Full Report
In a statement filed to the London Stock Exchange on Tuesday afternoon, Marks and Spencer said it had made "some minor, temporary changes to our store operations" as soon as it became aware of the incident.
Analysis Summary
# Incident Report: M&S Cyber Incident Impacting Store Operations
## Executive Summary
British retailer Marks and Spencer (M&S) confirmed on April 22, 2025 that it had been managing a "cyber incident" for the preceding few days. The incident caused temporary disruption to in-store operations, specifically electronic payments (card and gift card) and the Click and Collect service. M&S engaged external cybersecurity experts, notified regulators and the National Cyber Security Centre (NCSC), and took steps to protect its network while keeping core business functions running.
## Incident Details
- **Discovery Date:** April 22, 2025 (based on initial public complaints and company confirmation)
- **Incident Date:** "Over the past few days" leading up to April 22, 2025
- **Affected Organization:** Marks and Spencer (M&S)
- **Sector:** Retail
- **Geography:** United Kingdom
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown, occurred slightly before public acknowledgement on April 22, 2025.
- **Vector:** Unspecified ("cyber incident"). Specific initial access vector is not detailed in the report.
- **Details:** The incident subsequently led to the disruption of internal systems.
### Lateral Movement
- **Details:** Not reported. Both in-store payment processing and Click and Collect fulfillment were affected, but the source does not say whether this reflects multiple compromised systems or a single shared dependency that both services rely on.
### Data Exfiltration/Impact
- **Details:** The primary visible impact was operational disruption:
- Temporary, minor changes to store operations.
- Failure of electronic payment systems (card payments, gift cards).
- Delays or inability to fulfill Click and Collect orders.
- **Data Breach:** No confirmation of data exfiltration or PII compromise was mentioned in the provided summary.
### Detection & Response
- **Detection:** How and when M&S itself detected the incident is not stated. Publicly, the disruption became visible through customer complaints on social media "a few days" before the April 22 confirmation.
- **Response Actions:**
- M&S filed a statement with the London Stock Exchange.
- Engaged external cybersecurity experts for investigation and management.
- Reported the incident to relevant regulators and the National Cyber Security Centre (NCSC).
- Took actions to protect the network and maintain customer service.
## Attack Methodology
- **Initial Access:** Unknown / Unspecified.
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown.
- **Collection:** Unknown. The services affected (payments, order fulfillment) indicate which systems were impaired, not what, if anything, was collected.
- **Exfiltration:** Unknown; no data theft was confirmed or disclosed.
- **Impact:** Denial or impairment of critical business functions (POS/payment systems, logistics integration).
## Impact Assessment
- **Financial:** Not quantified, though operational delays likely incurred costs.
- **Data Breach:** None confirmed/disclosed.
- **Operational:** Significant—card payments, gift card processing, and Click and Collect services were temporarily degraded or unavailable, causing customer inconvenience. Stores remained open but faced transaction difficulties.
- **Reputational:** Negative impact evidenced by customer complaints shared on social media regarding system failures and wasted journeys.
## Indicators of Compromise
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** Disruption/failure of electronic payment processing across stores and failure of Click and Collect fulfillment queues.
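The only indicator the report offers is behavioural: card authorisations failing in many stores at the same time. The following is an added example, not code from the report or from M&S, showing how that signal can be separated from ordinary noise in POS authorisation logs. A single terminal failing, or a run of issuer declines, is normal; the same processing failure reason appearing across several stores in one short window is what is worth alerting on. The log format, field names, thresholds and sample lines are all constructed for this example.

```python
"""Added example: flag a cross-store payment-processing disruption from
constructed POS authorisation log lines (not the M&S report's own data).

Distinguishes issuer declines (result=declined, a normal business outcome)
from processing failures (result=failed, e.g. host_timeout) and alerts only
when one failure reason hits several distinct stores in the same window.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: a quiet window at 09:00, then host timeouts across
# five stores in the 09:15 window. Store and terminal IDs are invented.
SAMPLE_LOG = """\
2025-04-20T09:00:05Z store=0101 terminal=T01 event=card_auth result=approved
2025-04-20T09:01:10Z store=0102 terminal=T03 event=card_auth result=declined reason=insufficient_funds
2025-04-20T09:02:44Z store=0103 terminal=T02 event=card_auth result=approved
2025-04-20T09:03:01Z store=0101 terminal=T02 event=card_auth result=approved
2025-04-20T09:15:12Z store=0101 terminal=T01 event=card_auth result=failed reason=host_timeout
2025-04-20T09:15:40Z store=0102 terminal=T02 event=card_auth result=failed reason=host_timeout
2025-04-20T09:16:03Z store=0103 terminal=T01 event=card_auth result=failed reason=host_timeout
2025-04-20T09:16:30Z store=0104 terminal=T04 event=card_auth result=failed reason=host_timeout
2025-04-20T09:17:02Z store=0105 terminal=T01 event=card_auth result=approved
2025-04-20T09:17:55Z store=0106 terminal=T02 event=card_auth result=failed reason=host_timeout
"""


def parse_line(line):
    """Parse 'ISO8601 key=value key=value ...' into a dict with a UTC datetime."""
    ts_text, _, rest = line.partition(" ")
    rec = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for token in rest.split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def window_start(ts, window_minutes):
    """Floor a timestamp to the start of its fixed-size window."""
    minute = (ts.minute // window_minutes) * window_minutes
    return ts.replace(minute=minute, second=0, microsecond=0)


def find_disruptions(log_text, window_minutes=5, min_stores=3, min_fail_ratio=0.5):
    """Return alerts for windows where one processing-failure reason affects
    at least `min_stores` distinct stores and makes up at least
    `min_fail_ratio` of all authorisation attempts in that window.
    """
    windows = defaultdict(lambda: {"total": 0, "fail_count": defaultdict(int),
                                   "fail_stores": defaultdict(set)})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") != "card_auth":
            continue
        w = windows[window_start(rec["ts"], window_minutes)]
        w["total"] += 1
        # Only 'failed' counts as a processing failure; 'declined' is the issuer saying no.
        if rec.get("result") == "failed":
            reason = rec.get("reason", "unknown")
            w["fail_count"][reason] += 1
            w["fail_stores"][reason].add(rec.get("store", "?"))

    alerts = []
    for start in sorted(windows):
        w = windows[start]
        for reason, stores in w["fail_stores"].items():
            ratio = w["fail_count"][reason] / w["total"]
            if len(stores) >= min_stores and ratio >= min_fail_ratio:
                alerts.append({
                    "window_start": start.isoformat(),
                    "reason": reason,
                    "stores": sorted(stores),
                    "failure_ratio": ratio,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_disruptions(SAMPLE_LOG):
        print(alert)
```

In practice the thresholds would be set from a per-window baseline rather than fixed constants, and the store count matters more than the ratio: a handful of stores timing out against the same authorisation host is the earliest point at which a central-service problem, whether outage or compromise, becomes visible before customers start posting about it.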
## Response Actions
- **Containment:** Taking actions to "further protect our network."
- **Eradication:** Ongoing investigation led by external cyber security experts.
- **Recovery:** Working hard to resolve delays to Click and Collect orders and restore full payment functionality.
## Lessons Learned
- Card payments and Click and Collect fulfillment failed together. The report does not say why, but a simultaneous failure of two customer-facing services points to a shared dependency between store systems and central back-end services, and to a lack of degraded-mode operation when that dependency is impaired.
- Customer complaints on social media surfaced the disruption days before the formal disclosure. Monitoring customer-facing channels can therefore be an early signal that an incident has become externally visible.
## Recommendations
- Conduct a thorough forensic investigation, led by external experts, to determine the root cause, scope, and specific techniques used by the threat actor.
- Review segmentation and resilience of point-of-sale (POS) and order fulfillment systems to ensure operations can continue if central services are impaired (e.g., maintaining offline payment capability).
- Enhance threat hunting across the environment while the entry vector remains unknown, focusing on activity that typically precedes disruption of retail systems: new or unusual remote access, privileged account and group changes, and services or scheduled tasks being stopped or replaced on POS and fulfillment hosts.
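The segmentation and resilience recommendation above mentions offline payment capability without saying what that looks like. The following is an added example, not code from the report or from M&S, of the store-and-forward pattern a till can use when the central authorisation host is unreachable: accept low-value card sales locally under a floor limit and an aggregate exposure cap, queue them, and forward them once the host is back. The class names, limits and the simulated host are constructed for this example; a real implementation would persist the queue to local disk and apply the card scheme's own offline rules.

```python
"""Added example: store-and-forward card acceptance for a till whose central
authorisation host is down (constructed; not M&S's own design).

Design points shown:
- online authorisation is always tried first;
- when the host is unreachable, a sale is approved offline only if it is
  under the floor limit AND total unforwarded exposure stays under a cap;
- queued sales are replayed when the host returns, and anything the host
  still rejects stays queued rather than being silently dropped.
"""
import uuid
from dataclasses import dataclass


class HostUnavailable(Exception):
    """Raised by the online authoriser when the central service cannot be reached."""


@dataclass
class Sale:
    sale_id: str
    amount_pence: int
    card_token: str   # tokenised card reference; the till never stores the PAN
    status: str       # "approved_online", "approved_offline" or "declined"


class OfflineCapableTill:
    def __init__(self, authorise_online, floor_limit_pence=3000,
                 max_offline_exposure_pence=50000):
        self._authorise_online = authorise_online
        self.floor_limit = floor_limit_pence
        self.max_exposure = max_offline_exposure_pence
        # Sales approved offline and not yet forwarded. Production code would
        # journal these to local storage so a till reboot does not lose them.
        self.pending = []

    def offline_exposure(self):
        """Total value approved offline but not yet confirmed by the host."""
        return sum(s.amount_pence for s in self.pending)

    def take_payment(self, amount_pence, card_token):
        sale = Sale(str(uuid.uuid4()), amount_pence, card_token, "declined")
        try:
            self._authorise_online(sale)
            sale.status = "approved_online"
            return sale
        except HostUnavailable:
            pass  # fall through to the offline decision
        within_floor = amount_pence <= self.floor_limit
        within_cap = self.offline_exposure() + amount_pence <= self.max_exposure
        if within_floor and within_cap:
            sale.status = "approved_offline"
            self.pending.append(sale)
        return sale

    def forward_pending(self):
        """Replay queued offline sales. Returns (forwarded, still_pending)."""
        forwarded, remaining = 0, []
        for sale in self.pending:
            try:
                self._authorise_online(sale)
                forwarded += 1
            except HostUnavailable:
                remaining.append(sale)
        self.pending = remaining
        return forwarded, len(remaining)


class SimulatedHost:
    """Stand-in for the central authorisation service (constructed)."""

    def __init__(self):
        self.up = True
        self.seen = []  # sale IDs the host has authorised

    def authorise(self, sale):
        if not self.up:
            raise HostUnavailable()
        self.seen.append(sale.sale_id)


if __name__ == "__main__":
    host = SimulatedHost()
    till = OfflineCapableTill(host.authorise, floor_limit_pence=3000,
                              max_offline_exposure_pence=5000)
    print(till.take_payment(1000, "tok-a").status)   # approved_online
    host.up = False
    print(till.take_payment(2500, "tok-b").status)   # approved_offline
    print(till.take_payment(4000, "tok-c").status)   # declined: over floor limit
    host.up = True
    print(till.forward_pending())                    # (1, 0)
```

The two limits are what make this safe rather than merely convenient: the floor limit bounds the loss on any one fraudulent or later-rejected card, and the exposure cap bounds what a store can accumulate while the host is down, which is exactly the window an attacker who has taken the authorisation path offline would want to exploit.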