicly Disclosed: Wednesday (specific date not provided)
Type: Ransomware
Attack Vector: DragonForce encryptor on VMware ESXi hosts
Threat Actor: Scattered Spider
Motivation: Financial gain, disruption of operations

Incident : Cyberattack
Title: M&S Cyberattack
Description: M&S reported a cyberattack that disrupted its online services for more than three weeks. The attack, believed to be linked to the hacking group 'Scattered Spider,' resulted in the compromise of certain customer data.
Type: Cyberattack
Threat Actor: Scattered Spider

Incident : Data Breach
Title: Marks & Spencer Cyberattack
Description: Marks & Spencer, a British retail chain, revealed on Tuesday that some of its customers' personal data had been stolen in a cyberattack. The incident was sophisticated and led to the suspension of online sales and contactless payments. The company emphasized that no payment details or passwords were compromised. Affected customers were notified, but the exact number was not disclosed. The company assured that no further action was necessary beyond resetting passwords. There is no indication that the stolen data has been shared. M&S reported the incident to relevant authorities and law enforcement and continues to collaborate with them.
Date Publicly Disclosed: Tuesday
Type: Data Breach
Attack Vector: Cyberattack

Incident : Ransomware Attack
Title: Marks and Spencer Data Breach and Ransomware Attack
Description: Marks and Spencer (M&S) has confirmed that customer information has been taken following a cyberattack. The attack has caused significant disruption, with online orders still affected weeks later. In a letter to customers, the retail giant revealed that personally identifiable information (PII) has been stolen by cybercriminals. This forced the firm to disable online shopping orders, click and collect, and contactless payments in some stores. The incident, which seems to have been a ransomware attack, took systems offline and caused undeniable disruption to the retailer's operation.
Type: Ransomware Attack

Incident : Ransomware
Title: Ransomware Attack on Marks & Spencer
Description: A coordinated ransomware campaign by the DragonForce group infiltrated Marks & Spencer's IT environment, deploying its encryptor on VMware ESXi hosts that supported critical e-commerce and payment platforms.
Type: Ransomware
Attack Vector: Encryptor deployed on VMware ESXi hosts
Threat Actor: DragonForce group
Motivation: Financial
What are the most common types of attacks the company has faced?
Common Attack Types: The most common type of attack the company has faced is Ransomware.
How does the company identify the attack vectors used in incidents?
Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Phone-based social engineering, Help desk, Compromised credentials from TCS, Social Engineering, Third-party supplier, Third-party access and Compromised Credentials.
Impact of the Incidents
What was the impact of each incident?

Incident : Ransomware, Data Theft MAR903072925
Data Compromised: Sensitive data, Active Directory database
Systems Affected: VMware vSphere environments, ESXi hosts, VCSA

Incident : Ransomware MAR956072325
Financial Loss: Millions of pounds each year
Systems Affected: Local councils, Schools, NHS, British Library, Marks & Spencer, Co-op, Harrods
Downtime: Significant impact on business operations at M&S stores
Operational Impact: Stopped accepting online orders, Restricted internet access

Incident : Ransomware MAR847071225
Financial Loss: £300 million ($403 million)
Systems Affected: Virtual machines, Contactless payments, Click-and-collect, Online ordering
Downtime: Seven weeks
Operational Impact: Online business taken offline
Revenue Loss: £300 million ($403 million)

Incident : Ransomware MAR601070925
Systems Affected: Online shopping and other areas
Downtime: Significant
Operational Impact: Business impairing

Incident : Ransomware MAR558070925
Data Compromised: Names, Birth Dates, Addresses, Phone Numbers, Household Information, Order Histories
Operational Impact: Delivery Disruptions

Incident : Cyberattack MAR900062025
Financial Loss: £300 million
Data Compromised: Home addresses, Phone numbers, Dates of birth

Incident : Cyberattack MAR821061925
Financial Loss: 300 million pounds ($403 million)

Incident : Ransomware MAR356052125
Financial Loss: Up to £300 million ($402 million)
Data Compromised: Customer data
Systems Affected: Online retail systems, VMware ESXi hosts
Downtime: At least until July
Operational Impact: Widespread operational and sales disruptions

Incident : Cyberattack MAR733051525
Data Compromised: Customer data
Systems Affected: Online services
Downtime: More than three weeks

Incident : Data Breach MAR528051425
Data Compromised: Personal Data
Systems Affected: Online Sales, Contactless Payments
Operational Impact: Suspension of online sales and contactless payments

