British retail giant Marks & Spencer (M&S) and the iconic Knightsbridge department store, Harrods, have become the latest to be hit by cyberattacks in the UK.
Online orders at M&S, one of the United Kingdom’s most prominent high-street stores, remain paused and the attack has already cost the company millions of pounds in lost revenues.
Here is what we know about the incident, its effect and where things stand.
What happened in the cyberattack on Harrods and Marks and Spencer?
- April 21: Customers begin reporting issues making contactless payments and booking click-and-collect services (ordering online and picking up in store) at Marks & Spencer. Later that day, the company confirms it is dealing with a “cyber incident”.
- April 25: M&S suspends all online orders and pulls its more than 200 job listings offline. Signs begin appearing in stores warning of limited food availability. Gift cards and returns at M&S food stores cannot be processed.
- April 28: Some M&S stores report empty shelves and a shortage of popular items like Percy Pigs sweets. About 200 agency workers at the Castle Donington warehouse in the UK’s East Midlands are told to stay home. Stores continue to suffer from shortages.
- April 29 – May 2: M&S’s website remains unable to process online orders; job applications are still paused. The retailer has issued no further public updates. Physical stores remain open, but some product lines remain unavailable.
- April 30: The United Kingdom’s Metropolitan Police force confirms it is investigating the attack.
- May 1: Upmarket London department store Harrods confirms a cyberattack but assures customers that its operations continue as normal. The company has not revealed how severe the breach is or if customer data has been exposed.
Is M&S back online?
M&S’s online services have not fully resumed. Customers can browse online but they cannot complete purchases. Some difficulties also continue in stores, with gift cards not currently being accepted.
The company has not provided a timeline for recovery.
Why were these retailers attacked?
Although M&S has not confirmed the type of cyberattack it suffered, experts say the company’s shutdown of systems points to a likely ransomware incident.
Ransomware is a type of malicious software which blocks access to files or systems until a ransom has been paid – usually in cryptocurrency. This sort of software can shut down operations and hold critical data hostage.
Harrods has not shared details about its cyberattack, but experts believe the incidents may be connected.
Both the Metropolitan Police and the National Cyber Security Centre (NCSC) are investigating the cyber attacks. The NCSC has urged all retailers to tighten their cybersecurity and advised consumers to check bank activity and update passwords.
Who is behind the latest cyberattack?
The attack on M&S has been linked by cybersecurity observers to a group called Scattered Spider, which is also known as Octo Tempest.
This is a loose network of mostly young, English-speaking hackers who use tricks like phishing (messages through which criminals trick recipients into handing over sensitive information such as login details), SIM swapping (taking control of someone’s phone number) and Multi-Factor Authentication fatigue (sending repeated login requests until someone accidentally approves one) to break into company systems.
Scattered Spider is believed to have accessed M&S systems using ransomware called DragonForce.
One of the most common ways ransomware infiltrates a system is through phishing emails, according to cybersecurity firm Akamai. Common to all the methods is “the aim of exploiting either a human error or a technical vulnerability”, its website explains.
Once inside, the malware spreads and encrypts important files, locking them so the company can’t access or use them. The hackers then demand a ransom in exchange for a key to unlock the data.
Tim Mitchell, a senior security researcher at Secureworks, told the UK’s Guardian newspaper that Scattered Spider is an unusual hacking group because most cybercriminal networks tend to operate out of countries like Russia, where looser enforcement provides a more “permissive environment” for cybercrime.
The World Cybercrime Index ranks Russia as the country posing the highest cybercrime threat, followed by Ukraine, China, the United States, Nigeria and Romania.
How much has this attack cost the companies?
Since the attack, more than 700 million pounds ($930m) has been wiped off Marks & Spencer’s market value, with its share price falling 6.5 percent – including a 2.2 percent drop on the first day of disruptions alone.
Online shopping, which makes up about one-third of M&S’s clothing and home sales, generates roughly 3.8 million pounds ($5.05m) in daily revenue – a stream now halted due to the ongoing shutdown.
The company has also paused recruitment, removing nearly 200 job listings from its website.
Harrods, meanwhile, has not disclosed any financial losses. As a privately held company, it does not have a stock price and typically does not make its financial information public.
How have Harrods and M&S responded?
M&S initially responded promptly to the cyberattack, informing customers of the breach and pausing affected services early on. However, communication has since stalled, with only two official statements released – the last on April 25.
The retailer confirmed it took systems offline “as a precaution”, affecting both in-store stock and logistics.
Harrods, meanwhile, has not disclosed any financial losses. A spokesperson said Harrods is “working closely with leading cybersecurity experts and law enforcement to investigate the incident and ensure the integrity of our systems”.
Have other similar cyberattacks occurred recently?
Yes. M&S and Harrods are the latest in the UK to be affected by cyberattacks.
Co-operative Group (Co-op), a British consumer cooperative that operates food stores, funeral services and other businesses, also faced an attempted breach the same week. It shut down parts of its IT system, affecting back-office and call centre functions. Stores remained open.
Synnovis, a partner of the UK’s National Health Service, was hit by a ransomware attack in June 2024, delaying more than 11,000 medical appointments while patient data it relied on was locked. The Russian-linked cybercriminal group, Qilin, demanded $50m to restore access, but Synnovis refused to pay, adhering to the UK government’s policy against paying cybercriminals. In response, the group posted the stolen data online including names, dates of birth, NHS numbers and details of blood test results.
According to the UK government’s Cyber Security Breaches Survey, 74 percent of large businesses were targeted in cyberattacks in 2024. The Information Commissioner’s Office also recorded a 40 percent rise in data breaches in the retail sector in 2023 alone.
