MS A.I CyberSecurity Scoring
MS
Company Information
Website: https://jobs.marksandspencer.com/
Number of employees: 40,198
Number of followers: 781,632
NAICS: 43
Industry Type: Retail
Homepage: marksandspencer.com
MS Risk Score (AI oriented)
Between 0 and 549
Updated: 30/06/2026
100/1000
Critical
C
Current Score
100C (CRITICAL)
31 incidents
0 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
100
JUNE 2026
100
MAY 2026
100
Ransomware
01 May 2026 • MS
Marks & Spencer and Vendor: How safe is your money from cyber attack?
Cybersecurity Threats in Finance: AI, Quantum Risks, and Ransomware Surge
100
CRITICAL0
MARVEN1777695899
A recent wave of cyber threats has exposed critical vulnerabilities in the financial sector, with banks and regulators scrambling to bolster defenses against sophisticated attacks. The emergence of Anthropic’s Mythos AI model, capable of identifying thousands of "high-severity" flaws in financial software, has alarmed global regulators, including the Bank of England (BoE) and Financial Conduct Authority (FCA). Bank of England Governor Andrew Bailey and JPMorgan CEO Jamie Dimon have both warned of Mythos’s potential to enable zero-day exploits, leaving institutions with no time to patch vulnerabilities before attackers strike.
### The Cyber Kill Chain and Financial Sector Defenses
Financial institutions follow the Lockheed Martin cyber kill chain model, a seven-stage framework outlining attack progression from reconnaissance to data exfiltration. To counter threats, banks conduct CBEST (Critical National Infrastructure Banking Supervision and Evaluation Testing), a BoE-FCA program simulating real-world attacks. These exercises pit red teams (attackers) against blue teams (defenders), testing response playbooks that dictate actions like freezing transfers, deploying backups, or isolating networks.
Despite these efforts, gaps persist. A 2025 CBEST report revealed foundational weaknesses, including social engineering vulnerabilities and insecure helpdesk protocols, where staff were tricked into granting system access. Multi-factor authentication (MFA) and third-party risk management remain critical, yet attackers increasingly exploit supply chain flaws, as evidenced by a 2024 ransomware attack on Marks & Spencer, where hackers breached a vendor before encrypting internal systems.
### Ransomware and Extortion Tactics
A hypothetical but plausible scenario illustrates the escalating threat: a triple extortion attack where hackers steal customer data, encrypt systems, and disable backups, demanding £1 billion in cryptocurrency. Such incidents, though rare in the UK, have surged globally, with one in three material cyber incidents reported to the FCA (2025–2026) involving ransomware. The Financial Services Compensation Scheme (FSCS) protects deposits up to £120,000, but prolonged outages, some lasting weeks, risk eroding customer trust.
### Quantum Computing: The Next Frontier
Quantum computing poses an existential threat to encryption, with experts like Dr. Ali El Kaafarani (PQShield) comparing its impact to a "digital nuclear bomb." The National Cyber Security Centre (NCSC) has set a 2035 deadline for critical infrastructure, including banks, to adopt post-quantum cryptography: algorithms resistant to quantum decryption. While quantum computers remain costly and complex, their potential to decrypt financial data has accelerated defensive preparations.
### Third-Party Risks and Insider Threats
Banks’ reliance on vendors has expanded the attack surface, with phishing, credential theft, and impersonation becoming common entry points. A 2024 incident saw a North Korean operative infiltrate a UK firm as an employee, highlighting insider threats. Regulators now enforce tiered supplier compliance, with stricter controls for critical services (e.g., cloud providers) versus low-risk vendors (e.g., office suppliers).
### Regulation vs. Reality
While financial institutions lead in cybersecurity due to strict BoE-FCA regulations, experts caution that compliance ≠ security. Lorenzo Grillo (Alvarez & Marsal) notes that even well-regulated banks struggle with human error, a persistent weak link. Meanwhile, crypto firms, lacking comparable oversight, saw $2.7 billion stolen in 2025, diverting hacker attention from traditional banks.
The financial sector’s proactive measures (war games, AI-driven threat detection, and quantum-resistant encryption) offer some reassurance. Yet the Mythos AI model’s revelations, coupled with rising ransomware and quantum risks, underscore that cybersecurity remains a high-stakes, evolving battle.
MAY 2026
100
Cyber Attack
30 Apr 2026 • MS
ByBit, CrowdStrike and Marks & Spencer: How cyber security is changing in the age of AI
AI-Powered Cyber Threats and Major Cyber Incidents (2025-2026)
100
CRITICAL0
MARBYBCRO1777746530
AI-Powered Cyber Threats Reshape the Security Landscape
The rapid adoption of artificial intelligence (AI) has escalated cyber threats, enabling more sophisticated, automated, and damaging attacks. According to the Global Cybersecurity Outlook 2026 from the World Economic Forum, AI has introduced new attack vectors, increasing both the frequency and severity of cyber incidents.
A stark example emerged in April when Anthropic opted not to publicly release its Claude Mythos large language model after tests revealed thousands of critical vulnerabilities in major operating systems and browsers. Instead, the company launched Project Glasswing, restricting Mythos to vetted partners like Apple, Microsoft, and Cisco to develop defensive measures against potential misuse by threat actors.
### Rising Risks and Financial Fallout
Corporate concerns over cyber risk are intensifying. The Bank of England’s Systemic Risk Report for late 2025 found that 86% of companies ranked cyber risk among their top five threats, up from 72% earlier in the year. A Proofpoint survey of 1,600 CISOs revealed that 66% experienced material data losses in the past year, a jump from 46% in 2024. In India, 99% of CISOs reported system compromises in the last 12 months.
The financial toll is staggering. Cybercrime costs reached $10.5 trillion in 2025, with projections hitting $15.6 trillion by 2029. Ransomware payments surged, with the median demand increasing 368% between 2025 and 2026 to nearly $60,000. Despite stagnant ransom payments post-2023, the number of reported attacks continued to climb.
### Key Vulnerabilities: Identity, Supply Chains, and Human Error
Cyber threats exploit three primary weaknesses:
1. Legitimate Identity Abuse – CrowdStrike’s 2026 Global Threat Report found that 82% of intrusions involved no malware, instead relying on stolen credentials or trusted systems to blend into normal activity.
2. Supply Chain and Third-Party Risks – The Verizon Data Breach Investigations Report 2025 noted that 30% of breaches involved third parties, double the previous year’s rate. High-profile incidents, like the 2020 SolarWinds attack, demonstrated how compromised software updates can create widespread backdoors.
3. Internet-Facing Systems – Exploits of public-facing applications rose 44% in a year, with 40% of initial breaches originating from such systems. Many vulnerabilities required no authentication, making them prime targets.
Human error remains a persistent weak point. The Verizon report found that 60% of breaches involved human factors, from phishing to poor digital hygiene. Remote work has further complicated security, with 40% of UK workers operating in hybrid or fully remote setups, expanding attack surfaces beyond traditional firewalls.
### AI’s Dual Role: Accelerating Attacks and Defenses
AI has lowered the barrier for cybercriminals, enabling faster, more automated attacks. CrowdStrike reported an 89% year-over-year increase in AI-driven adversary activity, with average eCrime breakout times dropping to 29 minutes (down from 98 minutes in 2020). Some intrusions achieved data exfiltration in just four minutes.
