Incident Response Spotlight: Marks & Spencer Ransomware Crisis

Incident Overview
In April 2025, Marks & Spencer (M&S), one of the UK's largest retailers, was hit by a ransomware attack attributed to the Scattered Spider group. The intrusion began through a third-party service provider rather than M&S's own systems, underscoring the danger of supply-chain compromise.
The attackers gained a foothold through phishing and social engineering of helpdesk staff, used employee credentials to escalate privileges and move laterally, and ultimately deployed DragonForce ransomware. The incident caused extensive disruption across stores, online ordering, and logistics, with M&S estimating a hit of around £300M to operating profit and a drop of roughly £750M in market value.
Incident Response Timeline
| Phase | Key Action |
|---|---|
| Detection | The attack surfaced over the Easter weekend (April 2025): anomalies in vendor account activity were flagged, and M&S systems began experiencing outages. |
| Containment | Teams took affected systems offline, isolated impacted services, and cut off third-party access paths; "3 a.m. emergency meetings" were convened to drive response strategy. |
| Communication | M&S alerted law enforcement, engaged external cybersecurity firms and Microsoft, and issued internal instructions to staff. |
| Recovery | Network segmentation, employee access audits, and system restores began, with payment systems, order processing, and inventory portals prioritized. |
Root Cause & Key Learnings
- Vendor Risk Exposure: The breach stemmed from a trusted vendor's compromised access, not a hole in M&S's own perimeter. Vendor accounts and connections are part of your attack surface whether or not you administer them.
- Social Engineering Tactics: Scattered Spider used phishing and helpdesk manipulation (persuading support staff to reset credentials or MFA) to get around MFA, showing that a strong second factor is only as strong as the process that resets it.
- Credential Weakness: Reused or weak employee passwords, combined with OSINT-driven reconnaissance on staff, made lateral movement and access to privileged accounts far easier.
ThreatGrid Incident Response Recommendations
- Vet Third-Party Vendors: Regularly audit vendor accounts and access paths (what they can reach, whether MFA is enrolled, whether the account is still in use), enforce MFA, and require contractual cyber-insurance and incident-response obligations.
- Strengthen Supply Chain Visibility: Monitor external services and vendor connections as closely as internal ones, and enforce zero-trust access policies so that a compromised vendor identity cannot roam the network.
- Enforce MFA and Harden the Helpdesk: Require robust identity verification before any password or MFA reset, and train staff to challenge unusual authentication requests, especially those purporting to come from IT support.
- Conduct Tabletop Drills: Simulate supply-chain attack scenarios to test incident readiness before a real one arrives.
- Maintain and Activate a Formal IR Plan: The plan should define roles, escalation paths, forensic actions, communication protocols, and compliance-reporting workflows, and it should be invoked as soon as an incident is suspected.
- Post-Incident Review: Analyze root causes, implement corrective actions, and update policies and training curricula.
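Two of the recommendations above, auditing vendor access and hardening the helpdesk, can be turned into concrete checks. The following Python is an added example, not code from the original article or from ThreatGrid: it runs over a constructed set of identity-audit events and account records (the field names, account names, IP addresses, and sample data are all assumptions made for this example, not M&S telemetry). The first check flags the pattern seen in helpdesk-driven MFA bypass: an MFA reset performed by a helpdesk agent, followed within a short window by a successful sign-in from an IP the account has never used, escalated to critical if a privileged group change follows. The second check audits third-party accounts for missing MFA, staleness, and privileged membership.

```python
"""Constructed example: helpdesk-reset detection and vendor-account audit.
Event and account shapes are assumptions for this example, not a real
SIEM or directory schema."""
from datetime import datetime, timedelta, timezone

# Groups whose membership change after a reset should escalate severity (assumed list)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Global Administrator"}


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp like 2025-04-18T02:10:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_reset_then_new_location(events, baseline, window=timedelta(hours=6)):
    """Return one alert per helpdesk MFA reset that is followed, within `window`,
    by a successful sign-in from an IP not in that user's baseline.
    Severity is 'critical' if a privileged group change also occurs in the window."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO-8601 Z timestamps sort as strings
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "mfa_reset":
            continue
        t0, user = parse_ts(ev["ts"]), ev["user"]
        known_ips = baseline.get(user, set())
        new_login = priv_change = None
        for later in events[i + 1:]:
            if parse_ts(later["ts"]) - t0 > window:
                break  # events are sorted, so nothing further is in the window
            if later["user"] != user:
                continue
            if (later["type"] == "signin" and later.get("result") == "success"
                    and later["src_ip"] not in known_ips and new_login is None):
                new_login = later
            if later["type"] == "group_add" and later["group"] in PRIVILEGED_GROUPS:
                priv_change = later
        if new_login:
            alerts.append({
                "user": user,
                "reset_by": ev["actor"],
                "reset_at": ev["ts"],
                "signin_at": new_login["ts"],
                "src_ip": new_login["src_ip"],
                "severity": "critical" if priv_change else "high",
            })
    return alerts


def audit_vendor_accounts(accounts, now, max_idle_days=90):
    """Flag third-party accounts with no MFA, no sign-in for `max_idle_days`,
    or privileged group membership. Returns {account_name: [findings]}."""
    findings = {}
    for acct in accounts:
        if not acct["vendor"]:
            continue
        issues = []
        if not acct["mfa_enrolled"]:
            issues.append("no_mfa")
        if now - parse_ts(acct["last_signin"]) > timedelta(days=max_idle_days):
            issues.append("stale")
        if PRIVILEGED_GROUPS & set(acct["groups"]):
            issues.append("privileged")
        if issues:
            findings[acct["name"]] = issues
    return findings


# Constructed sample data (not real telemetry). Documentation IP ranges are used.
EVENTS = [
    {"ts": "2025-04-18T02:10:00Z", "type": "mfa_reset", "user": "vendor-ops-01", "actor": "helpdesk-agent-7"},
    {"ts": "2025-04-18T02:41:00Z", "type": "signin", "user": "vendor-ops-01", "src_ip": "203.0.113.45", "result": "success"},
    {"ts": "2025-04-18T03:05:00Z", "type": "group_add", "user": "vendor-ops-01", "group": "Domain Admins"},
    {"ts": "2025-04-18T09:00:00Z", "type": "mfa_reset", "user": "jsmith", "actor": "helpdesk-agent-2"},
    {"ts": "2025-04-18T09:12:00Z", "type": "signin", "user": "jsmith", "src_ip": "10.0.7.31", "result": "success"},
    {"ts": "2025-04-19T01:00:00Z", "type": "signin", "user": "jsmith", "src_ip": "198.51.100.9", "result": "success"},
]
BASELINE = {"vendor-ops-01": {"198.51.100.10"}, "jsmith": {"10.0.7.31"}}  # known-good IPs per user
ACCOUNTS = [
    {"name": "vendor-ops-01", "vendor": True, "mfa_enrolled": False, "last_signin": "2025-04-18T02:41:00Z", "groups": ["Domain Admins"]},
    {"name": "vendor-legacy-07", "vendor": True, "mfa_enrolled": True, "last_signin": "2024-11-02T10:00:00Z", "groups": []},
    {"name": "jsmith", "vendor": False, "mfa_enrolled": True, "last_signin": "2025-04-18T09:12:00Z", "groups": []},
]

if __name__ == "__main__":
    for alert in detect_reset_then_new_location(EVENTS, BASELINE):
        print("ALERT", alert)
    print("AUDIT", audit_vendor_accounts(ACCOUNTS, parse_ts("2025-04-20T00:00:00Z")))
```

In the sample data only `vendor-ops-01` trips the first check: the reset is followed 31 minutes later by a sign-in from an unseen IP and then by a Domain Admins addition, so the alert is critical. `jsmith`'s reset is benign because the next sign-in comes from a baselined IP, and the later sign-in from a new IP falls outside the six-hour window. The audit flags `vendor-ops-01` for missing MFA and privileged membership and `vendor-legacy-07` as stale. Tune the window and idle threshold to your own helpdesk workflow; the point is that a reset followed by a never-before-seen location is worth a human look.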
Under regimes such as GDPR (and UK GDPR), CIRCIA, and HIPAA, breach-notification windows are tight: 72 hours to the regulator under GDPR, 72 hours for covered incidents (and 24 hours for ransom payments) under CIRCIA, and no later than 60 days under HIPAA. A well-rehearsed IR plan is therefore a legal as well as a technical imperative.
Final Thought
The M&S case is a textbook example of how attackers can subvert trusted networks through vendor relationships, producing cascading impact across an entire business. Automated defenses matter, but organizational resilience depends equally on a threat-aware culture, sound vendor governance, and an up-to-date, regularly practiced incident-response strategy.
🛡️ Want to run an external audit on your vendor IR protocols or schedule your first tabletop simulation? ThreatGrid can help you design it.