An M&S trading update estimates the ongoing cyber-incident will cost £300m, largely from lost sales due to the suspension of online orders.
Analysis Summary
# Incident Report: M&S Major Cyber Incident and Operational Disruption
## Executive Summary
Marks & Spencer (M&S) is bracing for an estimated £300 million in costs associated with a significant ongoing cyber incident that began in April 2025. The primary impact has been the suspension of online orders (fashion, home, and beauty), leading to substantial lost sales, along with operational disruption in food availability and increased logistics/waste costs. In response, M&S is accelerating infrastructure upgrades to improve operational resilience while expecting to resume online orders by July.
## Incident Details
- **Discovery Date:** Not explicitly stated, but the incident began in April 2025.
- **Incident Date:** Commenced in April 2025.
- **Affected Organization:** Marks & Spencer (M&S).
- **Sector:** Retail.
- **Geography:** Not explicitly stated, presumed UK-based given the currency.
## Timeline of Events
### Initial Access
- **Date/Time:** April 2025.
- **Vector:** Suspected ransomware attack (specific entry vector not detailed in the summary).
- **Details:** The incident forced the immediate suspension of online orders.
### Lateral Movement
- Details of lateral movement are not specified in the provided text.
### Data Exfiltration/Impact
- **Impact:** Complete suspension of online orders (fashion, home, beauty), reduced availability of food items, increased waste, and logistics costs due to manual processes. Expected resumption of online orders by July.
### Detection & Response
- **Detection:** How the incident was detected is not described; its discovery prompted the suspension of online operations.
- **Response Actions:** Suspension of online sales, implementation of manual processes, and acceleration of plans to upgrade infrastructure and network connectivity to enhance operational resilience.
## Attack Methodology
- **Initial Access:** Suspected ransomware attack.
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown.
- **Collection:** Unknown.
- **Exfiltration:** Not stated whether data exfiltration occurred; the primary reported impact is financial loss.
- **Impact:** Operational shutdown of primary sales channels (online), supply chain disruption, and high remediation/opportunity costs.
## Impact Assessment
- **Financial:** Estimated cost of approximately £300 million ($400 million), primarily from lost sales, plus additional waste and logistics costs. Costs will be separated as an adjusting item in the 25/26 financial results.
- **Data Breach:** Data impact is not detailed; the focus is on operational and financial disruption.
- **Operational:** Significant disruption to online sales and reduced availability of food products.
- **Reputational:** Impacted by the inability to service customers online during the disruption.
## Indicators of Compromise
- No specific TTPs, IPs, hashes, or domains were provided in the text snippet.
## Response Actions
- **Containment measures:** Suspension of online ordering systems.
- **Eradication steps:** Not detailed beyond the immediate operational shutdown.
- **Recovery actions:** Planning for online orders to resume by July; accelerating internal improvement projects (infrastructure, network connectivity, technology, and supply chain systems).
## Lessons Learned
- The incident highlighted critical weaknesses in system inter-dependency and overall operational resilience.
- The current disruption presents an "opportunity" to force accelerated necessary technology upgrades.
## Recommendations
- Prioritize and accelerate the decoupling of critical systems to reduce inter-dependency.
- Invest immediately in upgrading network infrastructure, store/colleague technology, and supply chain systems to enhance operational resilience against future attacks.
- Review and enhance ransomware defense and recovery capabilities to minimize the necessity of operational shutdowns.