AI also aids defenders. Anthropic’s Mythos, though withheld from public release, helps vetted partners identify and patch vulnerabilities. However, the cat-and-mouse dynamic persists: Sumsub’s CTO warned of potential gaps where new fraud techniques temporarily outpace detection systems.
### Notable Incidents and Lessons
- Marks & Spencer (April 2025) – A breach by the hacking group Scattered Spider cost the retailer £300 million in lost profits and £600 million in market value. The attack reportedly exploited IT help desk workers through social engineering.
- ByBit (February 2025) – A supply-chain compromise led to $1.5 billion in stolen cryptocurrency after North Korean attackers distributed trojanized software.
- CrowdStrike Outage (2024) – A faulty software update caused the largest global IT disruption to date, affecting 8.5 million Windows systems across airlines, hospitals, and governments, highlighting the risks of over-reliance on single vendors.
### Emerging Threats and Defensive Shifts
AI-generated deepfakes and synthetic identities are becoming more convincing, with Sumsub noting that LLMs can now fabricate entire identities for verification bypass. Meanwhile, state-sponsored actors, like North Korea’s operatives, have used fake job applications to infiltrate Western companies.
To counter these threats, experts emphasize:
- Zero-trust architecture – Treating identity systems as critical infrastructure.
- Supply chain scrutiny – Contracts with third parties must include breach notifications, AI usage disclosures, and liability clauses.
- AI-driven defenses – Leveraging AI for vulnerability detection while maintaining human oversight to avoid over-reliance on automated systems.
As AI continues to reshape cyber warfare, organizations must prioritize speed, resilience, and foundational security, balancing innovation with the risks of an increasingly interconnected digital landscape.
APRIL 2026
100
Cyber Attack
26 Apr 2026 • MS
Marks & Spencer: Lee & Lee Country Club Data Breach Suspected North Korean Hackers
Major Ransomware Attack Disrupts Global Supply Chains
100
CRITICAL0
MAR1777213657
Cybersecurity Alert: Major Ransomware Attack Disrupts Global Supply Chains
A sophisticated ransomware attack has struck KNP Logistics Group, a leading UK-based logistics and supply chain provider, causing significant disruptions to operations across Europe and North America. The incident, detected on June 12, 2024, forced the company to take critical systems offline, halting shipments and delaying deliveries for major retail and manufacturing clients.
The attack, attributed to the LockBit ransomware group, encrypted key data and demanded a multi-million-dollar ransom. While KNP Logistics has not confirmed whether a payment was made, the company acknowledged the breach in a statement, citing "unauthorized access to certain IT systems." Cybersecurity experts warn that the attack may have exposed sensitive customer data, including shipment details and financial records.
The disruption has rippled through global supply chains, with reports of delayed orders from Tesco, Marks & Spencer, and other major retailers. Industry analysts estimate the financial impact could exceed £50 million, factoring in operational downtime, recovery costs, and potential regulatory fines under GDPR and other data protection laws.
Authorities, including the UK’s National Cyber Security Centre (NCSC) and Interpol, are investigating the incident. LockBit, known for high-profile attacks on critical infrastructure, has previously targeted healthcare, government, and transportation sectors. This latest breach underscores the growing threat ransomware poses to supply chain resilience, particularly as attackers increasingly exploit third-party vulnerabilities.
KNP Logistics is working with forensic teams to restore systems, but full recovery timelines remain unclear. The incident serves as a stark reminder of the cascading effects cyberattacks can have on interconnected industries.
MARCH 2026
100
FEBRUARY 2026
100
Breach
04 Feb 2026 • MS
TaskUs, Coinbase, Discord and Marks & Spencer: Coinbase confirms insider breach linked to leaked support tool screenshots
Coinbase Insider Breach Impacting 30 Customers
100
CRITICAL0
MARCOIDISTAS1770173590
Coinbase Confirms Insider Breach Impacting 30 Customers in December Incident
Coinbase has disclosed an insider breach involving a contractor who improperly accessed the personal data of approximately 30 customers in December. The company confirmed the incident after threat actors known as Shiny Lapsus Hunters (SLH) briefly posted screenshots of an internal support interface on Telegram, revealing customer details such as names, email addresses, phone numbers, KYC information, wallet balances, and transaction histories.
The contractor, who no longer works with Coinbase, was detected by the company’s security team last year. Affected users were notified and provided with identity theft protection services, while regulators were informed as part of standard protocol. This breach is unrelated to a separate January 2025 incident involving TaskUs, an outsourcing firm that provides support services to Coinbase.
The screenshots shared by SLH suggest the group may have obtained the data through an insider or by circulating stolen information among threat actors. SLH has previously claimed to have bribed insiders at other firms, including CrowdStrike, to gain access to internal systems.
### Rising Threats to Business Process Outsourcing (BPO) Firms
The incident highlights a growing trend of threat actors targeting BPO companies, the third-party firms that handle customer support, IT services, and account management for organizations. Since BPO employees often have access to sensitive systems and data, they have become prime targets for attacks.
Common tactics include:
- Bribing insiders to steal or share customer information, as seen in the Coinbase and TaskUs breaches.
- Social engineering support staff to gain unauthorized access, such as the Clorox breach, where attackers impersonated an employee to compromise a Cognizant help desk agent, leading to a $380 million lawsuit.
- Compromising BPO employee accounts to access customer data, as in Discord’s October breach, where a support agent’s account at an outsourced provider was used to extract data from 5.5 million users.
Recent attacks on retailers like Marks & Spencer and Co-op have also involved social engineering against support personnel, prompting the U.K. government to issue guidance on mitigating such threats. The shift toward targeting BPOs reflects a broader strategy by threat actors to exploit third-party access rather than directly breaching corporate networks.
JANUARY 2026
100
Breach
01 Jan 2026 • MS
Marks & Spencer: Brazil Leads the World in Global Identity Security Survey: RSA ID IQ Report Unveils Top Identity Threats
RSA 2026 Identity-Related Breach Report Findings
100
CRITICAL0
MAR1768480120
RSA Report: Identity-Related Breaches Surge, Costs Skyrocket in 2026
A new global report from RSA reveals a sharp rise in identity-related breaches, with 69% of organizations experiencing such incidents in the last three years, a 27-percentage-point increase year-over-year. The 2026 RSA ID IQ Report, based on insights from over 2,100 cybersecurity, IAM, and IT professionals, highlights escalating risks, financial impacts, and emerging attack vectors in identity security.
Key findings include:
- Breach frequency and costs: Identity-related breaches have surged by 64% relative to the previous year, with 45% of organizations reporting costs exceeding IBM’s typical breach benchmark. Notably, 24% faced losses exceeding $10 million, a three-point increase from 2025.
- Top threats: IT help desk bypass and social engineering attacks have become a major concern, with 65% of organizations worried about a repeat of high-profile breaches like those at MGM Resorts, Caesars Entertainment, and Marks & Spencer. Over half (51%) now view service desk attacks as their most significant risk.
- Passwordless adoption: Brazil leads globally in passwordless authentication, with 50% of respondents using it at least half the time, nine points above the global average.
- AI in cybersecurity: While 83% of professionals believe AI will benefit cybersecurity more than cybercrime in the next three years, 91% of organizations plan to integrate AI into their tech stacks this year. Brazil stands out for its high AI adoption but also expresses the greatest skepticism about its security benefits.
RSA CEO Greg Nelson emphasized the urgency of addressing identity vulnerabilities, stating that the "likelihood of a breach and the cost of inaction are too high for leaders to tolerate the status quo." The report underscores the need for organizations to reassess their identity security strategies amid evolving threats.
