MS
Company Details
Linkedin ID:
marks-and-spencer
Employees number:
41,277
Number of followers:
736,458
NAICS:
43
Industry Type:
Homepage:
marksandspencer.com
IP Addresses:
Scan still pending
Company ID:
MAR_2661945
Scan Status:
In-progress
Marks and Spencer Vendor Cyber Rating & Cyber Score
marksandspencer.comAt M&S, we're dedicated to being the most trusted retailer, prioritising quality and delivering value. Every day, we bring the magic of M&S to our customers, whenever, wherever and however they want to shop with us. For over a century, we've set the standard, doing the right thing and embracing innovation. Today, with over 65,000 colleagues serving 32 million customers globally, we're putting quality products at the heart of everything we do. Tomorrow holds boundless opportunities with us. We're pioneering digital innovation and shaping the future of retail where our values drive every action. We stay close to customers and colleagues, always curious and connected. Our decisions are bold, our actions ambitious. Transparency is paramount, with straightforward, honest communication. We're constantly innovating, always striving for the best. Our focus is on aiming higher and winning together, combined with wise financial decisions to secure our future. Join us at M&S to shape the future of retail.
Marks and Spencer A.I CyberSecurity Scoring
MS Risk Score (AI oriented)Between 0 and 549
MS
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
MS Global Score (TPRM)XXXX
MS
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
Marks and Spencer
Current Score
100
01000
24 incidents
0 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
APRIL 2026
100
MARCH 2026
100
FEBRUARY 2026
100
Breach
100
critical Already minimum
MARCOIDISTAS1770173590Incident Details -
Type
Insider Threat
Attack Vector
Insider Access
Motivation
Data Theft, Financial Gain
Impact
Data Compromised: Personal data (names, email addresses, phone numbers, KYC information, wallet balances, transaction histories) Systems Affected: Internal support interface Brand Reputation Impact: Yes Identity Theft Risk: Yes
Response
Incident Response Plan Activated: Yes Containment Measures: Contractor terminated, affected users notified Remediation Measures: Identity theft protection services provided to affected users Communication Strategy: Public disclosure, regulatory notifications
Data Breach
Personal Identifiable Information (PII) KYC Information Transaction Histories Wallet Balances Number Of Records Exposed: 30 Sensitivity Of Data: High Data Exfiltration: Yes (via Telegram screenshots) Personally Identifiable Information: Yes
Regulatory Compliance
Regulatory Notifications: Yes
Lessons Learned
Insider threats pose significant risks, especially in third-party contractor relationships. Enhanced monitoring and access controls are critical for mitigating such breaches.
Recommendations
Implement stricter access controls for contractors and third-party vendors Enhance monitoring of internal systems for unauthorized access Provide regular security awareness training for employees and contractors Establish clear protocols for reporting and responding to insider threats
Investigation Status
Completed
Customer Advisories
Affected users notified and provided with identity theft protection services
Initial Access Broker
Entry Point: Contractor access
Post Incident Analysis
Root Causes: Improper access by a contractor, lack of sufficient monitoring for insider threats Corrective Actions: Contractor terminated, affected users notified, identity theft protection services provided, regulatory notifications completed
References
JANUARY 2026
100
Breach
100
critical Already minimum
MAR1768480120Incident Details -
Type
Data Breach
Attack Vector
Social Engineering IT Help Desk Bypass
Vulnerability Exploited
Identity and Access Management (IAM) Failures
Impact
Financial Loss: > $10M (for 24% of organizations)
Data Breach
Type Of Data Compromised: Identity-Related Data Sensitivity Of Data: High (Personally Identifiable Information, Access Credentials) Personally Identifiable Information: Yes
Lessons Learned
Identity-related breaches are increasing in frequency and cost, with IT help desk bypass and social engineering emerging as significant threats. Organizations must prioritize securing their identity estate and consider adopting passwordless authentication and AI-driven cybersecurity measures.
Recommendations
Assess and strengthen identity and access management (IAM) capabilities. Prioritize passwordless authentication adoption. Implement AI-driven cybersecurity solutions to enhance threat detection and response. Enhance IT help desk security protocols to prevent social engineering attacks. Monitor and address identity-related risks proactively.
Investigation Status
['Report Findings (No Specific Incident Investigation)']
Stakeholder Advisories
Leaders should act quickly to secure their identity estate and prioritize actions to mitigate identity-related risks.
Post Incident Analysis
Identity and Access Management (IAM) Failures Social Engineering Attacks IT Help Desk Bypass Strengthen IAM capabilities Adopt passwordless authentication Implement AI-driven cybersecurity solutions Enhance IT help desk security protocols
References
DECEMBER 2025
100
Cyber Attack
100
critical Already minimum
ADIHEAHARMARTHEJAG1767017696Incident Details -
Type
phishing data breach digital shutdown ransomware
Impact
Financial Loss: hundreds of millions of pounds Operational Impact: digital shutdown
References
NOVEMBER 2025
100
OCTOBER 2025
100
Cyber Attack
100
critical Already minimum
MARCO-JAG1771151062Incident Details -
Type
ransomware state-sponsored hacktivism
Motivation
geopolitical financial gain disruption
Impact
government operations essential services retail manufacturing aviation halted manufacturing airport outages
Data Breach
children’s data personally identifiable information Sensitivity Of Data: high
Lessons Learned
Cyber-resilience must be treated as a board-level priority, with proactive risk management and governance embedded at the highest levels. The emotional and operational toll of cyber-attacks on victims is significant.
Recommendations
Businesses of all sizes should prioritize cyber risk management, embed it into governance, and lead from the top. Enhanced vigilance and preparedness are critical given the rising threat landscape.
Stakeholder Advisories
Government officials urge businesses to treat cyber-resilience as a priority, warning of intensified hostile activity. GCHQ Director emphasizes proactive risk management.
