The M&S DragonForce Attack One Year On: What a Phone Call to IT Support Cost a Billion-Pound Retailer

Case Study

The damning fact Marks and Spencer hoped the public would forget: the most expensive cyber attack in UK retail history started with a phone call.

Not a zero-day exploit. Not custom malware. Not a nation-state actor deploying advanced persistent threats. A group of predominantly English-speaking hackers picked up the phone, called the IT helpdesk, and talked their way to a password reset. From that single foothold, they dismantled a billion-pound retailer’s operations for nearly two months.

One year on from the Easter weekend 2025 attacks, the full cost is now visible, and it is worse than the initial estimates suggested. This case study examines what happened, why it happened, and what it means for every UK business that relies on an IT helpdesk to manage access.

Timeline: How It Happened

Easter Weekend 2025 (19-21 April). Customers across the UK began experiencing problems in M&S stores. Contactless card payments failed. Click and Collect orders could not be fulfilled. At the time, the company acknowledged “technical issues” without disclosing the cause.

Late April 2025. M&S confirmed it was managing a cyber incident. Online shopping was suspended entirely. The company’s automated ordering and stock management systems were taken offline, forcing staff to revert to manual pen-and-paper tracking for fresh food and clothing supply chains. Shelves in stores across the country began emptying.

Early May 2025. Co-op and Harrods disclosed they had also been targeted. The attacks shared timing, a common threat actor, and the same techniques. Representatives of the DragonForce ransomware-as-a-service operation claimed responsibility; the operation has been linked to Scattered Spider and The Com, overlapping English-speaking hacking collectives.

13 May 2025. M&S confirmed that customer personal data had been compromised: names, dates of birth, residential and email addresses, phone numbers, household details, and online purchase histories. The company stated that payment card details and account passwords were not affected and that it was resetting customer account passwords.

10 June 2025. M&S resumed online orders for some clothing lines after a 46-day suspension.

Ongoing. M&S warned investors that the incident would likely shave approximately £300 million off annual profit. The company’s market value dropped by over £700 million in the weeks following disclosure.

The Attack Vector: Social Engineering a Helpdesk

The initial access method is the detail that matters most for small businesses.

M&S’s IT helpdesk was operated by Tata Consultancy Services. According to reporting by the BBC and multiple security researchers, the attackers impersonated internal IT staff and manipulated helpdesk operators into resetting credentials or granting access. This is classic social engineering: the attacker does not break through the door; they convince someone to open it.

Scattered Spider are known for exactly this approach. They have previously been linked to high-profile attacks on MGM Resorts and Caesars Entertainment in the United States using the same method: calling helpdesks, impersonating employees, and obtaining password resets.

Once inside, the attackers used the double extortion playbook. They spent time moving laterally through the network, harvesting sensitive data before deploying ransomware. By the time the encryption hit, the customer data was already exfiltrated.

The Cost: Beyond the Numbers

The Cyber Monitoring Centre classified the M&S and Co-op attacks as a single Category 2 systemic event with total estimated losses between £270 million and £440 million.

The financial breakdown is striking. M&S reported estimated losses of approximately £40 million per week during the period of maximum disruption. Online sales losses alone reached an estimated £1.3 million per day before limited service resumed. Consumer spending reportedly dropped 22% at M&S and 11% at Co-op during the affected period.

But the financial figures do not capture the operational reality. M&S, a company with 65,000 staff and over 1,400 stores, was forced to run its supply chain manually for weeks. Rural areas that depend on Co-op as their primary food retailer experienced noticeable disruption. Supplier relationships were strained by delayed orders and payments.

What This Means for Small Businesses

The temptation when reading about an attack on a FTSE 100 company is to think it is irrelevant to a 20-person business. That is the wrong conclusion.

The attack vector scales down perfectly. If your IT provider or internal team resets passwords based on a phone call without verifying the caller through a separate channel, you are vulnerable to the same technique. The size of your business does not matter. The size of the gap in your verification process does.

Outsourced IT creates shared risk. M&S outsourced its helpdesk to TCS. The compromise came through that outsourced function. If you outsource IT support, your provider’s verification procedures are your verification procedures. Have you ever asked your IT provider: “What is your process for verifying identity before resetting a password or granting access?” If the answer is anything other than a defined callback procedure to a registered number, you have a problem.

The helpdesk is the new perimeter. Traditional security focuses on firewalls, endpoint protection, and network segmentation. Those controls are necessary but insufficient when the attacker bypasses all of them by persuading a human being to let them in. Social engineering attacks exploit trust, not technology.

Double extortion means data theft comes first. If ransomware is deployed, the data has already been stolen. The encryption is the visible damage. The exfiltration is the strategic damage. For any business handling customer data, this means that even if you have good backups and can recover operations, the data breach has already occurred.

Three Checks to Do This Week

Check 1: Helpdesk verification process. Call your IT provider and ask them to describe their procedure for verifying identity before performing a password reset, MFA change, or access grant. The correct answer involves a callback to a registered phone number or a verification step through a separate authenticated channel. If the answer is “we ask the caller to confirm their email address and date of birth”, that is not verification. That is information available in any data breach.

Check 2: Mail forwarding audit. Log into your email admin console and check whether any accounts have mail forwarding rules that redirect to external addresses. Attackers commonly set up silent forwarding after compromising an account. In Microsoft 365, check the Exchange admin centre under Mail flow > Rules. In Google Workspace, check the Admin console under Apps > Google Workspace > Gmail > Routing.
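The audit described in Check 2 can be scripted rather than clicked through. The script below is an added example, not the article's own material: it assumes the ExchangeOnlineManagement module and an account allowed to read recipients and rules, and it reports mailbox forwarding, inbox rules and transport rules whose targets are outside the tenant's accepted domains.

```powershell
# Added example (not from the article): list Exchange Online forwarding to
# external domains. Assumes ExchangeOnlineManagement and a recipient-reading role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Any domain the tenant does not own is treated as external.
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Get-SmtpAddress([string]$Entry) {
    # Rule recipients look like 'Name [SMTP:user@example.net]' or 'Name [EX:/o=...]';
    # mailbox forwarding looks like 'smtp:user@example.net'. EX: entries are internal.
    if ($Entry -match '\[SMTP:([^\]]+)\]') { return $Matches[1] }
    if ($Entry -match '^(smtp:)?([^\s\[\]]+@[^\s\[\]]+)$') { return $Matches[2] }
    return $null
}

function Test-External([string]$Entry) {
    $addr = Get-SmtpAddress $Entry
    if (-not $addr) { return $false }
    return $internal -notcontains $addr.Split('@')[-1].ToLower()
}

$findings = @(foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding, set by an admin or through Outlook settings.
    if ($mbx.ForwardingSmtpAddress -and (Test-External $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{ Where = $mbx.UserPrincipalName; Kind = 'MailboxForwarding'
                           Name = '-'; Target = $mbx.ForwardingSmtpAddress }
    }
    # Inbox rules: the silent forwarding typically created after an account compromise.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets | Where-Object { $_ -and (Test-External ([string]$_)) }) {
            [pscustomobject]@{ Where = $mbx.UserPrincipalName; Kind = 'InboxRule'
                               Name = $rule.Name; Target = [string]$t }
        }
    }
})
# Organisation-wide transport rules (Mail flow > Rules in the Exchange admin centre).
$findings += @(foreach ($tr in Get-TransportRule) {
    $targets = @($tr.RedirectMessageTo) + @($tr.BlindCopyTo) + @($tr.AddToRecipients) + @($tr.CopyTo)
    foreach ($t in $targets | Where-Object { $_ -and (Test-External ([string]$_)) }) {
        [pscustomobject]@{ Where = 'Organisation'; Kind = 'TransportRule'; Name = $tr.Name; Target = [string]$t }
    }
})
$findings | Sort-Object Kind, Where | Format-Table -AutoSize
```

An empty table is the expected result; every row it does produce should be traceable to a known business reason, and anything else is a candidate compromised account.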

Check 3: Admin account inventory. List every account in your organisation that has admin-level access. Remove any that do not need it. Ensure all admin accounts have MFA enabled and that MFA recovery methods have not been changed recently. This takes ten minutes and closes one of the most common post-compromise escalation paths.
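The admin inventory in Check 3 can also be pulled from Entra ID rather than compiled by hand. The script below is an added example, not the article's own material: it assumes the Microsoft Graph PowerShell SDK, a signed-in account permitted to read other users' authentication methods, and a hypothetical list of role names to review, and it reports each privileged role member together with whether an MFA-capable method is registered.

```powershell
# Added example (not from the article): inventory privileged Entra ID role
# members and check for a registered MFA-capable method. Assumes the Microsoft
# Graph PowerShell SDK and an account allowed to read users' authentication methods.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'UserAuthenticationMethod.Read.All', 'User.Read.All' -NoWelcome

# Hypothetical starting list; extend with whatever roles matter in your tenant.
$privilegedRoles = @('Global Administrator', 'Exchange Administrator', 'User Administrator',
                     'Privileged Authentication Administrator', 'Security Administrator')

# Methods that satisfy an MFA prompt. A password alone does not count.
$strongMethods = @('#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
                   '#microsoft.graph.fido2AuthenticationMethod',
                   '#microsoft.graph.phoneAuthenticationMethod',
                   '#microsoft.graph.softwareOathAuthenticationMethod',
                   '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod')

# Get-MgDirectoryRole only returns roles that have been activated in the tenant.
$report = foreach ($role in Get-MgDirectoryRole | Where-Object { $privilegedRoles -contains $_.DisplayName }) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Groups and service principals need their own review; only users are listed here.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        $types = Get-MgUserAuthenticationMethod -UserId $member.Id |
                 ForEach-Object { $_.AdditionalProperties['@odata.type'] }
        [pscustomobject]@{
            Role          = $role.DisplayName
            User          = $member.AdditionalProperties['userPrincipalName']
            MfaRegistered = [bool]($types | Where-Object { $strongMethods -contains $_ })
            Methods       = ($types -replace '#microsoft\.graph\.', '') -join ','
        }
    }
}
$report | Sort-Object Role, User | Format-Table -AutoSize
```

Rows with MfaRegistered set to False are the accounts to fix first; whether a user's methods changed recently is not in this output and is read from the Entra ID audit log instead.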

How to Turn This Into a Competitive Advantage

The M&S attack is now public knowledge. Every business in the UK has heard of it. If you can demonstrate to clients and partners that you have addressed the specific vulnerability that enabled it (helpdesk social engineering, weak verification processes, unmonitored admin accounts), you offer tangible reassurance that competitors who cannot make the same claim do not.

Use the M&S case study in client conversations. “You heard about the M&S attack last year. Here is what we did to make sure the same technique would not work on us.” That is a concrete selling point.

How to Sell This to Your Board

The M&S attack cost £300 million. That number gets board attention. Present it alongside the attack vector: a phone call. Then present the cost of your proposed mitigations: implementing a callback verification procedure (free), auditing admin accounts (one hour), and checking mail forwarding rules (ten minutes).

The ratio speaks for itself. The most expensive UK retail cyber attack in history was enabled by a process failure that costs nothing to fix. If your board cannot find time to address it, they need to explain why to your insurers, auditors, and customers.

Sources

  • The Record (Recorded Future): M&S Confirms Customer Data Stolen in Cyberattack
  • Security Affairs: Financial Impact of M&S and Co-op Cyberattacks Could Reach £440M
  • Computer Weekly: M&S, Co-op Attacks a Category 2 Cyber Hurricane
  • BlackFog: M&S Breach: How Ransomware Crippled a UK Retail Giant
  • Computer Weekly: Chaos Spreads at Co-op and M&S Following DragonForce Attacks
  • DSIT / Home Office: Cyber Security Breaches Survey 2025/2026
  • NCSC: 10 Steps: Logging and Monitoring

Filed under

  • smb-security
  • uk-business
  • incident-response
  • business-risk
  • social-engineering
  • supply-chain-risk
  • ransomware-groups