DECEMBER 2025
100
Cyber Attack
29 Dec 2025 • MS
Adidas, Heathrow Airport, Harrods, Marks and Spencer, Co-op Group and Jaguar Land Rover: How 2025 Became The Year Of The Cyberattack For British Businesses
100
CRITICAL0
ADIHEAHARMARTHEJAG1767017696
2025: A Year of Rising Costs—and Escalating Cyber Threats for UK Businesses
As 2025 draws to a close, UK businesses and charities have faced a surge in financial pressures—from soaring employment costs and supply chain disruptions to oil and tariff shocks. Yet, one of the most damaging expenses has been the fallout from cyberattacks, which have hit nearly half of British companies and 30% of charities over the past year.
High-profile victims include retail giants Marks & Spencer, Adidas, and the Co-op Group, as well as Heathrow Airport, Harrods, and Jaguar Land Rover (JLR). The public sector hasn’t been spared either: Germany’s parliament and the UK Foreign Office (breached in October) were among those targeted. Attacks ranged from phishing scams to full-scale digital shutdowns, with some incidents costing hundreds of millions.
The scale of cybercrime has reached staggering proportions. Cybersecurity Ventures estimates the global cost of cyberattacks in 2025 at $10.5 trillion (£7.8 trillion)—a figure that would rank cybercrime as the world’s third-largest economy, trailing only the US and China. The financial and operational toll underscores the growing threat to organizations across sectors.
NOVEMBER 2025
100
OCTOBER 2025
100
Cyber Attack
14 Oct 2025 • MS
Marks & Spencer, Jaguar Land Rover and Co-op Group: Cyber-attacks rise by 50% in past year, UK security agency says
UK Surge in Cyber-Attacks by State-Backed Threats
100
CRITICAL0
MARCO-JAG1771151062
UK Faces Surge in Cyber-Attacks as State-Backed Threats Intensify
The UK’s cybersecurity landscape has grown increasingly volatile, with "highly significant" cyber-attacks rising by 50% over the past year, according to the National Cyber Security Centre (NCSC). The agency, part of GCHQ, now responds to a nationally significant attack more than every other day, a sharp increase driven by ransomware, state-sponsored threats, and the expanding digital attack surface.
In its annual review, the NCSC identified China, Russia, Iran, and North Korea as the primary state-backed adversaries, with Russia described as "capable and irresponsible" and China as "highly sophisticated." The report highlights a surge in ransomware incidents, often carried out by criminal groups, alongside state-aligned hacktivism. Over the past year, the NCSC handled 429 cyber incidents, nearly half classified as nationally significant, including 18 "highly significant" attacks that disrupted government operations, essential services, or the economy. Victims included major retailers like Marks & Spencer and the Co-op Group.
Government officials, including Chancellor Rachel Reeves and Security Minister Dan Jarvis, have urged businesses of all sizes to treat cyber-resilience as a board-level priority, warning that hostile activity has become "more intense, frequent, and sophisticated." GCHQ Director Anne Keast-Butler emphasized the need for proactive risk management, stating, "Prioritise cyber risk management, embed it into your governance, and lead from the top."
The NCSC also noted the growing role of artificial intelligence in cyber threats, predicting that AI will "almost certainly pose cyber-resilience challenges" through at least 2027. While no AI-initiated attacks have been confirmed, adversaries are already leveraging the technology to refine their tactics. Meanwhile, Russia’s influence extends beyond state operations, inspiring hacktivist groups targeting the UK, US, and NATO allies. Recent disruptions, such as the cyber-attack on Jaguar Land Rover, which halted manufacturing, and the airport outages affecting London Heathrow, underscore the real-world consequences of these threats.
Domestic cybercrime remains a concern as well. Last week, two 17-year-olds were arrested in Hertfordshire over an alleged ransomware attack on the Kido nursery chain, exposing children’s data. NCSC CEO Richard Horne warned of the emotional toll on victims, noting, "I’ve sat in too many rooms with individuals deeply affected by these attacks: the worry, the sleepless nights, the disruption to staff, suppliers, and customers."
With the UK recording its highest level of cyber threat activity in nine years, the NCSC’s findings signal a critical shift in the severity and frequency of digital attacks, demanding heightened vigilance across sectors.
SEPTEMBER 2025
100
Ransomware
02 Sep 2025 • MS
Marks & Spencer
DragonForce Ransomware Cartel Emerges from Conti’s Leaked Source Code
100
CRITICAL0
MAR1193411110425
Marks & Spencer (M&S), a prominent UK retailer, fell victim to a coordinated ransomware attack linked to the DragonForce cartel and its affiliate Scattered Spider. The incident involved the deployment of DragonForce-built ransomware, leveraging Conti’s leaked source code with advanced encryption (ChaCha20 + RSA) and network-spreading capabilities via SMB. The attack targeted both local and shared network storage, with operators threatening to delete decryptors and leak stolen data if ransom demands were unmet by deadlines (September 2 and 22).
The breach disrupted M&S’s operations, risking customer data exposure, financial fraud, and reputational damage due to media coverage. DragonForce’s cartel model—recruiting affiliates like Devman and Scattered Spider—amplified the attack’s sophistication, combining initial access tactics with aggressive data exfiltration. While the full scope of compromised data (e.g., payment details, personal records) remains undisclosed, the incident aligns with DragonForce’s pattern of high-impact extortion, including threats to publish sensitive information. The attack underscores the escalating risks posed by ransomware-as-a-service (RaaS) ecosystems, where collaborative cybercriminal groups exploit enterprise vulnerabilities for maximal disruption and profit.
AUGUST 2025
100
Cyber Attack
29 Aug 2025 • MS
Marks & Spencer (M&S)
Cyber Attacks on UK Retailers Including M&S, Co-op, Cartier, Harrods, and LVMH
100
CRITICAL0
MAR628082925
Marks & Spencer (M&S) suffered a significant cyber attack executed by the hacking group Scattered Spider, resulting in a £300 million loss in profits. The attack disrupted M&S’s systems, highlighting the severe financial and operational consequences even for well-established brands. The incident underscores the escalating threat landscape, where sophisticated cybercriminals—empowered by AI and Cybercrime-as-a-Service (CaaS)—target high-profile organizations. Beyond immediate financial damage, the breach eroded customer trust, increased recovery costs, and exposed vulnerabilities in M&S’s cybersecurity posture. The attack serves as a stark warning to businesses of all sizes, emphasizing the need for proactive security measures rather than reactive responses. With cyber insurance premiums rising and regulatory pressures (e.g., the upcoming Cyber Security and Resilience Bill) mandating resilience, M&S’s case illustrates how inadequate defenses can lead to long-term reputational harm and operational disruptions, particularly when critical systems or financial data are compromised.
JULY 2025
100
Ransomware
15 Jul 2025 • MS
Belk and Marks & Spencer: Marks & Spencer hackers hit US retailer Belk
DragonForce Ransomware Group Strikes US Retailer Belk in Major Cyberattack
100
CRITICAL0
BELMAR1770616665
The US department store chain Belk has fallen victim to a cyberattack by the DragonForce ransomware group, the same threat actor behind the recent £300 million ($403 million) attack on UK retailer Marks & Spencer (M&S). The breach, disclosed in early June via a filing with the New Hampshire Attorney General’s Office, involved unauthorized access to corporate systems and sensitive customer data.