Incident : Ransomware Attack MAR347051325
Data Compromised: Personally Identifiable Information (PII)
Systems Affected: Online shopping orders, Click and collect, Contactless payments
Downtime: Online orders affected for weeks
Operational Impact: Significant disruption, Systems taken offline

Incident : Ransomware MAR1041050625
Financial Loss: £3.8 million daily
Systems Affected: VMware ESXi hosts, e-commerce platforms, payment platforms
Downtime: 5 days
Operational Impact: Suspension of all online sales
Revenue Loss: £3.8 million daily
Brand Reputation Impact: Drop in market capitalization by over £500 million
What is the average financial loss per incident?
Average Financial Loss: The average financial loss per incident is $85.99 million.
What types of data are most commonly compromised in incidents?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Sensitive data, Active Directory database, Personal Information, Order Histories, Home addresses, Phone numbers, Dates of birth, Customer data, Personal customer data, Personal Data and Personally Identifiable Information (PII).
Which entities were affected by each incident?

Incident : Ransomware MAR956072325
Entity Type: Publicly funded healthcare service
Industry: Healthcare
Location: UK

Incident : Ransomware MAR956072325
Entity Type: Retailer
Industry: Retail
Location: UK
Size: 1,400 stores

Incident : Ransomware MAR956072325
Entity Type: Retailer
Industry: Retail
Location: UK
Customers Affected: Data from many current and former members

Incident : Ransomware MAR356052125
Entity Type: Retailer
Industry: Retail
Location: United Kingdom
Size: 1,400 stores
Response to the Incidents
What measures were taken in response to each incident?

Incident : Ransomware, Data Theft MAR903072925
Enhanced Monitoring: Strong identity verification, VMware hardening, Backup integrity, Continuous monitoring

Incident : Ransomware MAR956072325
Law Enforcement Notified: True

Incident : Ransomware MAR419071725
Law Enforcement Notified: Yes

Incident : Ransomware MAR601070925
Third Party Assistance: Professional intermediaries
Containment Measures: Shutting down systems
Remediation Measures: Rebuilding systems
Recovery Measures: Bringing systems back up securely
Communication Strategy: Media channels, including BBC
Network Segmentation: Not heavily segmented

Incident : Ransomware MAR558070925
Third Party Assistance: Tata Consultancy Services
Law Enforcement Notified: True
Containment Measures: Shut down systems to prevent further spread
Recovery Measures: Recovery efforts ongoing, Full recovery expected by October or November 2025
Communication Strategy: Calling for greater transparency and cyberattack reporting

Incident : Data Breach MAR528051425
Law Enforcement Notified: Yes
Communication Strategy: Affected customers were notified

Incident : Ransomware Attack MAR347051325
Containment Measures: Disabled online shopping orders, Disabled click and collect, Disabled contactless payments in some stores
Communication Strategy: Letter to customers

Incident : Ransomware MAR1041050625
Remediation Measures: Restore encrypted virtual machines, Sanitize systems
Network Segmentation: Need for stronger network segmentation
Enhanced Monitoring: Faster ransomware detection capabilities
How does the company involve third-party assistance in incident response?
Third-Party Assistance: The company involves third-party assistance in incident response through Professional intermediaries, Tata Consultancy Services.
Data Breach Information
What type of data was compromised in each breach?

Incident : Ransomware, Data Theft MAR903072925
Type of Data Compromised: Sensitive data, Active Directory database

Incident : Ransomware MAR419071725
Data Exfiltration: Yes

Incident : Ransomware MAR558070925
Type of Data Compromised: Personal Information, Order Histories
Sensitivity of Data: Medium to High
Data Exfiltration: True
Data Encryption: True
Personally Identifiable Information: True

Incident : Cyberattack MAR900062025
Type of Data Compromised: Home addresses, Phone numbers, Dates of birth
Sensitivity of Data: Medium
Data Exfiltration: Yes
Personally Identifiable Information: Yes

Incident : Ransomware MAR356052125
Type of Data Compromised: Customer data
Data Exfiltration: Yes
Data Encryption: Yes

Incident : Cyberattack MAR733051525
Type of Data Compromised: Personal customer data
Data Exfiltration: True
Personally Identifiable Information: True

Incident : Data Breach MAR528051425
Type of Data Compromised: Personal Data

Incident : Ransomware Attack MAR347051325
Type of Data Compromised: Personally Identifiable Information (PII)
Personally Identifiable Information: True

Incident : Ransomware MAR1041050625
Data Exfiltration: No customer data exfiltrated
What measures does the company take to prevent data exfiltration?
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Rebuilding systems, Restore encrypted virtual machines, Sanitize systems.
How does the company handle incidents involving personally identifiable information (PII)?
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through the following measures: Shutting down systems, Shut down systems to prevent further spread, Disabled online shopping orders, Disabled click and collect and Disabled contactless payments in some stores.
Ransomware Information
Was ransomware involved in any of the incidents?

