Hackers went undetected in Marks and Spencer‘s systems for up to 52 hours before the alarm was raised in what insiders are describing as a ‘colossal mistake’.
Believed to have been from the Scattered Spider group, the attackers got into the retailer’s IT systems via a contractor.
The hackers were then able to work undetected in the systems for just over two days before finally being uncovered, a source said.
Once discovered, emergency response teams battled tirelessly to protect the beloved British store, frequented by up to 9.4million active customers, throughout a five-day ‘attack phase’.
‘What went wrong was human error. Human error is a polite word for somebody making a colossal mistake,’ a source told The Times.
In a statement to MailOnline, a spokesperson for M&S said: ‘We are working closely with government and law enforcement agencies and as you would expect we cannot share any detail or comment on speculation around the incident itself, since we first reported it, and we have been advised not to.
‘Our stores have remained open and availability is now in a much more normal place with stores well stocked this weekend.’
Three weeks on and teams are still working around the clock to get the online shop back up and running.
Hackers went undetected in Marks and Spencer’s systems for up to 52 hours before the cyber attack was finally exposed in what insiders have described as a ‘colossal mistake’
Empty shelves inside an Marks & Spencer store in Paddington, London, on April 29
Stock availability across stores is expected to return to normal next week
‘There’s people who haven’t slept for three nights,’ an insider said. ‘Getting back to where we really want to be is going to be weeks, not days, but we’ll have an online presence quite soon.’
It is understood that the M&S website could take weeks to go back online while stock availability across stores is expected to return to normal this weekend.
Since the attack, the British high street retailer is understood to have hemorrhaged £1billion of value on the stock exchange.
The retailer also admitted criminals have taken information including ‘masked’ payment card details used for online purchases – typically the last four digits of a card.
But M&S chief executive Stuart Machin clarified that although the hackers had taken personal data, this ‘does not include useable card of payment details’.
While it is unknown how many shoppers have been affected by the attack, several customers have reported an ‘exponential’ increase in the number of scam messages and emails received, pretending to be M&S.
In a letter to customers, M&S operations director Jayne Wall urged people to be cautious and avoid giving out any personal details to unknown callers.
She wrote: ‘Unfortunately, the nature of the incident means that some personal customer data has been taken, but there is no evidence that it has been shared.
‘The personal data could include contact details, date of birth and online order history. However, importantly, the data does not include useable card or payment details, and it also does not include any account passwords.’
M&S chief executive Stuart Machin (pictured) clarified that although the hackers had taken personal data, this ‘does not include useable card of payment details’
The devastating attack comes as M&S await their annual results announcement on May 21. Pictured: empty food shelves in the attack’s aftermath
Customer data has not yet appeared on leak sites, but experts have not ruled out that it could be a possibility
Ms Wall added: ‘You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious.
‘Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.’
While customer data has not yet appeared on leak sites, experts have not ruled out that it could be a possibility, with Rafe Pilling, director of intelligence at Sophos, an IT security company stressing that hackers could be ‘leveraging data’ from the breach.
Comprising of predominantly British and American online hackers, the Scattered Spider group are believed to have been responsible due to the attack’s pattern, alongside their use of DragonForce software to help the hackers break into the shop’s system.
The devastating attack comes as M&S await their annual financial results announcement on May 21.
A world away from the overwhelming success of their previous financial year, where they made a profit of £840million, M&S chief executive Stuart Machin, alongside chairman Archie Norman, are both set to face an abundance of questions about the company’s preparation for the attack.
Indeed, Dan Coatsworth, investment analyst at AJ Bell, warned that 2025 ‘is going down in history as one of the retailer’s worst ever years’.
Speaking to MailOnline, he added: ‘M&S has a duty to inform customers as soon as possible if their personal information has been illegally accessed, so it’s worrying that the retailer took so long to go public.’
On May 2, the Information Commissioner’s Office said it was also looking into the attack, as well as a similar major incident involving M&S’ competitor, the Co-op
While stock is expected to return to Co-op stores this weekend, it is understood that it quickly pulled the plug on its computer system not long after receiving advice from M&S
While M&S shareholder Danny Wallace told The Times he felt ‘disappointed’ for the two businessmen, he accepted that ‘somebody has to have the blame’.
Meanwhile, Alan Woodward, University of Surrey cyber security professor, said that he believed the fact the store has still failed to reinstate their online sales, with customers having been unable to take any orders through the website or app since April 25, ‘suggests they were a little less prepared than maybe they should have been’.
Describing the attack as ’embarrassing, retail expert Richard Hyman believed that the retailer, which first opened for business in 1884, would no doubt ‘survive’ the financial implications of the attack, alongside any damage caused to its reputation.
On May 2, the Information Commissioner’s Office said it was also looking into the attack, as well as a similar major incident involving M&S’ competitor, the Co-op.
The business was forced to issue an apology to customers after hackers accessed and extracted members’ personal data, such as names and contact details, with it continuing to suffer availability problems as a result of the attack.
While stock is expected to return to Co-op stores this weekend, it is understood that it quickly pulled the plug on its computer system not long after receiving advice from M&S.
The National Crime Agency said: ‘We are working closely with our law enforcement partners to investigate. We are considering the incidents individually. However, we are mindful they may be linked and therefore this will remain under review.’