Researchers from Cybernews confirmed the legitimacy of the leak, which includes names, dates of birth, addresses, phone numbers, email addresses, and order histories, data that could be exploited by malicious actors, data brokers, or insurance companies for profiling. The exposed information also encompasses store coupons, employee records, and data from Belk’s mobile app infrastructure. While the exact number of affected individuals remains unclear, estimates suggest up to a million users may be impacted, though some accounts are likely test profiles.
DragonForce, which first emerged in 2023, has rapidly expanded its operations, targeting 104 organizations in the past year. The group operates a dark web blog where it lists victims and shares stolen data. In Belk’s case, attackers claim to have exfiltrated 156GB of company data, including backups and employee profiles. The gang initially stated it had no intention of "destroying" Belk’s business but resorted to destructive measures after the company refused to pay the ransom.
The attack has had significant financial repercussions for M&S, forcing its online clothing operations offline, disrupting food supply chains, and wiping over £1 billion from its stock market value. Online sales and trading profits in the affected division have been "heavily impacted" due to the suspension of e-commerce services.
Belk, founded in 1888, operates nearly 300 stores across 16 US states and reported $4 billion in revenue last year. The incident underscores the growing threat posed by ransomware groups like DragonForce, which has also hijacked infrastructure from rival gangs such as BlackLock, Mamona, and RansomHub in a bid to dominate the cybercriminal landscape.
JULY 2025
100
Ransomware
01 Jul 2025 • MS
Marks and Spencer (M&S)
Series of Cyber Attacks on UK Retailers (April–June 2024)
100
CRITICAL0
MAR5392253090725
Marks and Spencer (M&S) suffered a significant ransomware attack over the Easter weekend, with repercussions lasting over two months. The attack suspended all online orders and disabled contactless payments in physical stores, severely disrupting operations. While customer data was accessed, M&S confirmed that payment details and passwords remained secure. However, the financial fallout was catastrophic—£300 million was wiped from its market value, marking it as the most financially damaging cyber attack in UK retail history. Recovery has been slow, with some online ordering and delivery services still unavailable weeks later. The attack not only crippled revenue streams but also eroded customer trust, risking long-term reputational harm. The incident aligns with a broader trend of retailers being targeted for their vast customer databases and critical payment infrastructure, amplifying operational and financial vulnerabilities.
JUNE 2025
100
Ransomware
16 Jun 2025 • MS
Marks & Spencer (M&S)
2025 Retail Cyberattacks: Marks & Spencer, Co-op, and Louis Vuitton Breaches
100
CRITICAL0
MAR1993619102425
In 2025, Marks & Spencer (M&S) suffered a high-profile cyberattack over Easter, involving ransomware, payment system disruption, and third-party exploitation. The breach caused major operational downtime, leading to significant financial losses due to halted transactions and recovery efforts. The attack disrupted business continuity, eroded customer trust, and exposed vulnerabilities in M&S’s supply chain and internal security posture. While the exact scale of data exposure remains undisclosed, the incident highlighted the retailer’s susceptibility to multi-vector attacks, combining credential abuse, lateral movement, and ransomware deployment. The fallout included reputational damage, regulatory scrutiny, and the urgent need for overhauls in identity access management, real-time threat detection, and incident response protocols. The attack underscored how even established brands with sophisticated defenses remain at risk without proactive visibility across digital infrastructure.
JUNE 2025
100
Breach
13 Jun 2025 • MS
Cartier, Marks & Spencer and Victoria’s Secret: UPDATE: May Cyber Attack Expected to Cost Victoria’s Secret $20 Million
Retail Cyberattacks Surge: Victoria’s Secret, The North Face, and Cartier Among Latest Victims
100
CRITICAL0
VICMARCAR1772649374
A wave of cyberattacks has targeted major retailers in recent weeks, disrupting operations and exposing customer data. Victoria’s Secret, The North Face, and Cartier are among the latest brands to report security breaches, highlighting the growing threat to the retail sector.
### Victoria’s Secret Hit by Undisclosed Cyberattack
Victoria’s Secret experienced a security incident in late May, forcing the company to shut down its website and pause some in-store services from May 26 to May 29, 2025. While stores remained open, the outage delayed the company’s fiscal Q1 earnings report, though financial results released on June 11 showed net sales of $1.35 billion, exceeding expectations. However, the breach is projected to cost the company $20 million in Q2 net sales due to service disruptions.
### The North Face and Cartier Report Separate Breaches
The North Face, owned by VF Corp., disclosed a "small-scale" credential-stuffing attack in April 2025, where hackers used leaked login details from other breaches to access customer accounts. No financial data was compromised, but names and emails were exposed.
Luxury brand Cartier also confirmed a breach, revealing that an unauthorized party accessed customer data, including purchase history, shipping addresses, birth dates, and phone numbers. The company did not specify when the attack occurred.
### Retail Sector Under Siege
These incidents follow a string of attacks on other retailers this month, including Marks & Spencer, Dior, Harrods, and Adidas. The Adidas breach, linked to a third-party customer service provider, underscored the risks of supply chain vulnerabilities. Cybersecurity experts warn that retailers are prime targets due to the vast amounts of sensitive customer data they handle, with 46% of retail security professionals reporting data loss from attacks in the past year.
The financial and reputational toll is significant companies face network outages, customer account compromises, and long-term trust erosion, with some losing over 10% of annual revenue after breaches. While details of the Victoria’s Secret attack remain undisclosed, the incident reflects a broader trend of coordinated or opportunistic attacks on the retail industry.
JUNE 2025
100
Ransomware
01 Jun 2025 • MS
Harrods, Marks & Spencer, Co-Op and British Horseracing Authority: British Horseracing Authority hit by ransomware
British Horseracing Authority (BHA) Ransomware Attack
100
CRITICAL0
HARMARTHEBRI1769526687
UK Organizations Face Rising Ransomware Threats as Cyberattacks Intensify
The British Horseracing Authority (BHA) became the latest UK organization to suffer a ransomware attack in early June 2025, compromising multiple servers within its IT infrastructure. While core racing operations and general administration remained unaffected, the incident forced some IT staff to work remotely as authorities worked to contain the breach. The responsible ransomware group has not been identified, with details kept confidential for security reasons.
The attack is part of a broader surge in cyber threats targeting Western entities, particularly in the UK. Recent victims include retail giants Marks & Spencer, which fell to the DragonForce ransomware and took five weeks to recover, as well as Co-Op and Harrods, both hit in the past two months. Cybercriminals are increasingly drawn to Western organizations due to two key factors: financial incentives (businesses in these regions are more likely to pay ransoms to avoid operational collapse) and perceived security gaps, where weak defenses make breaches easier and more profitable.
Ransomware tactics have also grown more aggressive. Beyond encrypting data, attackers now employ double extortion, stealing sensitive information before locking systems and threatening to leak it on the dark web if demands aren’t met. In rare cases, they escalate to triple extortion, targeting victims’ customers and partners to inflict reputational damage.
As cyber threats evolve in sophistication, the long-term impact on businesses and public institutions remains a pressing concern. The BHA incident underscores the escalating risks faced by organizations across sectors, with no clear resolution in sight.
MAY 2025
100
Cyber Attack
22 May 2025 • MS
Harrods, Marks & Spencer, Co-op and Peter Green Chilled: Ransomware attack hits food supply chain, exposes retail risks
Ransomware Attack on Peter Green Chilled Disrupts UK Food Supply Chain
100
CRITICAL0
THEHARMARPET1770508437
A ransomware attack on Peter Green Chilled, a key distributor of refrigerated goods to major UK supermarkets, has caused significant disruptions to food deliveries across the country. The incident adds to a growing wave of cyberattacks targeting the retail and logistics sectors, following recent breaches at Marks & Spencer, the Co-op, and Harrods.
