‘M&S are totally f-----.' How hackers wreaked havoc on the high street

Yahoo

03-05-2025

'It has messed our big day up and is causing stress,' said Carly Jane. 'It is a cake I have always loved.' The 35-year-old bride-to-be from Kent was lamenting an unfortunate situation days before her wedding. She and her future husband, Edward Church, had ordered two personalised giant caterpillar cakes from Marks & Spencer: a Colin and a Connie, to serve as their wedding cakes.
Colin, an eternally larval chocolate log, is perhaps the most famous branded cake in the UK, beloved of young, old and birthday-celebrating colleagues alike. While regular and bite-size versions are available in-store, M&S also offers large versions through their website.
But thanks to the crippling cyber-attack which has left the M&S website down for more than a week, leaving the retailer unable to fulfil its orders, Carly and Edward are heading towards marital life without a Colin or Connie to see them off.
'I cannot understand why they cannot get us one,' Carly told The Sun. 'Their bakers are there. The ovens haven't stopped.'
The attack on M&S, which was first reported on Easter Monday, was followed by similar attacks on the Co-op on April 29 and Harrods on April 30. These are only the ones we know about; the vast majority of such incidents never make it to the papers.
'The number of cyber attacks is going up inexorably,' says Professor Alan Woodward, a professor of cyber crime at the University of Surrey. 'There must be hundreds a day on organisations like M&S. Most will bounce off, but you only need one to get through. That's what we're seeing with Co-op and Harrods too.'
While even a giant, personalised Colin will only set you back £50, the combined cost to British business of the attacks is stretching towards a billion pounds when taking in the nosedive in M&S's share price, the fall in its profits and the impact on the Co-op and Harrods. The knock-on effects may be greater still, as other retailers take measures to protect themselves from the carnage that has engulfed their competitors.
The usual view of this kind of cyber crime is that it is something that happens to other people. The Hollywood-endorsed stereotype is that hackers are angry lone-wolf young men in basements who target faceless government agencies or financial institutions: a menace, certainly, but not something that affects ordinary people week to week.
The reality is that cyber attacks today are sophisticated operations run by groups of well-organised criminals, who can target large but vulnerable institutions in the hope of extracting huge ransoms. The National Cyber Security Centre's website states that 76 per cent of large organisations have had some kind of cyberattack in the past year. Cybercrime is thought to cost the UK more than £27 billion per year.
While it can be hard for customers to sympathise with attacks on large corporations, when it affects high-street retailers they feel the effects at once. Carly and Edward are among thousands of shoppers who have been affected by the M&S outage. The website processes nearly £4 million worth of business per day, but the crisis has affected in-store business, too. Shelves have been left empty and contactless payments systems have been down, while some of M&S's 65,000-strong workforce have been unable to use certain IT systems from home. The share price has fallen almost nine per cent, with the company losing more than £700 million in value since the attack.
Data from Similarweb, a digital market intelligence company, showed visitor numbers to M&S's website had fallen by 18 per cent in the week to April 28 versus the seven days prior to roughly 715,000 per day. Most customers have been unable to check out or complete their orders.
At the retailer's branch in Chelsea on Friday, one shopper, Lucinda Glassey, 55, said that she had been unable to pick up her son's school uniform on Easter Monday.
'I had to leave the store without buying anything and come back the next day,' she told The Telegraph. 'It was quite annoying. I also had a click and collect for my son's school uniform which got cancelled. That was stressful because I needed it there and then. I really feel for M&S because I am quite loyal to them but many other customers will leave.'
Meanwhile users on X posted pictures of empty shelves in some M&S branches but curiously overstocked ones in others, the result of operations having seemingly gone haywire.
M&S was the first of three high-profile British retailers attacked in under a fortnight. On Wednesday, the Co-op said it had shut down parts of its IT systems after hackers tried to gain access. Social media users reported that the Co-op app was not working; the retailer replied to say they were working on fixing it.
Harrods, meanwhile, said that it had restricted internet access at the company's sites after attacks, although its online and physical shops were working as normal.
In a statement issued on its website, the marquee brand said it had 'experienced attempts to gain unauthorised access' to some of its systems, adding that its 'seasoned IT security team' immediately took steps to keep the firm safe and its flagship store and other outlets open to customers.
If a cyber attack is tedious for customers, that is nothing next to the flat-out panic it can induce in businesses. Initially, M&S sought to put a brave face on the incident, even as IT teams scrambled in the background to work out which systems had been compromised.
After contactless systems went down over the Easter weekend, Stuart Machin, the M&S chief executive, said it had been necessary 'temporarily [to] make some small changes' to protect shoppers. On the front line, workers were struggling to get systems running. 'Bloody nightmare,' wrote one worker on a Reddit thread dedicated to the crisis. 'We weren't able to put any new things out [on the shelves] because we couldn't get any labels to print.' At head office, though, its technology team was facing a bigger problem. IT experts were racing to understand the extent of the ransomware attack. Systems were initially taken down so tech teams could focus solely on stopping the assault.
