Marks & Spencer (M&S) chairman Archie Norman has confirmed that the ransomware attack that disrupted the retailer's online operations in April and May was carried out by the cybercriminal group known as DragonForce, as he told U.K. lawmakers on July 8, 2025.

- The attack began in late April and was traced to human error at a third-party service provider, believed to be Tata Consultancy Services (TCS), which gave the attackers their initial access to M&S systems.
- DragonForce deployed ransomware against M&S's VMware ESXi hosts, crippling online ordering, click-and-collect and even in-store contactless payments.
- The breach forced M&S to suspend online shopping across the UK for around six weeks, with services only gradually resuming from mid-June.
Taunting Ransom Demand
- On April 23, M&S CEO Stuart Machin and several executives received an abusive ransom email from a hijacked TCS account, demanding payment via a darknet portal. The message declared: “We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers.”
- The attackers referenced M&S's cyber-insurance coverage and threatened to leak stolen data if their demands were not met.
Impact and Fallout
- The breach is projected to cost M&S around £300 million in lost operating profit, and the company's market value fell by more than £1 billion.
- Personal data of millions of customers (names, addresses, order history and phone numbers) was stolen, but M&S states that payment card details and passwords were not compromised.
- Recovery has been slow: key features such as click-and-collect remain offline, and full restoration of service is expected in August.
About DragonForce
- DragonForce operates as a ransomware-as-a-service (RaaS) provider, leasing its toolkit to affiliates in return for a share of ransom proceeds.
- The group has targeted major U.K. retailers in a coordinated wave that also hit Co-op and Harrods, and it is now widely held responsible for the M&S breach.
- Cybersecurity experts note that DragonForce affiliates often overlap with actors from the Scattered Spider collective, combining advanced social engineering with the RaaS model.
Response and Next Steps
- M&S declined to pay a ransom and is rebuilding its systems from scratch, which has delayed full recovery but follows government cyber guidance.
- The company has notified affected customers and mandated password resets, and is monitoring for phishing or fraud attempts that use the stolen data.
- M&S is increasing its cybersecurity investment, auditing its systems, and working with law enforcement and national agencies to improve future resilience.
It is a severe blow to the fashion retail industry.