The attack has exposed vulnerabilities in the UK’s supply chain, leading to delays, potential shortages, and concerns over consumer panic buying. Experts warn that such disruptions highlight the high stakes of cybersecurity in retail, where even brief outages can ripple through digital and physical operations.
Andy Norton, European Cyber Risk Officer at Armis, emphasized that the sector’s reliance on digital supply chains, operational continuity, and customer data makes it a prime target. Data from Armis Labs shows 41% of retailers have faced increased cyber threats in the past six months, with 79% of IT decision-makers prioritizing proactive cybersecurity measures in the coming year. However, nearly half of surveyed retailers admit past breaches have left their systems inadequately secured, while 46% struggle with evolving regulatory complexities.
Security analysts, including Nir Dvorkin of Cynet Security, link the attack to Scattered Spider (UNC3944), a group known for sophisticated tactics like phishing, SIM-swapping, and help desk impersonation. The group’s methods blend social engineering with the exploitation of legitimate remote access tools, making detection difficult. Dvorkin stressed that these attacks are not opportunistic but meticulously planned to bypass defenses.
To counter such threats, experts recommend a layered defense strategy, including enforced multi-factor authentication (MFA), restricted remote access, and employee training to recognize social engineering attempts. Despite growing awareness (82% of retail employees know how to report suspicious activity), only 46% of organizations claim real-time detection and response capabilities.
With high-profile groups like Anonymous, DarkSide, and APT41 posing persistent threats, the retail sector faces mounting pressure to strengthen cyber defenses. The attack on Peter Green Chilled underscores how digital threats now directly impact the physical supply of essential goods, reinforcing the need for enhanced security, training, and regulatory alignment.
MAY 2025
100
Cyber Attack
21 May 2025 • MS
Harrods, Marks & Spencer and Co-op: M&S cyber-attack disruption to last until July and cost £300m
Marks & Spencer Prolonged Online Disruption Following Easter Cyber-Attack
100
HIGH0
HARTHEMAR1781750033
Marks & Spencer Faces Prolonged Online Disruption Following Easter Cyber-Attack
Marks & Spencer (M&S) has revealed that its online services will remain disrupted until July after a sophisticated cyber-attack last month. The retailer, which has struggled with online ordering for nearly a month, expects a gradual return to normal operations over the coming weeks.
The attack, which occurred over the Easter weekend, initially disrupted click-and-collect and contactless payment systems. By the following week, M&S had to suspend online ordering entirely, displaying an apology banner on its website. CEO Stuart Machin described the incident as a "highly sophisticated and targeted" breach, with financial analysts estimating a £300 million hit to annual profits, equivalent to a third of the company’s earnings. While insurance may cover part of the loss, the impact remains significant.
Authorities are investigating Scattered Spider, a notorious English-speaking hacking group linked to previous attacks on the Co-op and Harrods. M&S appears to have suffered the most severe consequences among the targeted retailers. Despite the setback, Machin assured stakeholders that the company would emerge stronger, framing the incident as a temporary obstacle in its broader restructuring efforts.
Cyber Attack
21 May 2025 • MS
Ocado Retail and Marks & Spencer: M&S blames ‘human error’ for cyber attack that will hit profit by £300mn
M&S Cyberattack via Third-Party Supplier
100
MEDIUM0
MAROCA1780944395
M&S Hit by Sophisticated Cyberattack via Third-Party Supplier, Disrupting Operations and Profits
UK retailer Marks & Spencer (M&S) confirmed a cyberattack that exploited social engineering tactics through a compromised third-party supplier, tricking IT staff into altering passwords and authentication processes. The company declined to name the affected supplier.
The breach forced M&S to suspend its online clothing business for over three weeks, disrupted food store stocking, and led to the theft of customer data. The attack wiped nearly £750 million off M&S’s market capitalization and is expected to reduce operating profits by £300 million this year. The retailer anticipates ongoing disruptions to online operations until July, with additional waste and logistics costs incurred.
M&S CEO Stuart Machin attributed the incident to "human error" rather than IT system vulnerabilities, stating that the company’s cyber defenses were not at fault. He confirmed that no ransom was paid and described the attack as a "highly sophisticated and targeted" event. While the breach overshadowed strong annual results (including a 22% rise in pre-tax profit to £875.5 million and a 6.1% increase in sales to nearly £14 billion), reported pre-tax profits fell 24% to £511.8 million, partly due to a £248.5 million impairment on its Ocado Retail stake.
M&S plans to accelerate its technology overhaul, compressing a two-year modernization timeline into six months. Despite the setback, Machin emphasized that the attack was a "bump in the road" and would not derail the company’s long-term transformation strategy. The retailer expects to offset some financial losses through insurance and cost management.
MAY 2025
100
Cyber Attack
20 May 2025 • MS
Tesco, Sainsbury’s, Waitrose, Asda, Peter Green Chilled, Morrisons, Marks & Spencer, Co-op and Aldi: Supplier to Tesco, Aldi and other supermarkets hit with ransomware
UK Food Logistics Firm Hit by Ransomware, Disrupting Major Supermarket Supply Chains
100
CRITICAL0
MARCALWAISAITOYTHEMORPET-TE1772023906
A ransomware attack on Peter Green Chilled, a key logistics provider for major UK supermarkets, has disrupted order processing for retailers including Tesco, Sainsbury’s, Asda, Waitrose, Co-op, Morrisons, M&S, and Aldi. The incident, which occurred last Wednesday, forced the Somerset-based company to suspend order handling on Thursday, though transport operations remained unaffected.
Managing Director Tom Binks confirmed the attack in an email, stating that the firm was implementing workarounds to maintain deliveries while providing regular updates to clients. While existing schedules have largely held, concerns persist among suppliers of perishable goods over potential waste due to delays.
This attack follows a recent surge in ransomware incidents targeting the UK retail sector, with Marks & Spencer, Co-op, and Harrods all experiencing disruptions in recent weeks. Phil Pluck, CEO of the Cold Chain Federation, noted a sharp rise in such attacks on food distribution networks, often unreported due to reputational risks. The cold chain sector’s tight timelines and high-volume perishable goods make it a lucrative target for cybercriminals.
Security experts warn that supply chain vulnerabilities amplify the impact of such breaches. Richard Orange of Abnormal AI highlighted the risk of follow-on attacks, including vendor email compromise, where attackers impersonate suppliers to steal credentials or redirect payments. Meanwhile, Andy Norton of Armis reported that 41% of retailers have faced increased cyber threats in the past six months, with no signs of slowing.
Peter Green Chilled has not yet provided further comment on the incident. A previous reference to Lidl as a client was retracted after the supermarket confirmed it no longer uses the firm’s services.
MAY 2025
100
Ransomware
16 May 2025 • MS
Dior and Marks & Spencer: Dior likely hit by ransomware attack
Dior Hit by Suspected Ransomware Attack, Customer Data Exposed
100
CRITICAL0
CHRMAR1769504421
French luxury fashion house Dior has fallen victim to a suspected ransomware attack, with hackers gaining unauthorized access to internal servers and compromising sensitive customer data. The breach, still under investigation, appears to involve file-encrypting malware, though Dior has not confirmed whether a ransom demand was made.