Post Incident Analysis
state-backed threats ransomware hacktivism expanding digital attack surface prioritize cyber risk management embed governance enhance vigilance
References
SEPTEMBER 2025
100
Ransomware
100
critical Already minimum
MAR1193411110425Incident Details -
Type
ransomware cartel-style cybercrime operation affiliate-based attack
Attack Vector
SMB (Server Message Block) exploitation lateral movement via network shares recruitment of affiliates for branded variants partnerships with initial access brokers (e.g., Scattered Spider)
Motivation
financial gain dominance in ransomware ecosystem recruitment of affiliates disruption of rival groups
Impact
local storage network shares via SMB encryption of files potential data leaks (threatened for September 2 and 22) disruption of rival ransomware operations (e.g., BlackLock, Ransomhub) potential reputational damage to affected entities (e.g., Marks & Spencer) undermining trust in rival ransomware groups
Response
recommended as a defense measure recommended for unusual access to shared resources
Data Breach
threatened (e.g., leaks scheduled for September 2 and 22) ChaCha20 + RSA per-file encryption 10-byte metadata block (encodes mode, percentage, size) supports full (0x24), partial (0x25), and header-only (0x26) modes
Lessons Learned
Ransomware groups are evolving into cartel-like structures to consolidate power and resources. Affiliate recruitment and branded variants increase the scale and complexity of attacks. Partnerships with initial access brokers (e.g., Scattered Spider) amplify threat capabilities. Aggressive tactics (e.g., defacing rival leak sites) disrupt the cybercriminal ecosystem. Legacy ransomware code (e.g., Conti) continues to fuel new operations.
Recommendations
Implement robust backup practices to mitigate encryption impacts. Restrict lateral movement via network segmentation. Monitor for unusual access to shared resources (e.g., SMB). Apply consistent patching and endpoint protection. Conduct user awareness training to prevent initial access exploits. Defend against affiliate-based attacks by tracking emerging ransomware strains.
Investigation Status
['ongoing (as of latest reports)']
Initial Access Broker
enterprise environments retailers (e.g., Marks & Spencer) rival ransomware groups (e.g., BlackLock, Ransomhub)
Post Incident Analysis
Exploitation of Conti’s leaked source code for new ransomware development. Leveraging affiliate networks to scale attacks (e.g., Devman, Scattered Spider). Use of SMB for lateral movement and network-wide encryption. Cartel-like coordination to dominate the ransomware ecosystem.
References
AUGUST 2025
100
Cyber Attack
100
critical Already minimum
MAR628082925Incident Details -
Type
Cyber Attack Ransomware Phishing Supply Chain Attack
Attack Vector
AI-driven attacks Cybercrime-as-a-Service (CaaS) Ransomware Phishing Supply Chain Compromise
Motivation
Financial gain Disruption Data theft
Impact
Financial Loss: £64 billion (collective UK businesses); £300 million (M&S alone) Operational Impact: Significant disruption to business operations, particularly for SMEs Revenue Loss: £300 million (M&S); £27 billion annual revenue loss potential for UK businesses without cybersecurity investment Brand Reputation Impact: Severe for smaller/lesser-known companies; manageable for well-established brands
Regulatory Compliance
Regulatory Notifications: Cyber Security and Resilience Bill (upcoming, 2025)
Lessons Learned
Proactive cybersecurity measures are significantly more cost-effective than reactive responses (up to 10x cost savings). AI and Cybercrime-as-a-Service (CaaS) are democratizing cyber attacks, increasing threat sophistication. Cyber insurance is becoming a necessity, with premiums reducible by up to 75% through measures like XDR, MFA, and vulnerability scanning. Outsourcing cybersecurity improves IT efficiency, performance, and reduces downtime for 68% of businesses. Strong cybersecurity credentials can drive revenue growth and customer trust, especially as consumers become more cyber-aware.
Recommendations
Shift from reactive to proactive cybersecurity strategies to mitigate financial and operational risks. Invest in advanced security measures such as XDR platforms, multi-factor authentication (MFA), and vulnerability scanning. Prioritize cyber insurance to comply with upcoming regulations (e.g., Cyber Security and Resilience Bill 2025) and reduce premiums through risk mitigation. Outsource cybersecurity to leverage external expertise, especially for SMEs lacking in-house capabilities. View cybersecurity as a revenue driver, not just a cost center, to gain competitive advantage and customer trust. Educate stakeholders on the financial and operational benefits of early cybersecurity investment.
Investigation Status
Ongoing (general trend analysis; specific incidents may vary)
Customer Advisories
Customers advised to monitor communications from affected retailers for potential data breach notifications or protective measures.
Stakeholder Advisories
Businesses urged to adopt proactive cybersecurity measures to mitigate risks from evolving threats (AI, nation-states, CaaS).
Initial Access Broker
Retail systems Luxury brand databases Supply chain partners
Post Incident Analysis
Underinvestment in proactive cybersecurity measures Over-reliance on in-house teams without external expertise Failure to adapt to evolving threats (AI, CaaS, nation-state actors) Lack of comprehensive cyber insurance and resilience planning Increase cybersecurity budgets (77% of UK businesses planning to do so). Implement XDR, MFA, and vulnerability scanning to reduce insurance premiums. Adopt outsourced cybersecurity solutions for specialized expertise. Comply with upcoming regulations (e.g., Cyber Security and Resilience Bill 2025). Position cybersecurity as a strategic revenue driver, not just a protective measure.