Bosses now believe they are through the first wave. The focus has turned to repairing and recovering IT systems, as experts assess the scale of the damage. In some cases, insiders say the retailer will be forced to simply replace computer systems. Last week, new 'workaround' systems were being rapidly rolled out that would allow M&S to start to get food supplies back up again. But the clear-up will take some time. The retailer is believed to be bracing for weeks of ongoing disruption. Online ordering systems – both those used by customers and businesses themselves – are particularly challenging to get back online because they rely so heavily on automation.
Machin said his team were working 'day and night' to resolve the problem and was 'really sorry' for the disruption, but he could not guarantee when online shopping would be up and running again.
Although the firm has kept its cards close to its chest, M&S employees have been posting on social media about the scale of the fallout. One said systems had been 'working in slow motion', while another said it was 'easier to list the things that work than the things that don't'.
'Technology is great when it works,' wrote one employee in West Bromwich. 'But when it doesn't, the whole world has a meltdown!'
The M&S attackers are reported to be a disparate group of teenage hackers called Scattered Spider. Unusually, they are a native English group, rather than from the former Soviet Union or North Korea, as is more often the case. Some experts believe this may have helped them gain access to the M&S system – via a phishing text or email – that let them take control.
'Native English authenticity can sometimes lead to an automatic sense of trust,' Nathaniel Jones, the vice-president of threat research at the cybersecurity firm Darktrace, told The Guardian. 'There is a level of perceived familiarity that might cause personnel or even IT teams to lower their guard slightly.'
Cyber crime of this kind is asymmetrical; all it takes is a single crafty teenager – and someone with a motive – to bring a FTSE-100 company to its knees. A cottage industry has arisen of coders who develop malicious software and sell it on to organised criminals, who can then use programmes to target whoever they please. As the ransomware is constantly evolving, the defences need to as well.
'You've got some very clever people creating the actual malicious software, probably only a few hundred who can do that, and then crime gangs will come along and hire it out as a service,' says Alan Woodward. 'You can buy toolkits on the dark web [a harder to trace version of the internet favoured by criminals]. The level of technical understanding you really need to use it is very limited. That's the reason these attacks are increasing. Why take the risk walking into a bank with a sawn-off shotgun when you can do this?'
AI expert Durgan Cooper, chairman of tech solutions provider CETSAT, who has advised the House of Lords on cybersecurity, says AI is making attacks even easier. 'AI is lowering the barrier to entry for more complex attacks,' he says, adding that AI is shortening the time needed for hackers to work out a system's vulnerabilities, after they have gained initial access. At present there is an average of 180 days between access and attack.
The assault on M&S follows the increasingly typical pattern of ransom attacks. A hacking group will use malicious software to seize control of a company's computer systems, scrambling data and in effect 'locking' the system until a ransom is paid, usually in the form of Bitcoin or other cryptocurrency which cannot be traced.
At the simplest level this can be a hacker taking hold of a small business or even an individual's social media account and demanding money to return it. Small business owners, for whom social media can be a vital source of customers, are frightened into paying the cost.
'You feel total total panic,' says Tobias Vernon, of the moment hackers seized the Instagram account of his interiors boutique and gallery, 8 Holland Street, 18 months ago. 'Our Instagram account and a few pieces of press coverage are basically our whole reputation. A few hundred thousand pounds a year of sales are from Instagram. The direct loss would have been massive.'
After agonising over what to do, he transferred $2,000 in Bitcoin to an unknown account and eventually had the site returned to him. A few months later he was contacted by the owner of a cafe in Sydney which had been targeted by the same criminals, asking – perversely – for him to assure her that her account would be returned if she paid, like a kind of criminal TripAdvisor review. 'I said 'I hate to say this, but personally, we did get our account back',' Vernon recalls. ''So if it's valuable to you, I recommend paying'.'
The principle scales up. Businesses of all sizes are faced with a choice. They can pay up, write off the cost and hope the criminals stick to their word. Authorities advise companies not to do so, and the number shelling out has fallen, with many preferring to delay instead. In 2019, between 70 and 80 per cent of companies paid out during ransomware attacks, according to cyber insurance provider Resilience. Last year, it was just 30 per cent.
Still, many have paid. The IT company Capita estimates that its response to a ransomware breach in 2023 cost it between £20-25 million. That does not appear to have involved paying a ransom.
In May 2021, it was reported that the American insurance giant CNA had paid more than $40 million in ransom after attackers stole information and encrypted its network. In June of that year, the meat-packing company JBS said it paid the equivalent of $11 million to hackers REvil, a Russian group, after a cyber attack temporarily halted all its cattle-slaughtering operations in the US.