The exposed data includes names, gender details, phone numbers, email and postal addresses, purchase history, and fashion preferences categorized by gender and age. While no financial information such as payment details or employee records was leaked, the stolen data poses risks for targeted phishing attacks, where cybercriminals could use personal details to craft convincing fraudulent messages.
Dior has responded by implementing security measures to contain the breach and prevent further spread of the malware. The company’s IT teams are conducting a full investigation and have committed to providing updates as new details emerge. Customers have been advised to monitor their accounts for suspicious activity, as the stolen data may be exploited in phishing schemes over the next 6 to 12 months.
The incident follows a recent wave of cyberattacks on major retail brands, including Marks & Spencer, Co-Op, and Harrods, linked to the "Scattered Spider" gang and the DragonForce ransomware group. While Dior has not attributed the attack to a specific threat actor, the breach underscores the growing focus of cybercriminals on retail data, which can be used for fraud, identity theft, or even targeted marketing by third parties.
As the investigation continues, the full impact of the breach remains unclear, though the exposure of personal details, particularly shopping preferences, raises concerns about long-term privacy risks.
MAY 2025
100
Ransomware
02 May 2025 • MS
Marks & Spencer (M&S)
Ransomware Attack on Marks & Spencer and Harrods by Scattered Spider
100
CRITICAL0
MAR824090225
Marks & Spencer (M&S), a leading British retail giant, suffered a ransomware attack attributed to the hacking group Scattered Spider (Octo Tempest) using the DragonForce ransomware. The attack disrupted online orders, contactless payments, click-and-collect services, and gift card processing, forcing the company to halt all digital sales—a channel generating ~£3.8M in daily revenue. The incident caused supply chain disruptions, leading to empty shelves, shortages of key products (e.g., Percy Pigs sweets), and the furlough of 200 warehouse workers. Over £700M was wiped from M&S’s market value, with shares dropping 6.5%, while recruitment froze (200+ job listings removed). The attack also triggered a Metropolitan Police investigation, though M&S has not confirmed data breaches. Systems remained offline for over a week, with no recovery timeline provided. The NCSC warned retailers to bolster cybersecurity, highlighting the attack’s severe operational and financial fallout.
APRIL 2025
100
Cyber Attack
01 Apr 2025 • MS
Marks & Spencer, Jaguar Land Rover and Co-op Group: Almost half of UK businesses hit by cyber attacks
UK Cybersecurity Threats and AI Amplification
100
HIGH0
THEJAGMAR1777573989
UK Cybersecurity Threat Remains High as AI Amplifies Risks, Government Report Finds
The UK government’s Cyber Security Breaches Survey 2025-26 reveals persistent and severe cyber threats, with 43% of businesses, 28% of charities, and 69% of large firms reporting breaches or attacks in the past year. Nearly a third (29%) of respondents faced incidents at least weekly, underscoring the ongoing challenge.
The report arrives amid a surge in high-profile attacks, including breaches at Marks & Spencer, Co-op Group, and Jaguar Land Rover, as well as growing concerns over offensive AI. Cybersecurity minister Liz Lloyd warned that AI is sharpening the threat landscape, urging business leaders to prioritize defenses. In response, the government has targeted over 180 major UK companies with a call to adopt the upcoming Cyber Resilience Pledge, a voluntary initiative requiring board-level accountability, enrollment in the NCSC’s free Early Warning service, and Cyber Essentials certification across supply chains.
While some trends show improvement (ransomware attacks dropped to 1% from 3% the prior year, and phishing incidents fell to 38% from 42% in 2023-24), phishing remains the most common and disruptive threat. Impersonation attacks also declined, affecting 12% of businesses (down from 17% in 2023-24) and fewer charities. However, the financial and reputational fallout of breaches has worsened: 5% of businesses reported revenue or share value losses (up from 2%), while reputational damage rose to 3% from 1%.
The survey highlights a paradox: while defenses may be strengthening in some areas, attackers are leveraging AI to refine tactics, keeping pressure on organizations across sectors.
Cyber Attack
01 Apr 2025 • MS
Marks & Spencer (M&S)
Marks & Spencer (M&S) Cyberattack via Third-Party Vendor (TCS) Leading to £300M Loss and Contract Termination
100
CRITICAL0
MAR3792037102625
British retail giant Marks & Spencer (M&S) suffered a devastating cyberattack in April 2025, orchestrated by the Scattered Spider group via third-party vendor impersonation, exploiting credentials from TCS help-desk employees. The breach forced M&S to shut down its online shopping platform, suspend click-and-collect services, and disrupt supply chain operations, leading to empty shelves in physical stores. The financial impact was severe, with £300 million in lost operating profit and £1 billion wiped from market capitalization. The attack damaged M&S’s reputation, eroded customer trust, and prompted the termination of its long-standing IT support contract with TCS. The incident underscored vulnerabilities in outsourced vendor access, social engineering risks, and supply chain cybersecurity, causing operational paralysis and competitive disadvantage as rivals gained market share during the outage.
Ransomware
01 Apr 2025 • MS
Marks & Spencer and Jaguar Land Rover: Over 300 UK Firms Hit by Ransomware in a Year
UK SMEs Hit Hardest as Ransomware Attacks Surge in 2025-26
100
CRITICAL0
MARJAG1782807847
UK organizations faced an average of 26 successful ransomware attacks per month between April 2025 and March 2026, with small and mid-sized enterprises (SMEs) bearing the brunt of the impact. According to data from Report Fraud, a cybercrime and fraud reporting service operated by City of London Police, 323 corporate victims reported incidents during the period, over half of which were SMEs.
Financial losses from these attacks rose sharply, increasing 50% year-on-year to approximately £270,000 ($357,000) per incident. However, authorities acknowledge this figure is likely an underestimate, as many businesses do not disclose the full extent of their losses. Among sectors that identified themselves, manufacturing reported the highest number of attacks (42), followed by scientific and technical services (21) and education (19).
The UK’s ransomware crisis escalated in 2025, with high-profile breaches at companies like Marks & Spencer, Co-op Group, and Jaguar Land Rover. The attack on Jaguar Land Rover was attributed to Russian hackers, with experts suggesting the motive may have been sabotage rather than financial gain.
Despite the rising threat, reporting remains inconsistent. Security experts, including Talion CEO Kevin Knight, warn that paying ransoms is often ineffective, as attackers frequently fail to return data in usable form or at all. Meanwhile, the UK government continues to debate mandatory ransomware reporting and a potential ban on payments for public sector and critical infrastructure organizations. Until such measures are implemented, the true scale of the problem will likely remain obscured.
JANUARY 2025
497
Breach
01 Jan 2025 • MS
Harrods and Marks & Spencer: Account Recovery Becomes a Major Source of Workforce Identity Breaches
Account Recovery Workflows Exploited in Identity Breaches Targeting U.K. Retailers
100
CRITICAL-397
HARMAR1773319278
Cybersecurity Alert: Account Recovery Workflows Become Prime Target for Identity Breaches
In 2025, a wave of cyberattacks targeting major U.K. retailers including Marks & Spencer, Harrods, and the Co-op Group exposed a critical vulnerability in identity security: account recovery workflows. Despite robust multi-factor authentication (MFA) and phishing-resistant controls at login, attackers bypassed protections by exploiting password resets, MFA re-enrollment, and help-desk recovery requests through social engineering.
