Marks & Spencer Confirms Customer Data Stolen in Easter Ransomware Attack
British retail giant Marks & Spencer (M&S) has officially confirmed that personal customer information was exfiltrated during a sophisticated ransomware attack that struck over the Easter holiday period. The incident, claimed by the DragonForce ransomware group, has forced the retailer to suspend online purchases — a disruption that remains in effect as recovery efforts continue. The breach represents one of the most significant cyberattacks targeting a major UK retailer in recent years.
What Data Was Compromised?
In a filing submitted to the London Stock Exchange and a concurrent notice published on its website, M&S disclosed the categories of personal information that were taken. The scope of the stolen data is broad and affects a large portion of the retailer's customer base.
- Full names and home addresses
- Email addresses and phone numbers
- Dates of birth
- Online order history
- Household information
- Masked payment card details used for online purchases
- Customer reference numbers (for M&S credit card and Sparks Pay holders)
M&S was careful to clarify that no usable payment card data or account passwords were included in the breach. The retailer does not store full payment card numbers, which limits the immediate risk of card fraud. However, the volume and sensitivity of the remaining personal data create significant downstream risks for affected customers, above all targeted phishing.
DragonForce: The Group Behind the Attack
The DragonForce ransomware group has claimed responsibility for the M&S breach, and the group's activity does not end there. The same threat actor also claimed attacks against fellow UK retailers Co-op and Harrods in what appears to be a coordinated campaign targeting high-profile British brands. DragonForce operates as a ransomware-as-a-service (RaaS) group, providing attack infrastructure and malware to affiliated threat actors in exchange for a share of ransom proceeds.
The targeting of multiple major retailers in quick succession suggests a deliberate focus on the UK retail sector, possibly leveraging shared suppliers, similar IT estates, or familiarity with the sector's attack surface. Note that these are inferences from the pattern of claims; the initial access route has not been disclosed.
M&S Response: Password Resets and Customer Warnings
Following discovery of the breach, M&S took immediate steps to contain the incident. The company proactively reset passwords for all customer accounts, meaning users will be prompted to create a new password upon their next login to M&S.com. The retailer has also begun directly notifying affected customers via written communication.
Although M&S stated that customers need take no immediate action beyond the forced password reset, since passwords and usable payment details were not stolen, it issued a pointed warning about secondary threats:
"Customers may receive fraudulent emails, calls, or text messages impersonating M&S. Treat such communication with caution and never share your personal account information or passwords."
This advisory reflects an understanding that the real danger from this type of breach often materialises weeks or months later, in the form of targeted phishing and social engineering campaigns.
The Phishing Risk: Why Stolen Personal Data Is So Dangerous
While the absence of payment credentials is reassuring, security experts warn that the stolen dataset is precisely the kind of information cybercriminals use to craft convincing, personalized attacks. Joe Jones, CEO and founder of Pistachio, explained the threat landscape clearly:
"The exposed personal details will likely be used or sold on the dark web to aid social engineering attacks. With this kind of context, attackers can craft convincing, tailored scams that appear legitimate — from fake delivery updates to bogus account notifications. We often see this kind of breach followed by a wave of personalized phishing attempts."
Armed with a victim's name, address, order history, and email address, a threat actor can construct highly believable impersonation emails that reference specific recent orders or delivery events. This dramatically increases the likelihood that a target will click a malicious link or surrender additional credentials. Customers with M&S accounts should remain vigilant for:
- Emails claiming to be from M&S requesting password resets or account verification
- SMS messages about parcel deliveries referencing real order details
- Phone calls from individuals claiming to be M&S customer service representatives
- Any communication that creates urgency around account security or payments
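The indicators in the list above can be turned into simple triage logic. The following is an added example, not code from M&S or from the original article: a heuristic scorer that checks a message for a lookalike sender domain, links pointing outside an assumed allowlist of legitimate retailer domains, urgency language, and an order reference that lends the message credibility. The allowlist (`marksandspencer.com`), the brand tokens, the urgency phrases and the three sample messages are all constructed for illustration; the registrable-domain logic is deliberately crude and a real deployment would use a public suffix list.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed allowlist of the retailer's legitimate sending/link domains (illustrative only).
LEGIT_DOMAINS = {"marksandspencer.com"}
# Brand fragments that, in a non-allowlisted domain, suggest a lookalike (assumption).
BRAND_TOKENS = ("marks", "spencer", "sparks", "mands")
# Phrases typical of pressure tactics in impersonation messages (constructed list).
URGENCY_PHRASES = (
    "within 24 hours", "immediately", "suspended", "verify your account",
    "confirm your password", "update your payment", "final notice",
)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
ORDER_REF_RE = re.compile(r"\border\s*(?:no\.?|number|#)?\s*[:#]?\s*([0-9]{6,})", re.IGNORECASE)
# Crude handling of second-level registries such as co.uk; a public suffix list is the real fix.
SECOND_LEVEL = {"co", "org", "ac", "gov", "net"}


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1: last two labels, or three when the second-level label is a registry."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(addr: str) -> str:
    """Domain part of an e-mail address; phone-number senders come back unchanged."""
    return addr.rsplit("@", 1)[-1].strip("> ").lower()


def is_lookalike(domain: str) -> bool:
    """A domain that carries a brand token but is not on the allowlist is treated as a lookalike."""
    rd = registrable_domain(domain)
    if rd in LEGIT_DOMAINS:
        return False
    return any(tok in rd.replace("-", "") for tok in BRAND_TOKENS)


@dataclass
class Message:
    sender: str
    body: str


def triage(msg: Message) -> Dict[str, object]:
    """Return the phishing indicators found in one message plus a coarse verdict."""
    flags: List[str] = []
    sdom = sender_domain(msg.sender)
    if is_lookalike(sdom):
        flags.append("lookalike_sender_domain")
    for host in URL_RE.findall(msg.body):
        rd = registrable_domain(host)
        if rd not in LEGIT_DOMAINS:
            flags.append(f"link_to_untrusted_domain:{rd}")
            break
    lowered = msg.body.lower()
    if any(p in lowered for p in URGENCY_PHRASES):
        flags.append("urgency_language")
    # A real-looking order reference on an otherwise suspicious message is the hallmark of
    # phishing built from breached order history: it is only flagged alongside other indicators.
    if flags and ORDER_REF_RE.search(msg.body):
        flags.append("real_looking_order_reference")
    return {"sender_domain": sdom, "flags": flags, "verdict": "suspicious" if flags else "no indicators"}


# Constructed sample messages (not real M&S communications).
SAMPLES = {
    "legit_dispatch": Message(
        "orders@marksandspencer.com",
        "Your order 123456789 has been dispatched. Track it at https://www.marksandspencer.com/track",
    ),
    "phish_redelivery": Message(
        "delivery@marks-spencer-parcels.com",
        "Your M&S order 123456789 could not be delivered. Confirm your address within 24 hours "
        "at https://marks-spencer-parcels.com/redeliver or the order will be cancelled.",
    ),
    "smish_fee": Message(
        "+447700900123",
        "M&S: a parcel is waiting. Pay the 1.99 redelivery fee: https://mands-redelivery.co.uk/pay",
    ),
}


def triage_all() -> Dict[str, Dict[str, object]]:
    return {name: triage(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{name:18} {result['verdict']:13} {result['flags']}")
```

The order-reference check is deliberately conditional: a genuine dispatch notice also cites an order number, so on its own that is not evidence of anything. It becomes meaningful only when it accompanies a lookalike domain or an untrusted link, which is exactly the combination that leaked order history makes possible.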
Operational Impact: Online Sales Still Down
Beyond the data breach itself, the operational fallout from the ransomware attack has been severe. M&S was forced to suspend online purchases following the incident, and this capability remained unavailable at the time of the company's official disclosure. For a retailer of M&S's scale, prolonged e-commerce downtime represents substantial revenue loss and reputational damage — a calculated pressure point that ransomware operators routinely exploit to accelerate ransom negotiations.
The attack's timing over the Easter holiday period, a peak shopping window for UK retailers, maximised the commercial impact and fell at a time when incident response resources are often stretched thin; whether that timing was deliberate has not been confirmed, but it is consistent with how ransomware operators typically schedule deployment.
Lessons for Retailers and Security Teams
The M&S breach underscores several persistent vulnerabilities that affect the retail sector broadly. Large retailers aggregate enormous volumes of customer personal data, making them high-value targets. Key takeaways for security professionals include:
- Data minimization matters: M&S's decision not to store full payment card numbers limited the breach's financial impact. Organizations should regularly audit what sensitive data they retain and purge what is not operationally necessary.
- Ransomware preparedness must include business continuity: The suspension of online sales highlights the need for resilient backup systems and tested recovery procedures that can maintain critical revenue channels during an incident.
- Customer communication is a security function: Proactive, transparent disclosure combined with clear guidance reduces the window in which attackers can exploit confusion among victims.
- The same threat actor can hit an entire sector: The co-targeting of M&S, Co-op, and Harrods by one group means that indicators and tradecraft observed at one retailer are directly relevant to its peers, so sector-wide threat intelligence sharing could provide earlier warning signals.
Conclusion
The Marks & Spencer ransomware attack is a stark reminder that even well-resourced, security-conscious enterprises remain vulnerable to sophisticated threat actors. While M&S moved quickly to reset credentials and notify customers, the stolen data — names, contact details, order histories — will persist as a tool for fraud and phishing campaigns long after the immediate incident is resolved. Customers should treat any unsolicited M&S communication with skepticism, and security teams across the retail sector should treat this incident as a prompt to stress-test their own ransomware defences and data retention practices.