'This was a very difficult decision to make for our company and for me personally,' said Andre Nogueira, then CEO of JBS USA, about the payment. 'However, we felt this decision had to be made to prevent any potential risk for our customers.'
Alternatively, firms can battle on, accepting the risk that the hackers will call their bluff and release damaging information. In 2021 REvil targeted the Harris Federation, a group which runs 55 schools in London and the south-east.
'It was an absolute nightmare,' Sir Dan Moynihan, who runs the Federation, told the BBC. 'Their purpose was to blackmail us into paying $4 million (£3 million) in cryptocurrency within 10 days. If we didn't pay in 10 days, they wanted $8 million.'
Rather than pay up, Moynihan employed a group of cyber-crime specialists including a hostage negotiator. It took three months, and a cost of £750,000 to get his systems working again. But he said there was no question of handing over money intended for disadvantaged young people, and besides if they had paid they would have opened the door for other school groups to be attacked.
Whichever route you take, there is then the matter of rebuilding your systems and safeguarding them against future attack. At least one major supermarket is understood to use 'penetration testers' or 'ethical hackers', who will regularly try to hack their systems to identify where potential gaps are. Asda last week told staff they were pushing through a forced update of IT systems to make sure all laptops were running the latest software. In a memo to staff who work from home, seen by The Telegraph, it said it was taking the step 'in light of recent security threats in the retail sector'.
Senior executives at M&S are understood to have been concerned over a lack of spending on IT and cybersecurity for some time. At an investor conference last November, Rachel Higham, M&S chief digital and technology officer, said there had been a 'decade of underinvestment' in IT. She said the company did not have enough in-house experts, with a 'critical internal knowledge gap'.
John Allan, the former chairman of Tesco, says cyber threats are a constant worry in boardrooms. While he was at the supermarket, in 2021, it took its website and app down in response to an attempted hack.
'You hope that people will realise there's a problem and if they can't solve it, they'll bring in help,' he says. It should be all hands to the pump. But, 'it's difficult because, of course, most hands haven't got a clue what to do'.
'I don't think any company on earth can make itself 100 per cent cybersecurity proof but you can take action to make it much more difficult for people to get in,' he adds. 'You hope you have the most difficult system to break into because the criminals tend to go for the softer option.'
This week, rival retailers were scrambling to understand what had happened at M&S – and how they could avoid a similar fate. 'The genuine assessment we're hearing is that they are totally f----ed,' one insider told The Telegraph. 'It's very much 'there but for the grace of god' for any of us.'
The rising costs of combatting cyber crime can have a dampening effect on overall business. Analysts at Deutsche Bank estimate M&S's profits will have taken a £30 million blow from the ongoing turmoil. The retailer insists that it has appropriate and comprehensive insurance in place.
The Deutsche Bank analysts say they expect such protection will cover the majority of the losses, but warn that policies are 'generally time limited so further costs will likely be incurred by M&S'.
There is a human cost to these attacks too, says Professor Danny Dresner, a cybersecurity expert at the University of Manchester.
'The M&S attacks will be traumatic for staff,' he adds. 'There will be the technical staff who have to work all hours … and the ones who will worry that it was them who clicked on something that took the company down.'
The practical solution, Dresner says, is greater vigilance and preparation. 'There are no silver bullets,' he cautions. 'But a combination of factors can help, all the way through to being able to cope when something bad happens.'
He emphasises the need for segmentation of systems, so that an attack on one part of the company does not bring down the whole thing. 'You've got to put in whatever protective measures you can.'
Running a company in 2025 is already a gauntlet of rising costs, staff shortages, tax increases and Donald Trump-induced uncertainty. Just as anyone shipping goods around the Horn of Africa must build the threat of pirate attack into their costs and insurance planning, large organisations must prepare for the risk of cyber attack.
Compared to public sector bodies, financial institutions and other high profile targets, retailers have been slow to realise that the endless whack-a-mole nature of cybersecurity is now a core business cost.
'Retail is considered to be a less mature market when it comes to the cybersecurity risk,' says Si West, a director of customer engagement at Resilience. 'Time and time again, we hear from chief information security officers that they just haven't got the budget. It's a classic sort of conundrum. That these teams won't get the budget until they actually get hit with a serious attack.'
Watching the costly chaos that has engulfed M&S, and threatened Harrods and the Co-op, other retailers will presumably be battening down the hatches. And whatever the security measures, ransoms will remain part of the price of doing business for the foreseeable future. British customers may find it difficult to quantify the threat of cyber crime, but they understand all too well the risk of a missing Colin the Caterpillar cake.
Additional reporting by Jim Norton
Broaden your horizons with award-winning British journalism. Try The Telegraph free for 1 month with unlimited access to our award-winning website, exclusive app, money-saving offers and more.