Marks & Spencer Had 70 Days to Stop the Attack. They Didn't Know It Was Happening.

Case Study  ·  Ransomware
June 2026  ·  8 min read

In February 2025, attackers walked into Marks & Spencer's network using social engineering against a service desk. For 70 days they moved through the system, stole the password database for every domain user, and exfiltrated customer data — before deploying ransomware that shut down online shopping for nearly seven weeks and cost the company $409 million. Here are the five things every business with a payment system needs to know.


Marks & Spencer is one of Britain's most recognizable brands — 64,000 employees, 1,049 stores, a household name for 141 years. In the spring of 2025 it became the most expensive ransomware victim in British retail history.

The attack didn't start in April when the ransomware deployed. It started in February — two months earlier — when attackers called M&S's IT service desk, posed as an employee, and used social engineering to get their first foothold. For the next 70 days they were inside the network. Quietly. Moving laterally. Stealing the file that contains the password hashes for every single user in the Windows domain. Exfiltrating customer data. Setting up the conditions for a ransomware deployment that would encrypt M&S's virtual machines and bring online shopping to a halt for nearly seven weeks.

The attackers were Scattered Spider affiliates deploying DragonForce ransomware. They infiltrated M&S's IT systems as early as February, causing a five-day suspension of online sales averaging £3.8 million ($5.1 million) in daily losses, and a more than £500 million ($668 million) drop in the company's stock market value.

$409M: expected impact on operating profit, M&S's own estimate filed with the London Stock Exchange (M&S LSE filing / SecurityWeek, May 2025)
70 days: attackers were inside M&S's network before deploying ransomware, undetected the entire time (CM-Alliance / Specops timeline, 2025)
7 weeks: M&S online shopping suspended, £40 million per week in lost sales during the outage (BitDefender / Yahoo Finance, 2025)

⚠️ US retailers: you are next. Google's Threat Intelligence Group warned in May 2025 that DragonForce — the same ransomware-as-a-service group behind the M&S attack — has begun actively targeting US retailers using the same social engineering playbook. The Co-op and Harrods were also hit in the same campaign. If you operate retail, hospitality, or any business with a payment system and online orders, this is not a UK story.

What actually happened — the 70-day timeline

M&S Attack Timeline — February to July 2025

Feb 2025: Initial access via social engineering. Scattered Spider affiliates called M&S's IT service desk posing as an employee requesting a password reset or account access. The service desk complied. The attackers were inside. M&S had no idea.

Feb–Apr: 70 days of silent lateral movement. The attackers located and exfiltrated the NTDS.dit file — the Active Directory database containing password hashes for every domain user. By cracking those hashes, they obtained credentials for the entire organization. Customer data was also exfiltrated. No alerts fired. No detection occurred.

Late Apr: DragonForce ransomware deployed across virtual machines. With full domain credentials, attackers encrypted M&S's virtual infrastructure. Online clothing orders stopped. Food availability dropped. Payment systems were disrupted. M&S switched off its staff VPN to slow the spread, further disrupting operations. M&S didn't hear from the attackers for approximately one week.

May 13: M&S confirms customer data breach. Names, addresses, email addresses, phone numbers, dates of birth, online order history, and partial payment card data confirmed exposed. Class action investigations begin.

May 22: M&S files $409M impact estimate with the London Stock Exchange. Online disruption expected through June and into July. £40 million per week in lost sales. Stock price down 12%+. Cyber insurance claim of up to £100 million reportedly pursued.

Jul 2025: M&S Chairman Archie Norman confirms DragonForce to UK Parliament. "We didn't hear from the threat actor for about a week after it penetrated our systems," he told the Business and Trade Committee. Google simultaneously warns US retailers: the same group is now targeting them.

The attack began with a phone call to an IT service desk. No malware. No zero-day. No sophisticated technical exploit. The same technique that hit Cushman & Wakefield, Allianz Life, and 100+ other organizations. A service desk employee reset a password or granted access to someone who asked convincingly. From that single phone call, the attackers had 70 undetected days to dismantle one of Britain's largest retailers from the inside.

The five lessons for every business with a payment system

1. The ransom is never the cost — the disruption is

$409M lesson

M&S's $409 million impact wasn't the ransom payment — M&S has never confirmed paying any ransom. The $409 million is lost operating profit from seven weeks of disrupted operations: food sales losses, additional waste and logistics costs, and the near-total suspension of online clothing orders averaging £3.8 million per day.

For an SMB, the equivalent isn't seven weeks of £3.8 million losses. It's seven days of no online orders, no payment processing, and no way to serve customers while systems are rebuilt. The proportion is identical. Only the scale differs.

For your business: Calculate what one week of complete operational disruption costs your business. Lost revenue, staff time on recovery, emergency IT costs, notification costs, customer churn. That number — not the ransom figure — is your actual ransomware exposure.

2. Your IT service desk is your most exploitable entry point

Service desk risk

The M&S attack started with a call to the IT service desk. The Cushman & Wakefield attack started with a call to IT support. The Allianz breach started with a call to a vendor's support team. In every case, the entry point wasn't a technical vulnerability — it was a human process with no verification requirement.

IT service desks are designed to be helpful. Without a verification protocol — a callback process, a ticket requirement, an identity confirmation step — your service desk will give access to anyone who asks convincingly.

For your business: If your IT support can reset passwords or grant access based on a phone call without a verification step, you have the same gap M&S had. The fix: no password resets or access changes without a verified ticket, a callback to a known number, or an in-person confirmation. Write the policy today. It costs nothing.

3. NTDS.dit — the one file that gives attackers everything

Active Directory

Once inside M&S's network, the attackers exfiltrated the NTDS.dit file — the Active Directory database containing the password hashes for every single user in the Windows domain. With that file, they could crack credentials for every account: standard users, IT administrators, system accounts, service accounts with elevated privileges. Every door in the building was now unlocked.

For your business: If your business uses a Windows domain, ask your IT provider: who has access to your domain controller? When was that access last reviewed? Are there alerts for unusual Active Directory queries or bulk credential exports? These questions, had M&S asked them, would have caught the attack during its 70-day dwell period.

4. 70 days undetected means your monitoring has a gap

Detection gap

For 70 days, attackers moved through M&S's systems, exfiltrated the domain password database, stole customer data, and prepared ransomware deployment — and nothing reached a human who acted on it. IBM's 2025 research documents the average credential breach detection time at 292 days. M&S at 70 days was better than average. Better than average still meant $409 million.

For your business: Three signals that would have flagged the M&S attack during its dwell period: bulk Active Directory queries, large file transfers to external destinations, and accounts accessing systems they don't normally access. Ask your IT provider whether these signals are monitored and whether there's a documented response when they fire.

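The three signals in this callout, together with the alert for bulk credential exports asked about under lesson 3, as detection logic run over constructed sample logs. This is an added example and not code from the article, from M&S or from Veriti Spottr. Everything in it is an assumption built for illustration: the event field names (simplified stand-ins for Windows process-creation events, flow records and logon records), the list of domain controllers, the internal address ranges, the 5 GB egress threshold and the sample records themselves, which use RFC 5737 documentation addresses in place of real internet destinations.

```python
"""Dwell-time detection signals over constructed logs (added example).

Three checks, each a standalone function:
  1. ntds_export_alerts    - command lines on a domain controller that touch the
                             AD database (NTDS.dit) or snapshot it for export
  2. bulk_egress_alerts    - per-host byte totals to external addresses over a threshold
  3. unusual_access_alerts - accounts logging on to hosts absent from their baseline
All field names, hosts, ranges and records below are assumptions constructed here.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Signal 1: indicators that the AD database is being copied on a domain controller.
# Patterns are case-insensitive; the list is deliberately short and explicit.
NTDS_EXPORT_PATTERNS = [
    re.compile(r"ntdsutil.*\bifm\b", re.I),          # install-from-media snapshot
    re.compile(r"vssadmin.*create\s+shadow", re.I),  # volume shadow copy on a DC
    re.compile(r"ntds\.dit", re.I),                  # direct reference to the file
]


def ntds_export_alerts(process_events, domain_controllers):
    """Return (host, user, cmdline) for matching process-creation events on DCs."""
    hits = []
    for ev in process_events:
        if ev["host"] not in domain_controllers:
            continue  # the same command on a workstation is a different question
        if any(p.search(ev["cmdline"]) for p in NTDS_EXPORT_PATTERNS):
            hits.append((ev["host"], ev["user"], ev["cmdline"]))
    return hits


# Signal 2: large transfers to destinations outside the organisation's own ranges.
# Assumed internal ranges; anything not in them is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_str):
    addr = ip_address(ip_str)
    return any(addr in net for net in INTERNAL_NETS)


def bulk_egress_alerts(flows, threshold_bytes):
    """Sum bytes per (src_host, dst_ip) to external destinations; flag totals >= threshold."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["dst_ip"]):
            continue
        totals[(f["src_host"], f["dst_ip"])] += f["bytes"]
    return sorted(k for k, v in totals.items() if v >= threshold_bytes)


# Signal 3: an account reaching hosts it has never logged on to before.
def build_baseline(logons):
    """Map each user to the set of hosts seen during the baseline period."""
    baseline = defaultdict(set)
    for entry in logons:
        baseline[entry["user"]].add(entry["host"])
    return baseline


def unusual_access_alerts(baseline, new_logons):
    """Return (user, host) pairs where the host is not in that user's baseline."""
    return [(e["user"], e["host"]) for e in new_logons
            if e["host"] not in baseline.get(e["user"], set())]


# Constructed sample data (not real M&S telemetry).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
PROCESS_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc_backup",
     "cmdline": 'ntdsutil.exe "ac i ntds" ifm "create full D:\\export" q q'},
    {"host": "DC01", "user": "CORP\\it_admin", "cmdline": "wevtutil.exe qe Security /c:50"},
    {"host": "WS042", "user": "CORP\\jsmith", "cmdline": "notepad.exe C:\\notes\\ntds.dit.txt"},
]
FLOWS = [  # 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for the internet
    {"src_host": "FS01", "dst_ip": "203.0.113.10", "bytes": 6_000_000_000},
    {"src_host": "FS01", "dst_ip": "203.0.113.10", "bytes": 4_000_000_000},
    {"src_host": "WS042", "dst_ip": "10.0.0.5", "bytes": 9_000_000_000},   # internal copy, ignored
    {"src_host": "WS017", "dst_ip": "198.51.100.7", "bytes": 50_000_000},  # routine traffic
]
BASELINE_LOGONS = [
    {"user": "jsmith", "host": "WS042"}, {"user": "jsmith", "host": "FS01"},
    {"user": "svc_backup", "host": "BK01"},
]
NEW_LOGONS = [
    {"user": "jsmith", "host": "WS042"},
    {"user": "svc_backup", "host": "DC01"},  # backup account appearing on a domain controller
    {"user": "svc_backup", "host": "FS01"},
]


def run_all(threshold_bytes=5_000_000_000):
    """Run the three checks over the sample data and return their findings."""
    return {
        "ntds_export": ntds_export_alerts(PROCESS_EVENTS, DOMAIN_CONTROLLERS),
        "bulk_egress": bulk_egress_alerts(FLOWS, threshold_bytes),
        "unusual_access": unusual_access_alerts(build_baseline(BASELINE_LOGONS), NEW_LOGONS),
    }


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(f"{name}: {findings}")
```

Each function answers one of the provider questions in the callout with a concrete yes or no: the domain-controller check fires only on DCs, the egress check aggregates repeated flows to the same destination so that a transfer split into chunks still crosses the threshold, and the baseline check flags the backup service account the first time it shows up on a domain controller. In a real deployment the sample lists would be replaced by event feeds from a SIEM and the domain-controller list and internal ranges by the organisation's own inventory.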
5. Ransomware recovery isn't a technical problem — it's a business continuity problem

Recovery planning

M&S's recovery wasn't limited by its ability to decrypt files. It was limited by its ability to rebuild and restore complex infrastructure across 1,049 stores, multiple fulfilment systems, and an online platform. Seven weeks to restore online shopping isn't a technical timeline — it's a business complexity timeline.

For an SMB: if your systems were encrypted tonight, how long would it take to be operational again? Not how long to restore from backup — how long until you could take an order, process a payment, and serve a customer. For most SMBs who haven't tested recovery, the answer is longer than their business can sustain.

For your business: A 30-minute tabletop conversation with your IT provider about what happens if your systems are encrypted tomorrow is the most underutilized preparedness action available to SMBs. It costs nothing. It surfaces dependencies, gaps, and recovery timelines you didn't know existed.

Google's Threat Intelligence Group issued an explicit warning: DragonForce and its affiliates are now actively targeting US retailers with the same social engineering playbook. The campaign has already hit Co-op, Harrods, and multiple other organizations. If you operate any business with a payment system, an IT service desk, or online orders — the threat actor that cost M&S $409 million has your industry in its sights.

The question M&S couldn't answer for 70 days

The most important thing about the M&S attack isn't the $409 million, or the seven weeks of disrupted shopping, or the customer data stolen. It's the 70 days. For 70 days, a sophisticated attacker moved through one of Britain's most recognizable companies — with credentials for every user in the domain, with access to customer data, with the infrastructure mapped and the ransomware ready — and the company had no idea.

The question isn't whether your business could survive a $409 million hit. It's whether your business would know, within 70 days, that an attacker was inside. For most SMBs the honest answer is no. The DBIR puts the average at 292 days. M&S at 70 was better than average. Neither is acceptable. And neither requires a sophisticated attacker to achieve. It requires a phone call and a service desk employee doing their job.

The Veriti Spottr CyberScore's Exposure component catches the external signals that precede attacks like the one on M&S — credential exposures in breach databases that enable password hash cracking, configuration gaps that allow lateral movement, and attack surface signals that flag elevated risk before an attacker makes the call. The M&S attack was preventable at step one. A service desk verification policy and phishing-resistant MFA on all domain accounts breaks the chain at the point of initial access. Both are policy changes, not product purchases.

Know what's in your network before an attacker spends 70 days finding out. Veriti Spottr's beta is free.

Veriti Spottr Team AI-powered cyber risk clarity for SMBs  ·  veritispottr.com