Incident : Ransomware MAR956072325
Ransomware Strain: DragonForce
Data Encryption: Virtual machines on VMware ESXi hosts

Incident : Ransomware MAR419071725
Data Exfiltration: Yes

Incident : Ransomware MAR847071225
Ransomware Strain: DragonForce
Data Encryption: Virtual machines encrypted

Incident : Ransomware MAR601070925
Ransomware Strain: DragonForce

Incident : Ransomware MAR558070925
Ransomware Strain: DragonForce
Data Encryption: True
Data Exfiltration: True

Incident : Ransomware MAR356052125
Ransomware Strain: DragonForce
Data Encryption: Yes
Data Exfiltration: Yes

Incident : Ransomware MAR1041050625
Data Encryption: Encryptor deployed on VMware ESXi hosts
Data Exfiltration: No customer data exfiltrated
How does the company recover data encrypted by ransomware?
Data Recovery from Ransomware: Recovery efforts are ongoing, with full recovery expected by October or November 2025.
Regulatory Compliance
Were there any regulatory violations and fines imposed for each incident?

Incident : Ransomware MAR601070925
Regulatory Notifications: NCSC

Incident : Data Breach MAR528051425
Regulatory Notifications: Relevant authorities and law enforcement were notified
Lessons Learned and Recommendations
What lessons were learned from each incident?

Incident : Ransomware, Data Theft MAR903072925
Lessons Learned: Proper training and a challenge process to validate the caller is who they say they are can prevent social engineering attacks. Using valid credentials and built-in tools makes it difficult for security teams to discern if they are compromised or not.

Incident : Ransomware MAR847071225
Lessons Learned: Employees should be trained to recognize and report cyber threats promptly. Organizations should foster a culture of transparent and timely communication of cyber threats.

Incident : Ransomware MAR601070925
Lessons Learned: Importance of system segmentation and mandatory reporting of cyber incidents

Incident : Ransomware MAR1041050625
Lessons Learned: Exposed gaps in patch management and incident response processes, Need for stronger network segmentation, Faster ransomware detection capabilities, Robust backup and recovery workflows
What recommendations were made to prevent future incidents?

Incident : Ransomware, Data Theft MAR903072925
Recommendations: Organisations must protect their virtualised assets through strong identity verification, VMware hardening, backup integrity, and continuous monitoring.

Incident : Ransomware MAR847071225
Recommendations: Implement training and attack simulation training to help employees recognize and respond to cyber threats appropriately.

Incident : Ransomware MAR558070925
Recommendations: Greater transparency and cyberattack reporting

Incident : Ransomware MAR1041050625
Recommendations: Deploy next-generation endpoint protection, Implement multi-factor authentication
What are the key lessons learned from past incidents?
Key Lessons Learned: The key lessons learned from past incidents are: Proper training and a challenge process to validate the caller is who they say they are can prevent social engineering attacks. Using valid credentials and built-in tools makes it difficult for security teams to discern if they are compromised or not. Employees should be trained to recognize and report cyber threats promptly. Organizations should foster a culture of transparent and timely communication of cyber threats. Importance of system segmentation and mandatory reporting of cyber incidents. Exposed gaps in patch management and incident response processes, Need for stronger network segmentation, Faster ransomware detection capabilities, Robust backup and recovery workflows.
What recommendations has the company implemented to improve cybersecurity?
Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Organisations must protect their virtualised assets through strong identity verification, VMware hardening, backup integrity, and continuous monitoring. Implement training and attack simulation training to help employees recognize and respond to cyber threats appropriately. Greater transparency and cyberattack reporting. Deploy next-generation endpoint protection, Implement multi-factor authentication.
References
Where can I find more information about each incident?