References
JULY 2025
100
Ransomware
100
critical Already minimum
BELMAR1770616665Incident Details -
Type
Ransomware
Motivation
Financial gain
Impact
Data Compromised: 156GB of company data, including backups and employee profiles Systems Affected: Corporate systems, mobile app infrastructure, e-commerce services (implied from M&S impact) Operational Impact: Disruption of online operations, potential supply chain disruptions Brand Reputation Impact: Significant (stock market value drop for M&S, public disclosure) Identity Theft Risk: High (exposed PII)
Response
Third Party Assistance: Cybernews (researchers) Communication Strategy: Filing with New Hampshire Attorney General’s Office
Data Breach
Names Dates of birth Addresses Phone numbers Email addresses Order histories Store coupons Employee records Mobile app infrastructure data Number Of Records Exposed: Up to 1 million users (estimated) Sensitivity Of Data: High (Personally Identifiable Information, employee data) Data Exfiltration: Yes (156GB of data) Data Encryption: Yes (ransomware strain) Personally Identifiable Information: Yes
Regulatory Compliance
Regulatory Notifications: Filing with New Hampshire Attorney General’s Office
Initial Access Broker
Data Sold On Dark Web: Potential (group operates dark web blog)
References
JULY 2025
100
Ransomware
100
critical Already minimum
MAR5392253090725Incident Details -
Type
Ransomware (M&S) Cyber Attack (Harrods, Co-op) Data Breach (Adidas) IT Outage (H&M, suspected cyber attack)
Attack Vector
Third-party customer-service provider (Adidas) Unauthorised access attempt (Harrods) Ransomware (M&S, linked to DragonForce RaaS) Potential exploitation of smart building systems/IoT (speculative for H&M/Co-op) Unguarded network sockets or physical access (theoretical, per RICS)
Vulnerability Exploited
Third-party vendor security (Adidas) Smart building systems (IoT, access control, CCTV, HVAC) (theoretical)
Motivation
Financial gain (ransomware, data theft) Disruption (operational impact) Data exfiltration (customer PII)
Impact
£300m market value loss (M&S) Up to £73m revenue loss per minute for payment outages (industry estimate) Customer names/contact details (Adidas, Co-op) Customer information (M&S, no payment details/passwords) None confirmed (Harrods, H&M) Ecommerce, contactless payments (M&S) Internal IT systems, internet access (Harrods) Payments systems (H&M, in-store) IT systems (Co-op, leading to empty shelves) Third-party customer service (Adidas) >2 months (partial recovery for M&S) Minimal (Harrods) 2 hours (H&M, some locations) Short-term (Co-op) Suspended online orders, no contactless payments (M&S) Empty shelves (Co-op) In-store payment failures (H&M) Internet access paused in stores (Harrods) None (Adidas) Significant (M&S, Co-op, H&M during outage) Likely (M&S, Co-op, H&M) High (M&S, Co-op, H&M) Moderate (Harrods, Adidas) Low (Adidas, Co-op: names/contact details only) None (all incidents)
Response
Yes (M&S, Harrods, Co-op) Likely (M&S, Co-op for forensic investigation) Restricted internal IT systems, paused internet access (Harrods) Shut down parts of IT systems (Co-op) Suspended online orders (M&S) Partial restoration of online services (M&S) Ongoing (M&S) Quick recovery (H&M, Harrods) Public disclosures (all) Customer apologies (H&M, M&S)
Data Breach
Customer names/contact details (Adidas, Co-op) Customer information (M&S, no specifics) Low (Adidas, Co-op: PII but no financial data) Yes (Adidas, Co-op, M&S) No evidence (Harrods) Yes (names, contact details for Adidas/Co-op) Unspecified (M&S)
Regulatory Compliance
Potential GDPR (Adidas, Co-op, M&S for PII exposure) Likely (ICO for Adidas, Co-op, M&S)
Lessons Learned
Retailers must secure third-party vendors, smart building systems, and IoT devices to reduce attack surfaces. Rapid containment (e.g., Co-op’s IT shutdown) can mitigate ransomware deployment. Public-facing disruptions (e.g., payment outages) erode customer trust and revenue, highlighting the need for resilient backup systems and transparent communication.
Recommendations
Implement zero-trust architecture for third-party access. Audit and segment IoT/building management systems from critical networks. Develop playbooks for ransomware attacks, including offline payment contingencies. Enhance employee training on physical security (e.g., unguarded network sockets). Conduct regular red-team exercises simulating supply-chain and RaaS attacks.
Investigation Status
Ongoing (M&S) Completed (Adidas, Co-op, Harrods) Unconfirmed (H&M)
Customer Advisories
Apologies and service updates (H&M, M&S, Co-op) Data breach notifications (Adidas, Co-op)
Stakeholder Advisories
Market updates (M&S £300m loss)
Initial Access Broker
Third-party vendor (Adidas) Potential physical access (unguarded sockets/IoT for others) Customer databases (M&S, Adidas, Co-op) Payment systems (H&M, M&S)
Post Incident Analysis
Third-party vendor vulnerabilities (Adidas) Insecure IoT/building systems (theoretical for Co-op/H&M) RaaS proliferation (DragonForce for M&S) Lack of payment system redundancy (H&M, M&S) Vendor security audits (Adidas) IT system segmentation (Co-op, Harrods) Offline payment fallback (H&M, M&S)
References
JUNE 2025
100
Ransomware
100
critical Already minimum
MAR1993619102425Incident Details -
Type
Data Breach Ransomware (M&S) Third-Party Exploitation Payment System Disruption
Attack Vector
Stolen Credentials (Third-Party Vendors) Unmonitored Endpoints API Exploitation Poorly Secured User Accounts Phishing/Social Engineering (Potential) Known Vulnerabilities (Unpatched Systems)
Vulnerability Exploited
Identity and Access Control Weaknesses Lack of Centralized Log Management Unsegmented Networks Unmonitored API Traffic Delayed Patch Management
Motivation
Financial Gain (Ransomware) Data Theft (Customer Records) Disruption of Operations
Response
Network Segmentation (Recommended) Isolation of Affected Systems (Recommended) Centralized Log Management Real-Time Threat Detection Patch/Vulnerability Management Identity and Access Control Reforms (MFA, Least Privilege) Immutable Backups (Recommended) System Restoration Protocols Transparency in Public Disclosures (Recommended) Stakeholder/Regulator Notifications
Data Breach
Customer Records (Co-op: 6.5M) Potential Payment Information (M&S) Personally Identifiable Information (PII) Number Of Records Exposed: 6.5 million (Co-op) Sensitivity Of Data: High (PII, Payment Data)
Lessons Learned
Proactive visibility across identity, access, and infrastructure is critical to detect threats early. Centralized log management and real-time threat detection are essential to limit breach impact. Zero Trust and network segmentation reduce lateral movement and blast radius. API and application monitoring must be prioritized to detect anomalous activity. Automated vulnerability management and patching reduce exposure to known exploits. Security culture and human resilience (e.g., phishing training) are vital to mitigate insider threats. Incident response plans must include immutable backups, clear communication protocols, and post-incident reviews. Transparency in breach disclosures helps retain customer trust and brand reputation.