The incidents revealed a systemic flaw: recovery processes are rarely treated as high-risk security events. Designed for speed and convenience, these workflows rely on outdated assumptions, such as trust in human judgment, static knowledge-based questions, and unsecured communication channels, that are easily manipulated by modern attackers. AI-driven impersonation, synthesized voices, and stolen credentials now allow threat actors to convincingly mimic legitimate users, making deception nearly undetectable for help-desk staff.
While MFA is widely adopted, its effectiveness collapses during recovery. Many organizations require minimal verification to reset MFA, allowing attackers to sidestep authentication entirely. The result? Breaches where MFA was technically "enabled" but functionally useless, as compromised recovery flows undermine downstream security controls.
The root issue lies in identity assurance being treated as disposable. Onboarding may involve rigorous verification, but recovery often reconstructs trust using weaker signals, such as email links or scripted questions, rather than referencing the original proofing process. This creates a paradox: the path to regaining access is easier than the path to maintaining it.
To counter this, experts argue recovery workflows must be designed for adversarial conditions. High-risk actions should trigger step-up verification, and self-service resets must preserve identity assurance rather than weaken it. Without these changes, attackers will continue to exploit recovery as the weakest link in identity security, bypassing strong authentication without ever directly attacking it.
Ransomware
01 Jan 2025 • MS
Marks & Spencer and Colonial Pipeline: What Is Ransomware, and How Did It Get So Big?
Ransomware as a Persistent Global Threat
100
HIGH-397
MARCOL1772024134
Ransomware Remains a Persistent Global Threat Despite Government Efforts
Since 2021, governments worldwide, particularly the U.S., have elevated ransomware to a national security priority, issuing executive orders, convening summits, and imposing indictments and sanctions to combat the growing cyber threat. Yet, four years later, ransomware continues to disrupt critical sectors, including retail, manufacturing, healthcare, and education, with attacks persisting into 2025.
The enduring appeal of ransomware for cybercriminals lies in its lucrative and low-risk nature. By deploying malicious software to encrypt victims’ files, attackers demand payment in exchange for decryption keys, often crippling operations. High-profile incidents, such as the 2021 Colonial Pipeline attack that disrupted U.S. fuel supplies, underscore the far-reaching consequences of these breaches. In the same year, British retailer Marks & Spencer suffered a £300 million financial hit from a cyberattack.
Despite heightened government action, the ransomware epidemic shows no signs of abating, as cybercriminals exploit vulnerabilities in global digital infrastructure for profit. The threat remains a defining challenge for businesses and organizations worldwide.
Ransomware
01 Jan 2025 • MS
Asahi, Jaguar Land Rover and Marks & Spencer: Why Ransomware Remains One of Cybersecurity’s Most Persistent Threats
Ransomware Attacks Escalate in 2026: Rising Costs, Evolving Tactics, and Persistent Vulnerabilities
100
CRITICAL-397
MARASAJAG1771331989
Ransomware remains one of the most disruptive cybersecurity threats in 2026, with attacks growing in scale, sophistication, and financial impact. The average ransom demand has surged to $1.3 million, with over half of payments exceeding $1 million, a stark increase from the sub-$1,000 demands of a decade ago. Even when victims refuse to pay, the long-term operational and financial damage can be severe, as seen in high-profile incidents affecting Jaguar Land Rover, Marks & Spencer, and Asahi in 2025.
### Why Ransomware Persists and Worsens
Despite being a known threat for years, ransomware attacks are more disruptive than ever due to a combination of poor cyber hygiene, expanding attack surfaces, and AI-driven tactics.
#### 1. Exploiting Basic Security Failures
Most ransomware attacks succeed by targeting unpatched vulnerabilities, weak or reused passwords, and missing multi-factor authentication (MFA). Excessive user permissions further enable attackers to move laterally across networks undetected. As Etay Maor of Cato Networks noted, "Over 80% of attacks stem from misconfigured or unpatched systems," highlighting that the root issue lies in preventable security gaps.
#### 2. Complex IT Environments Expand the Attack Surface
Modern enterprise networks, spanning cloud infrastructure, AI tools, and remote work systems, have grown increasingly difficult to secure. Misconfigured deployments, such as improperly secured AI chatbots or cloud suites, create new entry points for attackers. Cybercriminals also exploit legitimate accounts, making malicious activity harder to detect until it’s too late.
#### 3. Social Engineering and AI Amplify Threats
Attackers are increasingly using social engineering to bypass security controls. Techniques like ClickFix, which tricks users into running malicious scripts via fake error messages, allow cybercriminals to evade defenses with minimal effort. Meanwhile, AI has lowered the barrier for attackers, enabling them to:
- Generate customized phishing lures at scale.
- Deploy deepfake audio/video to impersonate executives or IT staff.
- Automate ransomware development, allowing even low-skilled threat actors to launch sophisticated attacks.
#### 4. The Ransom Payment Dilemma
The persistence of ransomware is fueled by victims paying ransoms, which funds further attacks. As Gavin Millard of Tenable warned, "Paying ransoms only enables attackers to invest in faster, more scalable ransomware operations." Instead, organizations are urged to focus on prevention, incident response, and disaster recovery to break the cycle.
### The Path Forward: Prevention Over Payment
Experts emphasize that stronger security fundamentals, such as patching vulnerabilities, enforcing MFA, and monitoring for unusual account activity, can significantly reduce ransomware risks. However, the challenge remains in securing board-level investment for proactive measures, as the cost of prevention is far lower than the fallout of an attack.
With ransomware showing no signs of slowing, the battle hinges on closing security gaps before attackers exploit them, not just reacting after the damage is done.
DECEMBER 2024
525
Cyber Attack
25 Dec 2024 • MS
SolarWinds, Kaseya, MoveIt Transfer, PowerSchool, DaVita, NASCAR, Marks & Spencer, Caesars Entertainment and Change Healthcare: Ransomware trends, statistics and facts in 2026
Ransomware Trends and High-Profile Attacks (2024-2025)
495
CRITICAL-30
DAVCAECHAPOWKASFILMARSOLNAS1770898846
Ransomware in 2025–2026: Evolving Threats, Rising Costs, and High-Profile Attacks
Ransomware remains a critical threat to governments, businesses, and critical infrastructure, disrupting healthcare, fuel distribution, retail, and identity security. Financial and operational impacts have intensified, with attackers refining tactics to maximize damage and extortion.
### Key Ransomware Trends
1. Supply Chain Attacks – Threat actors increasingly target software vendors to compromise multiple downstream victims. Notable incidents include:
   - 2023 MoveIt Transfer breach (Clop ransomware gang)
   - 2021 Kaseya attack (1,500+ MSP customers affected)
   - 2020 SolarWinds hack
2. Triple Extortion – Beyond encrypting data and threatening leaks, attackers now demand payment to prevent additional attacks. The Vice Society group used this tactic in its 2023 attack on San Francisco’s BART system. Leading ransomware groups like LockBit 5.0 now use private negotiation portals for targeted extortion.
3. Ransomware-as-a-Service (RaaS) – Cybercriminals lease pre-built ransomware tools and infrastructure, lowering the barrier to entry for attacks.
4. Exploiting Unpatched Systems – While zero-day vulnerabilities draw attention, most ransomware exploits known flaws in outdated software.
5. Phishing & AI-Driven Attacks – Phishing remains a primary infection vector, while generative AI enhances social engineering lures, reconnaissance, and attack automation.
### Ransomware by the Numbers (2025)
- 44% of breaches involved ransomware (Verizon 2025 DBIR), a 37% increase from 2024.
