> series: anatomy_of_a_breach —— part: 196 —— target: marks_&_spencer —— cost: £1,900,000,000 —— impact: uk_gdp —— attacker: dragonforce
In April 2025, Marks & Spencer — one of the UK's most beloved and iconic retailers — was hit by a devastating ransomware attack that disrupted every aspect of its operations. Online ordering was suspended for weeks. In-store contactless payments failed. Click-and-collect services were halted. Gift cards could not be processed. Supply chain operations were severely disrupted, with empty shelves appearing in stores. The attack, attributed to the DragonForce ransomware group using social engineering techniques associated with Scattered Spider, became the defining UK cybersecurity incident of 2025.
The scale of the impact was unprecedented for a UK retail breach. The Bank of England confirmed the attack had impacted UK GDP growth. With over 33,000 direct employees and an estimated 200,000 more in M&S's supply chain, the economic ripple effects extended far beyond the company itself. The estimated total cost exceeded £1.9 billion ($2.5 billion) — making it, by a significant margin, the most expensive cybersecurity breach in British history. The attack was reportedly linked to outsourced IT service dependencies, reinforcing the supply chain vulnerability pattern documented throughout this series.
| Impact Area | Consequence |
|---|---|
| Financial cost | Estimated £1.9 billion ($2.5 billion) — most expensive UK cyber breach ever |
| UK GDP | Bank of England confirmed impact on national GDP growth |
| Online sales | Online ordering suspended for weeks — significant revenue loss |
| In-store operations | Contactless payments, gift cards, click-and-collect all disrupted |
| Supply chain | Warehouse and logistics disruption — empty shelves in stores |
| Employment | 33,000 direct employees + 200,000 supply chain workers affected |
| Outsourced IT | Attack reportedly linked to dependencies on outsourced IT services |
The M&S attack was part of a broader campaign targeting UK retailers in early 2025 — with the Co-op Group and Harrods also targeted in the same period. The concentration of attacks against UK retail demonstrated that the sector was being specifically targeted by ransomware groups, likely using similar social engineering techniques to compromise IT help desks and outsourced service providers.
The Marks & Spencer breach is the single most consequential cybersecurity incident in UK history. For every UK business, the message is unmistakable: ransomware can cause damage measured in billions of pounds, can impact national economic output, and can disrupt the daily lives of millions of consumers. The controls that prevent this are the same controls this series has advocated for seventeen years: penetration testing, Cyber Essentials certification, social engineering testing, SOC in a Box monitoring, and incident response capability. £1.9 billion. The cost of not implementing these controls has never been higher.
[Test](/penetration-testing). [Certify](/cyber-essentials). [Test your people](/penetration-testing/social-engineering). [Monitor](https://www.socinabox.co.uk). [Prepare](https://www.cyber-defence.io). Because £1.9 billion is the cost of not doing so.
We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.
Free Scoping Call