Recommendations
Adopt a visibility-first security posture with centralized log management and SIEM capabilities. Enforce least-privilege access, MFA, and continuous monitoring for identity and access controls. Implement network segmentation and Zero Trust principles to limit breach impact. Monitor API traffic and application behavior in real time for early threat detection. Automate vulnerability scanning and prioritize patching based on risk/exploitability. Invest in regular, scenario-based security training for employees to reduce human error. Develop and test incident response plans with tabletop exercises and immutable backups. Ensure transparent, timely communication with stakeholders, regulators, and customers during breaches. Conduct thorough post-incident root cause analyses to harden systems and share lessons industry-wide. Treat cybersecurity as a board-level priority tied to business continuity, not just an IT issue.
Investigation Status
['Ongoing (Louis Vuitton in early disclosure; M&S and Co-op likely concluded)']
Initial Access Broker
Third-Party Vendors (Compromised Credentials) Unmonitored Endpoints API Exploitation Reconnaissance Period: Days to weeks (undetected dwell time) Customer Databases Payment Systems Brand Reputation
Post Incident Analysis
Lack of centralized visibility into digital environments (logs, telemetry, user activity). Weak identity/access controls (stolen credentials, unmonitored endpoints). Siloed logging and delayed threat detection. Insufficient network segmentation enabling lateral movement. Unpatched vulnerabilities and poor API security. Inadequate security culture/training (phishing, social engineering risks). Deploy unified log management and real-time threat detection platforms. Enforce Zero Trust architecture with strict access controls and MFA. Segment networks to limit breach impact and lateral movement. Enhance API/application monitoring for behavioral anomalies. Automate vulnerability scanning and prioritize high-risk patching. Integrate security awareness into organizational culture via regular training. Test incident response plans with simulations and ensure immutable backups. Improve post-incident communication transparency to retain customer trust.
References
JUNE 2025
100
Breach
100
critical Already minimum
VICMARCAR1772649374Incident Details -
Type
Data Breach Credential Stuffing Cyberattack
Attack Vector
Credential Stuffing Unauthorized Access
Impact
Financial Loss: $20 million in Q2 net sales (projected for Victoria’s Secret) Data Compromised: Customer data including names, emails, purchase history, shipping addresses, birth dates, and phone numbers Websites In-store services Downtime: May 26 to May 29, 2025 (Victoria’s Secret) Operational Impact: Delayed fiscal Q1 earnings report, paused in-store services Brand Reputation Impact: Long-term trust erosion
Response
Shut down website Paused in-store services
Data Breach
Names Emails Purchase history Shipping addresses Birth dates Phone numbers Sensitivity Of Data: High (Personally Identifiable Information) Personally Identifiable Information: Yes
Lessons Learned
Retailers are prime targets due to vast amounts of sensitive customer data; supply chain vulnerabilities pose significant risks.
References
JUNE 2025
100
Ransomware
100
critical Already minimum
HARMARTHEBRI1769526687Incident Details -
Type
Ransomware
Motivation
Financial gain, exploitation of perceived security gaps
Impact
Systems Affected: Multiple servers within IT infrastructure Operational Impact: IT staff worked remotely during containment
Response
Containment Measures: IT staff worked remotely to contain the breach
Investigation Status
['Ongoing']
References
MAY 2025
100
Cyber Attack
100
critical Already minimum
THEHARMARPET1770508437Incident Details -
Type
Ransomware
Attack Vector
Phishing SIM-swapping Help desk impersonation Exploitation of legitimate remote access tools
Impact
Operational Impact: Disruptions to food deliveries, delays, potential shortages, and concerns over consumer panic buying
Lessons Learned
The attack underscores the high stakes of cybersecurity in retail, where even brief outages can ripple through digital and physical operations. Retailers must adopt a layered defense strategy, including enforced multi-factor authentication (MFA), restricted remote access, and employee training to recognize social engineering attempts.
Recommendations
Enforced multi-factor authentication (MFA) Restricted remote access Employee training to recognize social engineering attempts Layered defense strategy Enhanced monitoring and real-time detection capabilities
Post Incident Analysis
Root Causes: Reliance on digital supply chains, inadequate cybersecurity measures, and evolving regulatory complexities. Nearly half of surveyed retailers admit past breaches have left their systems inadequately secured.
References
MAY 2025
100
Cyber Attack
100
critical Already minimum
MARCALWAISAITOYTHEMORPET-TE1772023906Incident Details -
Type
ransomware
Motivation
financial gain
Impact
Systems Affected: order processing systems Downtime: order handling suspended on Thursday Operational Impact: disrupted order processing for major UK supermarkets Brand Reputation Impact: potential reputational risk due to unreported incidents in the sector
Response
Incident Response Plan Activated: workarounds implemented to maintain deliveries Containment Measures: order processing suspended Communication Strategy: regular updates provided to clients
Lessons Learned
Supply chain vulnerabilities amplify the impact of cyber breaches; follow-on attacks (e.g., vendor email compromise) are a risk; perishable goods sectors are lucrative targets due to tight timelines.
