Marks & Spencer cyberattack forced the U.K. retailer to freeze online orders, rebuild core systems, and warn investors of a £300 million profit hit. The ransomware gang Scattered Spider slipped in over the Easter weekend, proving that third-party credentials can still short-circuit multi-factor authentication. Tata Consultancy Services (TCS), M&S’s tech partner for more than a decade, says no TCS systems or staff accounts were breached.

Quick Snapshot

• When it started: April 19–20, 2025 (Easter weekend)
• Threat actor: Scattered Spider/DragonForce ransomware crew
• Attack vector: Social-engineering calls tricked contractors into resetting MFA-protected passwords
• Data exposed: Names, contact details, birth dates; no payment info or passwords
• Immediate fallout: Online clothing and home orders suspended April 25
• Projected cost: ≈ £300 million in lost operating profit for FY 2026
• TCS position: “No TCS systems or users were compromised”

How the Breach Unfolded

Hackers phoned help desks, posed as support staff, and persuaded third-party contractors to approve password resets. Those credentials unlocked key M&S systems—even with MFA in place. Once inside, the attackers deployed ransomware, encrypted servers, and threatened to leak customer records.

Was TCS an Entry Point?

TCS runs large parts of M&S’s supply-chain and e-commerce stack under a $1 billion modernization deal signed in 2023. Early reports speculated the gang abused TCS infrastructure. After a month-long internal review, TCS told shareholders that:

1. Its own network shows no sign of intrusion.
2. Investigators never requested access to TCS systems.
3. Other TCS clients are safe.
   The clarification steadies’ nerves across industries that rely on the Mumbai-based IT giant.

Recovery Timeline

Financial and Operational Impact

• Revenue loss: Analysts peg weekly lost sales at roughly £15 million.
• Market value: M&S shed more than £1 billion in capitalization during the outage.
• Supply chain: Some clothing lines missed shelves as forecasting tools went dark.
• Customer trust: Shoppers complained about delays and stock shortages, yet praise M&S for refusing to pay ransom.

Five Security Lessons to Act On

1. Vendor risk is everyone’s risk. Vet contractor security and require zero-trust access, not shared logins.
2. Harden help-desk workflows. Enforce strict identity checks before any password reset.
3. Layer MFA with phishing-resistant methods. Hardware keys or passkeys beat text codes and push prompts.
4. Plan for ransomware recovery. Keep clean, offline backups and rehearse the failover.
5. Communicate fast, honestly, and often. Clear updates limit rumor-driven panic and rebuild confidence

Looking Ahead

Marks & Spencer aims to finish system rebuilds and third-party audits by July 2025. TCS continues to support the cleanup while running fresh threat-hunting drills across its global network. For every retailer—or any firm that relies on external tech partners—the message is clear: social engineering still works, and vendor oversight can make or break cyber resilience. Stay sharp, close the gaps, and test your response before attackers do it for you.