Incident : Ransomware, Data Theft MAR903072925
Source: Google's Threat Intelligence Group (GTIG)
Date Accessed: mid-2025

Incident : Ransomware, Data Theft MAR903072925
Source: Thomas Richards, Infrastructure Security Practice Director at Black Duck

Incident : Ransomware MAR956072325
Source: BleepingComputer

Incident : Ransomware MAR847071225
Source: Cohesity Survey

Incident : Ransomware MAR558070925
Source: Reuters

Incident : Cyberattack MAR900062025
Source: TechRadar Pro

Incident : Cyberattack MAR821061925
Source: BBC

Incident : Cyberattack MAR821061925
Source: The Financial Times

Incident : Ransomware MAR600060925
Source: BBC News

Incident : Ransomware MAR356052125
Source: BleepingComputer

Incident : Data Breach MAR528051425
Source: Marks & Spencer
Where can stakeholders find additional resources on cybersecurity best practices?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the following sources: Google's Threat Intelligence Group (GTIG) (Date Accessed: mid-2025); Thomas Richards, Infrastructure Security Practice Director at Black Duck; BleepingComputer; BlackFog Report (Date Accessed: 2025-07-16); Cohesity Survey; UK Parliament hearing on July 8 (Date Accessed: 2023-07-08); Reuters; TechRadar Pro; Reuters (Date Accessed: 2025-06-19); BBC; The Financial Times; ReliaQuest Report (Date Accessed: 2025-06-05); BBC News; BleepingComputer; Marks & Spencer.
Investigation Status
What is the current status of the investigation for each incident?

Incident : Ransomware MAR601070925
Investigation Status: Ongoing

Incident : Ransomware MAR558070925
Investigation Status: Ongoing

Incident : Cyberattack MAR900062025
Investigation Status: Ongoing

Incident : Cyberattack MAR821061925
Investigation Status: Ongoing

Incident : Ransomware MAR356052125
Investigation Status: Ongoing
How does the company communicate the status of incident investigations to stakeholders?
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Media channels, including BBC, Calling for greater transparency and cyberattack reporting, Affected customers were notified and Letter to customers.
Stakeholder and Customer Advisories
Were there any advisories issued to stakeholders or customers for each incident?

Incident : Data Breach MAR528051425
Customer Advisories: Reset passwords
What advisories does the company provide to stakeholders and customers following an incident?
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Reset passwords.
Initial Access Broker
How did the initial access broker gain entry for each incident?

Incident : Ransomware, Data Theft MAR903072925
Entry Point: Phone-based social engineering
High Value Targets: vSphere administrators, Powerful Active Directory groups
Data Sold on Dark Web: vSphere administrators, Powerful Active Directory groups

Incident : Ransomware MAR847071225
Entry Point: Help desk

Incident : Ransomware MAR601070925
Entry Point: Compromised credentials from TCS

Incident : Ransomware MAR558070925
Entry Point: Social Engineering

Incident : Cyberattack MAR900062025
Entry Point: Third-party supplier

Incident : Cyberattack MAR821061925
Entry Point: Third-party access

Incident : Ransomware MAR600060925
Entry Point: Compromised Credentials
High Value Targets: System Administrators, CFOs, COOs, CISOs
Data Sold on Dark Web: System Administrators, CFOs, COOs, CISOs

Incident : Ransomware MAR1041050625
High Value Targets: VMware ESXi hosts
Data Sold on Dark Web: VMware ESXi hosts
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident?

Incident : Ransomware, Data Theft MAR903072925
Root Causes: Weak identity verification procedures in IT help desks

Incident : Ransomware MAR847071225
Root Causes: Employee impersonation and unauthorized system access
Corrective Actions: Improve employee training and foster a culture of transparent communication

Incident : Ransomware MAR601070925
Root Causes: Compromised credentials and lack of system segmentation
Corrective Actions: Rebuilding systems and improving segmentation

Incident : Ransomware MAR558070925
Root Causes: Social Engineering, Password Reset Mechanism

Incident : Cyberattack MAR821061925
Root Causes: Social engineering and third-party access