Recommendations
Enhance cybersecurity measures for supply chain partners; implement network segmentation; adopt adaptive behavioral WAF; use on-demand scrubbing services; monitor for follow-on attacks like vendor email compromise.
Investigation Status
['ongoing']
Stakeholder Advisories
Regular updates provided to clients (supermarkets)
References
MAY 2025
100
Ransomware
100
critical Already minimum
CHRMAR1769504421Incident Details -
Type
Ransomware
Impact
Data Compromised: Names, gender details, phone numbers, email and postal addresses, purchase history, fashion preferences categorized by gender and age Systems Affected: Internal servers Brand Reputation Impact: Raises concerns about long-term privacy risks Identity Theft Risk: Poses risks for targeted phishing attacks and identity theft Payment Information Risk: No financial information such as payment details was leaked
Response
Incident Response Plan Activated: Yes Containment Measures: Security measures implemented to contain the breach and prevent further spread of the malware Communication Strategy: Customers advised to monitor their accounts for suspicious activity; updates to be provided as new details emerge
Data Breach
Type Of Data Compromised: Customer data Sensitivity Of Data: High (personal details, purchase history, fashion preferences) Data Encryption: File-encrypting malware involved Personally Identifiable Information: Names, gender details, phone numbers, email and postal addresses
Investigation Status
Ongoing
Customer Advisories
Monitor accounts for suspicious activity; stolen data may be exploited in phishing schemes over the next 6 to 12 months
References
MAY 2025
100
Ransomware
100
critical Already minimum
MAR824090225Incident Details -
Type
Ransomware Cyberattack
Attack Vector
Phishing SIM Swapping Multi-Factor Authentication (MFA) Fatigue
Motivation
Financial Gain (Ransomware)
Impact
Financial Loss: £700 million (M&S market value wiped; ~£3.8M daily revenue loss from halted online sales) Online order processing Contactless payments Click-and-collect services Warehouse logistics (Castle Donington) Gift card/return processing Job application portal Online Orders: Ongoing since 2024-04-25 (as of 2024-05-02) Contactless Payments: Disrupted since 2024-04-21 Warehouse Operations: Partial shutdown (200 agency workers sent home) Empty shelves in stores (e.g., Percy Pigs sweets shortage) Limited food availability Paused recruitment (200+ job listings removed) Supply chain disruptions Revenue Loss: £3.8M/day (online sales halted; ~1/3 of clothing/home revenue) Customer Complaints: Reported issues with payments, gift cards, and returns Brand Reputation Impact: Significant (6.5% share price drop; publicized operational failures) Payment Information Risk: Potential (contactless payment systems disrupted)
Response
Incident Response Plan Activated: Yes (Systems taken offline as precaution) Third Party Assistance: Yes (Cybersecurity experts engaged by Harrods) Law Enforcement Notified: Yes (Metropolitan Police and NCSC investigating) Online orders suspended Job listings removed Affected systems isolated Initial public disclosure (2024-04-21) Limited updates (last statement on 2024-04-25) Harrods assured customers of normal operations
Data Breach
Data Encryption: Yes (DragonForce ransomware encrypted files)
Regulatory Compliance
Regulatory Notifications: NCSC advised retailers to tighten cybersecurity; consumers urged to check bank activity
Recommendations
Retailers urged to enhance cybersecurity (NCSC advisory) Consumers advised to monitor bank activity and update passwords Multi-Factor Authentication (MFA) hardening recommended
Investigation Status
Ongoing (Metropolitan Police and NCSC investigating as of 2024-04-30)
Customer Advisories
M&S warned of service disruptions; Harrods assured normal operations
Stakeholder Advisories
NCSC urged retailers to tighten cybersecurity; no specific advisories from M&S/Harrods
Initial Access Broker
Phishing SIM Swapping MFA Fatigue Payment systems Warehouse logistics Job application portal
Post Incident Analysis
Phishing vulnerabilities MFA fatigue exploits Lack of segmentation (warehouse/retail systems impacted)
References
APRIL 2025
100
Cyber Attack
100
critical Already minimum
MAR3792037102625Incident Details -
Type
Cyberattack Third-Party Breach Social Engineering Supply Chain Attack
Attack Vector
Sophisticated Impersonation Third-Party Vendor Compromise (TCS Help-Desk Access) Credential Theft
Vulnerability Exploited
Human Trust in Help-Desk Processes Weak Authentication for Third-Party Access Lack of Multi-Factor Authentication (MFA) for Vendor Logins
Motivation
Financial Gain Disruption Data Theft (Presumed)
Impact
Financial Loss: £300 million (estimated lost operating profit) Online Shopping Platform Click-and-Collect Operations Supply Chain Systems Inventory Management Store Stocking Systems Extended suspension of online orders (weeks) Partial halt of click-and-collect services Empty shelves in physical stores Supply chain disruptions Inventory mismanagement Loss of customer trust Conversion Rate Impact: Significant (customers unable to place orders) Revenue Loss: £1 billion+ (market capitalization wiped out) Customer Complaints: Widespread (due to unfulfilled orders and stock shortages) Brand Reputation Impact: Severe (damaged reliability perception, competitive disadvantage)
Response
Incident Response Plan Activated: Yes (though details undisclosed) Suspension of online orders Partial halt of click-and-collect services Isolation of compromised systems (presumed) Contract termination with TCS for help-desk services Review of third-party access controls Enhanced authentication for vendor logins (presumed) Restoration of online shopping platform Rebuilding supply chain operations Customer communication campaigns Public disclosure of incident Statements to MPs (UK Parliament) Investor updates Media responses Enhanced Monitoring: Likely (though not explicitly stated)
Lessons Learned
Vendor access equals attack surface; third-party personnel and processes must be treated as part of the cyber footprint. Social engineering (e.g., impersonation of help-desk staff) remains a critical vulnerability, bypassing technical defenses. Outsourcing does not absolve the client of accountability for cybersecurity, regulatory compliance, or business continuity. Contract renewal timelines should account for cyber risk assessments, especially for high-access vendors. Transparency in incident communication is essential to mitigate reputational damage and stakeholder speculation. Retailers must map 'critical vendors' and integrate them into cybersecurity strategies, not treat them as peripheral suppliers. Disruptions to digital platforms (e.g., online shopping) can have immediate bottom-line impacts, including market share loss to competitors.