- 88% of SMB breaches included ransomware, compared to 39% in large enterprises.
- 34% rise in attacks in the first three quarters of 2025 (Total Assure).
- 5,010 U.S. incidents in the first 10 months of 2025, a 50% increase from 2024 (Cyble).
- 85% of attacks go unreported (BlackFog).
- Median ransom payment: $267,500 (Palo Alto Networks 2025).
- Average ransom payment: $1 million (Sophos 2025), down from $2 million in 2024.
- Average insurance claim: $292,000 (Coalition 2025), a 7% decrease from 2024.
### Notable 2024–2025 Ransomware Attacks
- PowerSchool (Dec. 2024) – Exposed data of 62M students and 9.5M teachers across North America.
- Yale New Haven Health (Mar. 2025) – Compromised 5.6M patient records; settled a class-action lawsuit for $18M.
- NASCAR (Apr. 2025) – Medusa ransomware gang stole 1TB of data and demanded $4M.
- DaVita (Apr. 2025) – 2.7M patients’ health data exposed by Interlock ransomware.
- Marks & Spencer (May 2025) – Pay2Key ransomware disrupted operations, contributing to a 90% profit drop.
- Ingram Micro (Jul. 2025) – SafePay ransomware caused service disruptions and revenue losses.
- Change Healthcare (2024) – Initially reported 100M+ victims; revised to 193M by mid-2025.
- LoanDepot (2024) – Attack disrupted loan services for 16.6M customers.
- MGM Resorts & Caesars Entertainment (2023) – High-profile attacks crippled Las Vegas casino operations.
### Future Ransomware Predictions
- AI-Powered Automation – Attacks will become faster, more persistent, and harder to detect (Trend Micro).
- Voice-Based Vishing – AI-generated calls will rise as a social engineering tactic (Zscaler).
- Encryption-Free Extortion – More groups will skip encryption, relying solely on data theft threats (SentinelOne).
- GenAI-Enhanced Phishing – AI will enable more convincing, large-scale phishing campaigns.
Ransomware shows no signs of slowing, with attackers leveraging AI, supply chain vulnerabilities, and multi-layered extortion to escalate both frequency and impact.
JUNE 2024
498
Cyber Attack
16 Jun 2024 • MS
Marks and Spencer (M&S)
Cybersecurity Breach Involving Marks and Spencer (2024) and Scattered Spider Attacks (2023-2024)
471
CRITICAL-27
MAR5032050110325
Marks and Spencer (M&S), a high-profile British retailer, suffered a cybersecurity breach in early 2024, as referenced in the article. The attack, attributed to an organized group like Scattered Spider, likely involved data compromise and reputational damage. While specifics of the breach (e.g., type of data stolen, financial loss, or operational disruption) were not detailed, the article highlights the company’s proactive crisis response: the CEO issued timely digital communications to maintain customer trust and regulatory compliance. The incident underscores the financial and reputational risks of modern cyber threats, particularly for large enterprises. M&S’s rapid transparency—addressing stakeholders within days—suggests the breach may have involved customer data exposure or financial fraud risks, though no ransomware was explicitly mentioned. The attack aligns with broader trends of targeted campaigns against retail and critical infrastructure, emphasizing the need for robust backup systems, incident response plans, and C-suite accountability in cyber resilience.
FEBRUARY 2024
711
Ransomware
01 Feb 2024 • MS
Marks and Spencer
Cyber Attack on Marks and Spencer
463
CRITICAL-248
MAR847071225
A damaging cyber-attack on UK retailer Marks and Spencer in April last year caused heavy revenue losses, with a £300 million ($403 million) operating profit loss. Its online business was taken offline for seven weeks and is being rebuilt in stages, with the process not yet complete 14 months later. The attack was enabled by a hacker from the DragonForce ransomware group who impersonated an employee, reportedly at M&S contractor Tata Consultancy Services, and gained unauthorized system access via the M&S help desk. Reports indicate the breach began as early as February 2024, when hackers stole the Windows domain’s NTDS.dit file, which contains password hashes for domain users. By cracking these hashes, they accessed the network and deployed ransomware to encrypt virtual machines, disrupting services like contactless payments, click-and-collect, and online ordering.
JUNE 2023
797
Ransomware
16 Jun 2023 • MS
Marks & Spencer (M&S)
Cyber Attack on Co-op Group and Ongoing Ransomware Incident at Marks & Spencer (M&S)
700
CRITICAL-97
MAR1662016090825
Marks & Spencer (M&S), one of Britain’s most prominent retailers, suffered a ransomware attack attributed to the hacking collective Scattered Spider using the DragonForce encryptor. The attack forced M&S to shut down critical systems, including its website and app, halting clothing and home orders for six days during peak summer demand. Some food product availability was also disrupted in stores. The incident caused operational outages, financial losses from lost sales, and reputational damage during a high-revenue period. Cybersecurity experts noted the group’s aggressive tactics, including phishing, MFA bombing, and SIM swapping, targeting IT help desks. The attack aligns with Scattered Spider’s history of high-profile ransomware campaigns, such as those against Caesars Entertainment and MGM Resorts in 2023. The National Cyber Security Centre (NCSC), National Crime Agency (NCA), and Metropolitan Police’s Cyber Crime Unit are investigating, underscoring the attack’s severity and potential broader economic impact on the UK retail sector.
JANUARY 2023
795
Cyber Attack
01 Jan 2023 • MS
HSBC, Nationwide, Barclays, Lloyds, Marks & Spencer and Co-op: Cyber-attack threat keeps me awake at night, bank boss says
UK Banking Sector Faces Relentless Cyber Threats and IT Failures
765
CRITICAL-30
THEBARHSBLLONATMAR1774391436
UK Banking Sector Faces Relentless Cyber Threats as IT Failures Disrupt Services
The UK’s financial sector is grappling with escalating cybersecurity risks and frequent IT outages, with bank executives warning of the severe consequences for market stability and public trust. Speaking before the Commons Treasury Committee, HSBC UK CEO Ian Stuart emphasized that cybersecurity is "top of the agenda" for his group, describing the financial burden of defending against attacks as "enormous." HSBC alone is investing hundreds of millions of pounds to bolster its IT systems, reflecting a broader industry trend.
Cybersecurity experts, including Prof Oli Buckley of Loughborough University, described attacks on financial institutions as "relentless" and "increasingly sophisticated," with criminals monetizing breaches more efficiently than ever. Lisa Forte of Red Goat Cyber Security noted that Stuart’s concerns underscored a critical vulnerability: businesses should now assume an attack is a matter of when, not if.
The impact of IT failures has been stark. Between January 2023 and February 2024, nine major UK banks and building societies, including Barclays, Lloyds, Nationwide, and HSBC, experienced 158 IT outages, totaling 803 hours (33 days) of disruption. In January, a Barclays outage on payday left customers unable to access funds, while February saw further outages affecting 1.2 million people. Though Barclays UK CEO Vim Maru apologized for the disruptions, he confirmed no evidence of a cyberattack or malicious intent.
Beyond financial institutions, retailers like Co-op and Marks & Spencer have also faced severe disruptions from cyber incidents, highlighting the cross-sector nature of the threat. Bank executives, including Stuart, admitted the risks keep them "awake at night," with one describing the constant barrage of attacks as a daily reality.
The Treasury Committee’s inquiry into banking resilience underscores the urgency of addressing these vulnerabilities, as failures ripple beyond individual accounts, eroding confidence in the financial system itself.