Why Was M&S Hacked? Cyberattack Explained & What Businesses Can Learn

Marks & Spencer (M&S) was targeted in a cyberattack in late April 2025, alongside Co-op and Harrods, due to a sophisticated combination of social engineering, third-party vulnerabilities, and credential exploitation.

The attackers gained access by impersonating IT support staff, exploiting weak links in recruitment platform integrations, and using techniques like MFA fatigue to bypass security controls.

Here’s what happened, who was behind it, and (most importantly) what you can learn to protect your own business.

 

What Happened?

Between late April and early May 2025, three of the UK’s most well-known retailers — M&S, Co-op, and Harrods — fell victim to coordinated cyberattacks. The incidents are part of a broader wave of targeted threats aimed at large, digitally integrated retail and logistics networks.

These breaches caused real-world disruption, from delayed deliveries to disabled hiring platforms, and underscored how vulnerable even the most established brands can be when targeted by organised cybercrime groups.

 

Who Was Behind the Attacks?

Cybersecurity investigators have linked the attacks to two notorious threat actor groups:

  • Scattered Spider

  • DragonForce

Both are highly organised cybercriminal syndicates known for targeting large enterprises, often using social engineering and third-party compromise to bypass perimeter defences.

 

How Did the Hackers Gain Access?

1. Social Engineering & Impersonation

The attackers posed as IT support staff, reaching out to employees, particularly in HR and IT, via phone and email. Key tactics included:

  • Spoofing internal phone numbers and email addresses

  • Using data from LinkedIn and social platforms to build trust

  • Creating urgency with fake “IT issues” to bypass internal protocols

The result? Staff were tricked into handing over login credentials or installing remote access software.

2. Third-Party Vendor Compromise

Many large organisations rely on integrated third-party services, and that can be a hidden vulnerability. In this case:

  • M&S’s breach reportedly stemmed from a recruitment platform integration, which exposed systems used for click-and-collect and digital payments

  • Co-op’s attack was traced to compromised credentials belonging to a logistics vendor, providing unexpected backend access to internal systems

This technique is often referred to as a “supply chain attack”.

3. Credential Stuffing & MFA Fatigue

Once the attackers had a foot in the door, they escalated their access by:

  • Credential stuffing: Testing thousands of stolen usernames and passwords across internal systems

  • MFA fatigue: Repeatedly triggering Multi-Factor Authentication (MFA) requests until a user, overwhelmed or misled, unintentionally approves access

These methods are increasingly common and effective against organisations relying solely on MFA as a final defence.

 

What Was Affected?

  • Marks & Spencer (M&S):

    • Online order systems, payment platforms, and HR recruitment services experienced outages and delays. (Source)

  • Co-operative Group (Co-op):

    • Disrupted deliveries, exposed customer data (names, contact details, partial loyalty card info). (Source)

  • Harrods:

    • Detected intrusion early, responded by isolating backend systems and disabling internal internet access to prevent escalation. (Source)

 

Key Lessons for UK Businesses

These attacks aren’t just a retail problem — they’re a warning for any business that handles customer data, works with third parties, or supports remote access.

1. Train Your People to Spot Threats

Regular, role-specific cybersecurity awareness training helps staff recognise phishing, impersonation, and social engineering.

2. Build Resilience into Your Processes
  • Implement strict procedures to verify internal requests

  • Avoid sole reliance on verbal or email-based approvals

  • Use secure IT service channels for support interactions


3. Harden Authentication Systems
  • Enforce MFA everywhere — and use phishing-resistant methods like authenticator apps

  • Monitor for unusual login behaviours or repeated MFA attempts
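The two escalation techniques described earlier (credential stuffing and MFA fatigue) leave recognisable traces in sign-in logs, which is what the monitoring advice above is asking for. The following script is an added example and not code from the article or from any of the retailers involved; the one-line-per-event log format, the usernames and the IP addresses are all constructed for illustration, and the thresholds (four push prompts in ten minutes, five distinct accounts from one IP in five minutes) are assumed starting points to tune against your own identity provider's baseline.

```python
"""Detect MFA-fatigue bursts and credential-stuffing patterns in sign-in logs.

Added example: the log format is hypothetical (one event per line, key=value
fields); adapt parse_line() to your IdP's export. All sample data is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (RFC 5737 documentation addresses, fictional users).
SAMPLE_LOG = """\
2025-04-22T02:10:01Z user=alice event=password result=failed ip=203.0.113.9
2025-04-22T02:10:02Z user=bob event=password result=failed ip=203.0.113.9
2025-04-22T02:10:02Z user=carol event=password result=failed ip=203.0.113.9
2025-04-22T02:10:03Z user=dave event=password result=failed ip=203.0.113.9
2025-04-22T02:10:04Z user=erin event=password result=failed ip=203.0.113.9
2025-04-22T02:10:05Z user=frank event=password result=failed ip=203.0.113.9
2025-04-22T02:14:00Z user=helen event=mfa_prompt result=denied ip=198.51.100.7
2025-04-22T02:14:30Z user=helen event=mfa_prompt result=denied ip=198.51.100.7
2025-04-22T02:15:00Z user=helen event=mfa_prompt result=denied ip=198.51.100.7
2025-04-22T02:15:30Z user=helen event=mfa_prompt result=denied ip=198.51.100.7
2025-04-22T02:16:00Z user=helen event=mfa_prompt result=approved ip=198.51.100.7
2025-04-22T09:00:00Z user=grace event=mfa_prompt result=approved ip=192.0.2.44
"""


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a timezone-aware 'ts'."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def detect_mfa_fatigue(events, max_prompts=4, window=timedelta(minutes=10)):
    """Flag users who received >= max_prompts push prompts inside `window`.

    The finding reflects the latest state of the burst, so 'approved' tells the
    analyst whether the user eventually gave in (the case that needs a session
    revoke, not just a ticket).
    """
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_prompt":
            per_user[e["user"]].append(e)
    findings = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()   # sliding window of prompts for this user
        finding = None
        for e in evs:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if len(recent) >= max_prompts:
                finding = {"user": user, "prompts": len(recent),
                           "approved": e["result"] == "approved", "ip": e["ip"]}
        if finding:
            findings.append(finding)
    return findings


def detect_credential_stuffing(events, min_users=5, window=timedelta(minutes=5)):
    """Flag source IPs whose failed password attempts span >= min_users distinct
    accounts inside `window`. One IP against many accounts is the stuffing
    signature; many attempts against one account is ordinary brute force and
    is better caught by per-account lockout."""
    per_ip = defaultdict(list)
    for e in events:
        if e["event"] == "password" and e["result"] == "failed":
            per_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()
        worst = 0
        for e in evs:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            worst = max(worst, len({r["user"] for r in recent}))
        if worst >= min_users:
            findings.append({"ip": ip, "distinct_users": worst})
    return findings


def analyse(log_text):
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"mfa_fatigue": detect_mfa_fatigue(events),
            "credential_stuffing": detect_credential_stuffing(events)}


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_LOG).items():
        for f in items:
            print(kind, f)
```

Run against the constructed sample, the script reports one MFA-fatigue burst for `helen` (five prompts in two minutes, ending in an approval) and one stuffing source, `203.0.113.9`, hitting six distinct accounts in a few seconds. The "approved after several denials" pattern is the one worth paging on, since a user who declines three prompts and then accepts a fourth has almost certainly not initiated that sign-in themselves.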


4. Audit Third-Party Access
  • Maintain a clear inventory of vendors with access to your systems

  • Review and restrict permissions regularly

  • Ensure third-party vendors follow cybersecurity best practices
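The three audit points above become concrete once the vendor inventory is a record you can run rules over. The script below is an added example, not code from the article or from any of the companies named in it: the vendor names, service accounts, scopes and dates are constructed, and the rules (scopes beyond what the vendor is contracted for, accounts unused for more than 90 days, credentials with no expiry or past their expiry, MFA not enforced) are assumptions that a review would adapt to its own policy.

```python
"""Review a third-party access inventory against least-privilege rules.

Added example with constructed data. The inventory shape (vendor, account,
scopes, last_used, expires, mfa) is hypothetical; export the equivalent from
your IdP or cloud IAM and map it to these fields.
"""
from datetime import date, timedelta

# Hypothetical contract: the only scopes each approved vendor should hold.
ALLOWED_SCOPES = {
    "recruit-platform": {"hr.candidates.read", "hr.candidates.write"},
    "logistics-vendor": {"orders.read", "shipments.write"},
}

# Constructed inventory entries (fictional vendors and accounts).
VENDOR_ACCESS = [
    {"vendor": "recruit-platform", "account": "svc-recruit",
     "scopes": {"hr.candidates.read", "hr.candidates.write", "payments.admin"},
     "last_used": date(2025, 4, 20), "expires": date(2025, 12, 31), "mfa": True},
    {"vendor": "logistics-vendor", "account": "svc-logistics-old",
     "scopes": {"orders.read"},
     "last_used": date(2024, 11, 1), "expires": None, "mfa": False},
    {"vendor": "logistics-vendor", "account": "svc-logistics",
     "scopes": {"orders.read", "shipments.write"},
     "last_used": date(2025, 4, 28), "expires": date(2025, 6, 30), "mfa": True},
    {"vendor": "unknown-saas", "account": "svc-legacy",
     "scopes": {"orders.read"},
     "last_used": date(2025, 4, 1), "expires": date(2025, 3, 31), "mfa": True},
]


def audit(entries, today, stale_after=timedelta(days=90), allowed=ALLOWED_SCOPES):
    """Return [(account, [issue, ...])] for every entry that breaks a rule."""
    findings = []
    for e in entries:
        issues = []
        if e["vendor"] not in allowed:
            # An account whose vendor nobody owns is the classic orphan.
            issues.append("vendor not in approved inventory")
        else:
            extra = e["scopes"] - allowed[e["vendor"]]
            if extra:
                issues.append("over-privileged: " + ", ".join(sorted(extra)))
        unused_for = today - e["last_used"]
        if unused_for > stale_after:
            issues.append("stale: unused for %d days" % unused_for.days)
        if e["expires"] is None:
            issues.append("no expiry")
        elif e["expires"] < today:
            issues.append("expired but still enabled")
        if not e["mfa"]:
            issues.append("MFA not enforced")
        if issues:
            findings.append((e["account"], issues))
    return findings


if __name__ == "__main__":
    for account, issues in audit(VENDOR_ACCESS, today=date(2025, 5, 1)):
        print(account)
        for issue in issues:
            print("  -", issue)
```

With the review date set to 1 May 2025, three of the four constructed accounts are flagged: the recruitment integration holds a `payments.admin` scope it was never contracted for (the shape of over-reach the article describes for the M&S integration), a dormant logistics account has no expiry and no MFA, and a legacy account belongs to a vendor nobody has approved and has already passed its expiry date. Only `svc-logistics` passes. Running this on every review cycle turns "review and restrict permissions regularly" into a diffable report rather than a judgement call.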


5. Prepare for the Inevitable
  • Keep offline, encrypted backups of critical data

  • Have a fully documented and regularly tested incident response plan

 


🔐 Don’t Wait Until You’re the Headline

Cyberattacks like the one that hit M&S don’t just happen to big brands — they happen to businesses of all sizes, every day. The tactics used in this breach are becoming more common, more targeted, and more effective.

✅ Not sure if your team could spot a social engineering attack?
✅ Unclear which third parties have access to your systems?
✅ No incident response plan in place?

We can help.

📞 Book a free cybersecurity assessment with our experts today and find out how vulnerable your business really is — before someone else does.

👉 Get started now →