Recommendations
Implement stricter authentication for third-party vendor access (e.g., MFA, behavioral biometrics). Conduct regular audits of vendor cybersecurity practices, especially for help-desk and privileged access roles. Develop incident response playbooks specifically for third-party breaches, including clear communication protocols. Integrate vendor risk management into enterprise cybersecurity frameworks, treating critical suppliers as extensions of internal systems. Enhance training for help-desk staff to detect and resist social engineering attacks (e.g., impersonation, phishing). Review outsourcing contracts to include cybersecurity SLAs, liability clauses, and breach response obligations. Adopt zero-trust principles for vendor access, minimizing standing privileges and enforcing least-privilege access. Monitor dark web and underground forums for signs of compromised vendor credentials or targeted attacks.
Investigation Status
Ongoing (as of July 2025; TCS maintains no compromise of its systems)
Customer Advisories
M&S notifications about service disruptions Apologies for order delays and stock shortages
Stakeholder Advisories
M&S updates to investors and MPs TCS communications to clients and media
Initial Access Broker
Entry Point: TCS help-desk staff credentials (impersonation/social engineering) M&S online shopping platform Supply chain systems Inventory management
Post Incident Analysis
Over-reliance on third-party vendor (TCS) for critical help-desk access without sufficient safeguards. Lack of robust authentication (e.g., MFA) for vendor logins, enabling credential theft via impersonation. Inadequate segmentation between M&S systems and TCS help-desk access, allowing lateral movement. Social engineering vulnerabilities in help-desk processes (e.g., scripted password resets). Complex outsourcing ecosystem with elevated third-party access, increasing attack surface. Termination of TCS help-desk contract (though M&S claims unrelated to breach). Likely review of all third-party access controls and authentication mechanisms. Potential adoption of zero-trust architecture for vendor access. Enhanced monitoring of help-desk activities for anomalous behavior. Reevaluation of outsourcing strategies to balance cost savings with cyber risk.
References
JANUARY 2025
497
Breach
100
critical -397
HARMAR1773319278Incident Details -
Type
Identity Breach
Attack Vector
Social Engineering
Vulnerability Exploited
Account recovery workflows (password resets, MFA re-enrollment, help-desk recovery requests)
Impact
Brand Reputation Impact: High Identity Theft Risk: High
Data Breach
Personally Identifiable Information: Likely
Lessons Learned
Recovery workflows must be designed for adversarial conditions. High-risk actions should trigger step-up verification, and self-service resets must preserve identity assurance rather than weaken it. Recovery processes are rarely treated as high-risk security events, creating a systemic flaw in identity security.
Recommendations
1. Treat recovery workflows as high-risk security events. 2. Implement step-up verification for high-risk actions. 3. Preserve identity assurance during self-service resets. 4. Redesign recovery processes to account for modern adversarial tactics like AI-driven impersonation and social engineering.
Post Incident Analysis
Root Causes: 1. Recovery processes rely on outdated assumptions (e.g., trust in human judgment, static knowledge-based questions). 2. Identity assurance is treated as disposable during recovery. 3. MFA effectiveness collapses during recovery due to weak verification requirements.
References
Ransomware
100
high -397
MARCOL1772024134Incident Details -
Type
Ransomware
Vulnerability Exploited
Vulnerabilities in global digital infrastructure
Motivation
Financial profit
Impact
£300 million (Marks & Spencer) Colonial Pipeline disruption Operational Impact: Crippling operations
Data Breach
Data Encryption: Files encrypted
Post Incident Analysis
Root Causes: Exploitation of vulnerabilities in global digital infrastructure
References
Ransomware
100
critical -397
MARASAJAG1771331989Incident Details -
Type
Ransomware
Attack Vector
Unpatched vulnerabilities Weak/reused passwords Missing multi-factor authentication (MFA) Social engineering AI-driven phishing Deepfake impersonation Misconfigured cloud/AI tools
Vulnerability Exploited
Unpatched systems Misconfigured deployments Excessive user permissions Legitimate account compromise
Motivation
Financial gain
Impact
Financial Loss: Average ransom demand of $1.3 million, with over 50% exceeding $1 million Operational Impact: Severe long-term operational and financial damage
Data Breach
Data Encryption: Yes (ransomware-related)
Lessons Learned
Over 80% of attacks stem from misconfigured or unpatched systems. Stronger security fundamentals (patching, MFA, monitoring) can significantly reduce risks. Prevention is more cost-effective than reacting to attacks.