Incident : Ransomware MAR1041050625
Corrective Actions: Accelerated cybersecurity investment, Deployed next-generation endpoint protection and multi-factor authentication across cloud and on-premises infrastructure
What is the company's process for conducting post-incident analysis?
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Strong identity verification, VMware hardening, Backup integrity, Continuous monitoring, Professional intermediaries, Tata Consultancy Services, Faster ransomware detection capabilities.
What corrective actions has the company taken based on post-incident analysis?
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Improve employee training and foster a culture of transparent communication, Rebuilding systems and improving segmentation, Accelerated cybersecurity investment, Deployed next-generation endpoint protection and multi-factor authentication across cloud and on-premises infrastructure.
Additional Questions
General Information
What was the amount of the last ransom demanded?
Last Ransom Demanded: The amount of the last ransom demanded was Yes.
Who was the attacking group in the last incident?
Last Attacking Group: The attacking group in the last incident was listed as Scattered Spider (0ktapus, UNC3944), Cybercriminal groups, Many based in Russia, Scattered Spider, DragonForce ransomware group, Scattered Spider (DragonForce), DragonForce, DragonForce hacking collective, DragonForce, Scattered Spider (UNC3944, Octo Tempest), Scattered Spider, Scattered Spider and DragonForce group.
Incident Details
What was the most recent incident detected?
Most Recent Incident Detected: The most recent incident detected was in mid-2025.
What was the most recent incident publicly disclosed?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-07-16.
Impact of the Incidents
What was the most significant data compromised in an incident?
Most Significant Data Compromised: The most significant data compromised in an incident were Sensitive data, Active Directory database, Names, Birth Dates, Addresses, Phone Numbers, Household Information, Order Histories, Home addresses, Phone numbers, Dates of birth, Customer data, Customer data, Personal Data and Personally Identifiable Information (PII).
What was the most significant system affected in an incident?
Most Significant System Affected: The most significant systems affected in an incident were: VMware vSphere environments, ESXi hosts, VCSA; Local councils, Schools, NHS, British Library, Marks & Spencer, Co-op, Harrods; Virtual machines, Contactless payments, Click-and-collect, Online ordering; Online shopping and other areas; Online retail systems, VMware ESXi hosts; Online services; Online Sales, Contactless Payments; Online shopping orders, Click and collect, Contactless payments; VMware ESXi hosts, e-commerce platforms, payment platforms.
Response to the Incidents
What third-party assistance was involved in the most recent incident?
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Professional intermediaries, Tata Consultancy Services.
What containment measures were taken in the most recent incident?
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Shutting down systems, Shut down systems to prevent further spread, Disabled online shopping orders, Disabled click and collect and Disabled contactless payments in some stores.
Data Breach Information
What was the most sensitive data compromised in a breach?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Sensitive data, Active Directory database, Names, Birth Dates, Addresses, Phone Numbers, Household Information, Order Histories, Home addresses, Phone numbers, Dates of birth, Customer data, Customer data, Personal Data and Personally Identifiable Information (PII).
Ransomware Information
What was the highest ransom demanded in a ransomware incident?
Highest Ransom Demanded: The highest ransom demanded in a ransomware incident was Yes.
Lessons Learned and Recommendations
What was the most significant lesson learned from past incidents?
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Exposed gaps in patch management and incident response processes, Need for stronger network segmentation, Faster ransomware detection capabilities, Robust backup and recovery workflows.
What was the most significant recommendation implemented to improve cybersecurity?
Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was: Organisations must protect their virtualised assets through strong identity verification, VMware hardening, backup integrity, and continuous monitoring. Implement training and attack simulation training to help employees recognize and respond to cyber threats appropriately. Greater transparency and cyberattack reporting. Deploy next-generation endpoint protection, Implement multi-factor authentication.
References
What is the most recent source of information about an incident?
Most Recent Source: The most recent sources of information about an incident are Google's Threat Intelligence Group (GTIG), Thomas Richards, Infrastructure Security Practice Director at Black Duck, BleepingComputer, BlackFog Report, Cohesity Survey, UK Parliament hearing on July 8, Reuters, TechRadar Pro, Reuters, BBC, The Financial Times, ReliaQuest Report, BBC News, BleepingComputer and Marks & Spencer.
Investigation Status
What is the current status of the most recent investigation?
Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.
Stakeholder and Customer Advisories
What was the most recent customer advisory issued?
Most Recent Customer Advisory: The most recent customer advisory issued was Reset passwords.
Initial Access Broker
What was the most recent entry point used by an initial access broker?
Most Recent Entry Point: The most recent entry points used by an initial access broker were Social Engineering, Compromised Credentials, Compromised credentials from TCS, Phone-based social engineering, Third-party supplier, Help desk and Third-party access.
Post-Incident Analysis
What was the most significant root cause identified in post-incident analysis?
Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Weak identity verification procedures in IT help desks, Employee impersonation and unauthorized system access, Compromised credentials and lack of system segmentation, Social Engineering, Password Reset Mechanism, Social engineering and third-party access.
What was the most significant corrective action taken based on post-incident analysis?
Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Improve employee training and foster a culture of transparent communication, Rebuilding systems and improving segmentation, Accelerated cybersecurity investment, Deployed next-generation endpoint protection and multi-factor authentication across cloud and on-premises infrastructure.
What Do We Measure?
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
