Trading Stops. Phones Light Up. Your Name Trends For The Wrong Reason.
You run a business. Or you are the one everyone calls when the lights go out. Picture this: tills freeze at lunchtime, Click & Collect stops, angry customers queue, and your board wants answers now. In April 2025, this was not a drill for Marks & Spencer. It was a real ransomware incident that halted online orders, disrupted stores, and exposed customer data. The facts that follow are verifiable and linked. The fixes are practical and proven.
Real case, real numbers
Marks & Spencer disclosed a major cyber incident on 22 April 2025. Online clothing and home orders were fully suspended on 25 April, partial deliveries resumed on 10 June, and Click & Collect returned 15 weeks after the hack on 11 August 2025. The company guided to an operating profit hit of about £300 million. All of this is on the record in Reuters, 13 May, Reuters, 21 May, and Reuters, 11 Aug.
How the attackers got in
Investigators and the company’s chair described a social-engineering route. Attackers impersonated staff and convinced a third-party help desk to reset credentials, creating a valid foothold. This aligns with public briefings urging UK firms to tighten help desk verification after the M&S and Co-op incidents. See Reuters, 6 May, plus technical analysis summarised by Specops.
Who was behind it
M&S told UK lawmakers the attack was carried out by a group known as DragonForce. That statement, and the timeline of disruption, is reported in Reuters, 8 July. Industry coverage on the group’s methods is captured by ITPro and Bitdefender.
What was actually stolen
M&S confirms that personal customer data was taken. Contact details, date of birth and online order history may be involved. Importantly, the company states that payment card details and account passwords were not included. See the official M&S Cyber Update and corroborating reports in Reuters and Infosecurity Magazine.
Did they pay a ransom
The company declined to comment on ransom questions. That position is recorded in Reuters, 21 May. The absence of a definitive public leak does not prove payment. Treat any claims beyond this as speculation.
What it cost in the real world
The cyberattack is expected to reduce operating profit by about £300 million in FY25/26. Online trade was interrupted for weeks. Customers could not place orders for extended periods. Competitors benefited. Facts and dates are set out by Reuters, 21 May and Reuters, 11 Aug.
On the shop floor and behind the scenes
Contemporary reporting described loss of contactless payment and Click & Collect functions, and processes moved offline to contain risk. See the timeline compiled by Computer Weekly. Leadership changes followed in September 2025, covered by Computer Weekly.
What this means for you
If a help desk can be tricked at a household-name retailer, it can be tricked anywhere. If online orders can stop for seven weeks at scale, imagine the impact on a smaller operation with fewer buffers. The lesson is simple. Prevention matters. So does recovery you can trust.
Four controls that change outcomes
1. Immutable, isolated backup. Backups that live on your network are not backups. Ransomware encrypts or deletes them. You need object-lock or air-gapped copies that malware cannot touch, with fast restore paths for your critical services. If this had been in place everywhere, recovery windows would likely have been measured in hours, not weeks. Start with ransomware-resilient cloud backup.
2. Help desk verification that cannot be faked. Require step-up checks for any password reset or privilege action. Record sessions. Limit standing admin rights. The NCSC urged firms to review these processes in the wake of the M&S and Co-op attacks, as reported by Reuters, 6 May. See how we harden identity and endpoints with Endpoint and Identity Hardening.
3. Live threat intelligence tied to actions. DragonForce and copycats telegraph their methods. Monitoring actor tactics and pre-briefing your teams turns unknowns into a checklist. Learn more about Threat Intelligence.
4. Rehearsed incident response and clean rebuilds. The difference between chaos and control is a tested playbook: isolate, investigate, restore, verify. Practise the order of operations and communications before you need them. See Incident Response Readiness.
The quiet sales funnel you actually need
You do not need fear. You need certainty. The M&S timeline shows what happens without immutability, tight access controls and a drilled recovery. Your path is clear:
Make your backups untouchable. Train and test your help desk. Segment identity and privilege. Practise the restore. If you want help, we build this every day. Explore Resilient Cloud Backup, Endpoint and Identity Hardening, Threat Intelligence, and Incident Response Readiness.
Reference facts for your board pack
Attack confirmed and online orders suspended: Reuters, 13 May. Estimated £300m operating profit impact and disruption into July: Reuters, 21 May. Help desks duped via impersonation; review advised: Reuters, 6 May. Customer data types and what was not taken, from the source: M&S Cyber Update. Click & Collect restored after 15 weeks; competitors benefited: Reuters, 11 Aug. Attribution statements regarding DragonForce: Reuters, 8 July. Service disruption detail and recovery context: Computer Weekly. Leadership change following the attack: Computer Weekly. Additional technique context: Specops, ITPro, Bitdefender.
Your move
You cannot outsource responsibility. You can outsource the grind. If you want us to make your backups immutable, your identity controls hard, your playbook real, start here: Start resilient backup. Or if you prefer a quiet conversation first, ask a question. We keep you trading. We keep you calm.