Recommendations
Patch vulnerabilities promptly Enforce multi-factor authentication (MFA) Monitor for unusual account activity Secure board-level investment for proactive measures Avoid paying ransoms to break the cycle
Post Incident Analysis
Poor cyber hygiene Expanding attack surfaces (cloud, AI, remote work) AI-driven tactics (phishing, deepfakes) Social engineering (e.g., ClickFix) Unpatched vulnerabilities and misconfigurations Improve patch management Enforce MFA and least-privilege access Enhance monitoring for lateral movement Secure AI and cloud deployments Invest in employee training for social engineering awareness
References
DECEMBER 2024
525
Cyber Attack
495
critical -30
DAVCAECHAPOWKASFILMARSOLNAS1770898846Incident Details -
Type
Ransomware
Attack Vector
Supply Chain Attack Phishing Exploiting Unpatched Systems AI-Driven Attacks Vishing
Vulnerability Exploited
Known flaws in outdated software Zero-day vulnerabilities
Motivation
Financial gain Extortion Data theft Operational disruption
Impact
62M students and 9.5M teachers (PowerSchool) 5.6M patient records (Yale New Haven Health) 1TB of data (NASCAR) 2.7M patients' health data (DaVita) 193M victims (Change Healthcare) 16.6M customers (LoanDepot) Healthcare Fuel distribution Retail Identity security Education Casino operations Loan services Disrupted loan services (LoanDepot) Service disruptions and revenue losses (Ingram Micro) Profit drop (Marks & Spencer) 90% profit drop (Marks & Spencer) $18M class-action lawsuit settlement (Yale New Haven Health)
Data Breach
Student records Teacher records Patient health data Corporate data 62M 9.5M 5.6M 1TB 2.7M 193M 16.6M High Yes Yes (in some cases) Yes
Regulatory Compliance
Class-action lawsuit (Yale New Haven Health)
Post Incident Analysis
Unpatched systems Phishing Supply chain vulnerabilities AI-driven attacks
References
JUNE 2024
498
Cyber Attack
471
critical -27
MAR5032050110325Incident Details -
Type
Cyber Attack Data Breach Fraud (Deepfake) Ransomware
Attack Vector
Phishing Deepfake Impersonation Ransomware Social Engineering Exploitation of Human Weaknesses
Vulnerability Exploited
Human Error Lack of Multi-Factor Authentication (MFA) Insufficient Employee Training Weak Access Controls
Motivation
Financial Gain Data Theft Reputation Damage
Impact
Financial Loss: $25M (Hong Kong Deepfake Fraud); Undisclosed for Marks and Spencer Disruption of Critical Applications Potential Loss of Customer Trust Regulatory Scrutiny High (Marks and Spencer CEO initiated timely communications to mitigate damage) Long-term Trust Erosion Risk
Response
Incident Response Plan Activated: Likely (Marks and Spencer CEO initiated communications; incident response retainers mentioned as best practice) Cloud Backup Providers (e.g., Amazon, Google, Microsoft) Specialist Third-Party Backup Services Incident Response Retainers CEO-Led Transparent Communication Cloud Backups for Data Recovery Employee Training on Deepfake/Phishing Prioritization of Critical Applications (e.g., Payroll, Supplier Payments) Third-Party Support for Restoration Timely Digital Communications by CEO (Marks and Spencer) Transparency with Regulators/Investors Early Detection Technologies for Threat Identification
Regulatory Compliance
Regulatory Notifications: Likely (Transparency with regulators emphasized as best practice)
Lessons Learned
Humans remain the weakest link in cybersecurity; advanced training (e.g., deepfake/phishing awareness) is critical. Proactive cyber resilience requires board-level engagement and accountability. Operational continuity relies on robust backups (cloud + third-party) and clear prioritization of critical systems. Transparent, timely communication with stakeholders (customers, investors, regulators) is essential to mitigate reputational damage. Third-party incident response retainers and cybersecurity providers can accelerate recovery and reduce burnout.
Recommendations
Elevate cybersecurity to a board-level imperative with designated expertise (e.g., Virtual CISO). Implement multi-layered defenses: MFA, adaptive behavioral WAFs, network segmentation, and enhanced monitoring. Conduct regular simulations of cyber incidents to test response plans and recovery timelines. Invest in employee training programs that address emerging threats (e.g., deepfakes, social engineering). Establish incident response retainers for immediate access to expert assistance during breaches. Maintain separate third-party backups of cloud data to ensure rapid recovery of critical applications. Develop a communication strategy that prioritizes openness and honesty within 48 hours of an incident.
Customer Advisories
Transparency about breach impact and remediation steps (Marks and Spencer)
Stakeholder Advisories
CEO-led digital communications (Marks and Spencer) Regulatory reporting (emphasized as best practice)
Initial Access Broker
Phishing Emails Deepfake Impersonation (Hong Kong Case) Financial Systems (e.g., CFO impersonation) Customer Data Critical Applications
Post Incident Analysis
Human Error (e.g., falling for deepfake/phishing) Inadequate Training Lack of Proactive Threat Detection Enhanced employee training on emerging threats. Implementation of third-party backup solutions. Board-level cybersecurity accountability. Adoption of early detection technologies.
References
FEBRUARY 2024
711
Ransomware
463
critical -248
MAR847071225Incident Details -
Type
Ransomware
Attack Vector
Phishing, Impersonation
Vulnerability Exploited
Unauthorized system access via help desk
Motivation
Financial gain
Impact
Financial Loss: £300 million ($403 million) Virtual machines Contactless payments Click-and-collect Online ordering Downtime: Seven weeks Operational Impact: Online business taken offline Revenue Loss: £300 million ($403 million)
Lessons Learned
Employees should be trained to recognize and report cyber threats promptly. Organizations should foster a culture of transparent and timely communication of cyber threats.
Recommendations
Implement training and attack simulation training to help employees recognize and respond to cyber threats appropriately.
Initial Access Broker
Entry Point: Help desk
Post Incident Analysis
Root Causes: Employee impersonation and unauthorized system access Corrective Actions: Improve employee training and foster a culture of transparent communication
References
JUNE 2023
797
Ransomware
700
critical -97
MAR1662016090825Incident Details -
Type
Unauthorized Access Attempt Ransomware Attack
Attack Vector
Phishing MFA Bombing SIM Swapping Exploitation of IT Help Desks
Motivation
Financial Gain (ransomware)
Impact
Back-office systems (Co-op) Call centers (Co-op) Servers (M&S, encrypted) Online ordering systems (M&S) App-based ordering (M&S) Partial (Co-op back-office/call centers) 6+ days (M&S clothing/home orders) Disruption to call centers (Co-op) Paused clothing/home orders (M&S) Limited food product availability (M&S) Potential reputational damage (both companies) Disruption during peak summer demand (M&S)
Response
Yes (Co-op: proactive steps) Yes (M&S: systems taken offline) National Cyber Security Centre (NCSC) National Crime Agency (NCA) Metropolitan Police Cyber Crime Unit Yes (M&S: Metropolitan Police investigating) Likely (Co-op: not explicitly stated) Shut down back-office/call center systems (Co-op) Offline systems (M&S) Working to reduce disruption (Co-op) Public statements (both companies)
Data Breach
Yes (M&S servers encrypted)
Regulatory Compliance
U.S. prosecutors charged 5 alleged Scattered Spider members (November 2023)
Investigation Status
Ongoing (NCSC, NCA, Metropolitan Police involved)
Customer Advisories
Public statements confirming operational status (Co-op) No specific advisories mentioned (M&S)
Initial Access Broker
IT help desks (via social engineering) M&S servers (encrypted)
Post Incident Analysis
Social engineering (MFA bombing, SIM swapping, phishing)
References
JANUARY 2023
795
Cyber Attack
765
critical -30
THEBARHSBLLONATMAR1774391436Incident Details -
Type
IT outage Cyber threat
Motivation
Financial gain Disruption
Impact
Systems Affected: Banking services, customer access to funds Downtime: 803 hours (33 days) Operational Impact: Service disruptions, inability to access funds Brand Reputation Impact: Erosion of public trust in financial institutions
Response
Remediation Measures: Investing hundreds of millions of pounds to bolster IT systems Communication Strategy: Public apologies from executives (e.g., Barclays UK CEO Vim Maru)
Regulatory Compliance
Regulatory Notifications: Treasury Committee inquiry into banking resilience
Lessons Learned
Businesses should assume a cyberattack is a matter of *when*, not *if*. The financial sector must prioritize cybersecurity investments and resilience planning.
Recommendations
Increase investment in IT systems, enhance monitoring and response capabilities, and prepare for inevitable cyber threats.
Post Incident Analysis
Root Causes: Escalating cyber threats, IT system vulnerabilities, and increasing sophistication of attackers Corrective Actions: Bolstering IT systems, increasing cybersecurity investments, and improving incident response planning
References
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Marks and Spencer ?
According to Rankiteo, the current A.I.-based Cyber Score for Marks and Spencer is 100, which corresponds to a Critical rating.
What was Marks and Spencer’s A.I Rankiteo Cyber Score in March 2026 ?
According to Rankiteo, the A.I. Rankiteo Cyber Score for March 2026 was 100.
What was Marks and Spencer’s A.I Rankiteo Cyber Score in February 2026 ?
According to Rankiteo, the A.I. Rankiteo Cyber Score for February 2026 was 100.
What was Marks and Spencer’s A.I Rankiteo Cyber Score in January 2026 ?
According to Rankiteo, the A.I. Rankiteo Cyber Score for January 2026 was 100.
What was Marks and Spencer’s A.I Rankiteo Cyber Score in December 2025 ?
According to Rankiteo, the A.I. Rankiteo Cyber Score for December 2025 was 100.
What was Marks and Spencer’s A.I Rankiteo Cyber Score in November 2025 ?
According to Rankiteo, the A.I. Rankiteo Cyber Score for November 2025 was 100.
What was Marks and Spencer’s A.I Rankiteo Cyber Score in October 2025 ?
According to Rankiteo, the A.I. Rankiteo Cyber Score for October 2025 was 100.
What was Marks and Spencer’s A.I Rankiteo Cyber Score in September 2025 ?
According to Rankiteo, the A.I. Rankiteo Cyber Score for September 2025 was 100.
What was Marks and Spencer’s A.I Rankiteo Cyber Score in August 2025 ?
According to Rankiteo, the A.I. Rankiteo Cyber Score for August 2025 was 100.
What was Marks and Spencer’s A.I Rankiteo Cyber Score in July 2025 ?
According to Rankiteo, the A.I. Rankiteo Cyber Score for July 2025 was 100.
What was Marks and Spencer’s A.I Rankiteo Cyber Score in June 2025 ?
According to Rankiteo, the A.I. Rankiteo Cyber Score for June 2025 was 100.
What was Marks and Spencer’s A.I Rankiteo Cyber Score in May 2025 ?
According to Rankiteo, the A.I. Rankiteo Cyber Score for May 2025 was 100.
What is the average per-incident point impact on Marks and Spencer’s A.I Rankiteo Cyber Score over the past 12 months ?
Over the past 12 months, the average per-incident point impact on Marks and Spencer’s A.I Rankiteo Cyber Score has been 0 points.
Where can I access detailed records of all cyber incidents associated with Marks and Spencer ?
You can access Marks and Spencer’s cyber incident details on Rankiteo by visiting the following link: https://www.rankiteo.com/company/marks-and-spencer.
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ?
You can find the summary of the A.I Rankiteo Risk Scoring methodology on Rankiteo by visiting the following link: Rankiteo Algorithm.
Where can I view Marks and Spencer’s profile page on Rankiteo ?
You can view Marks and Spencer’s profile page on Rankiteo by visiting the following link: https://www.rankiteo.com/company/marks-and-spencer.
How accurate is the A.I Rankiteo Risk Scoring methodology ?
With scores of 18.5/20 from OpenAI ChatGPT, 20/20 from Mistral AI, and 17/20 from Claude AI, the A.I. Rankiteo Risk Scoring methodology is validated as a market leader.