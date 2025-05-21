Marks and Spencer (M&S) leadership believes that it may take at least another month to fully recover following a ransomware attack that it now looks likely will cost it at least £300m.

It has also emerged that the incident may have begun through the systems of a third-party supplier of IT services, where tech support staff had their credentials stolen via social engineering, according to CEO Stuart Machin.

The admission that the attack began via social engineering lends credence to the theory that the Scattered Spider hacking collective is indeed behind the attack. The gang has previously used similar techniques against other targets.

According to Reuters, the initial target of the cyber attack may have been Tata Consulting Services (TCS), which runs the M&S IT helpdesk. Pushed by reporters on this on results day, Machin declined to state if this was accurate, and Computer Weekly understands TCS has also made no comment.

Nor did Machin reveal whether or not M&S has paid off its attackers, stating advice from incident responders.

He did, however, say that M&S has heavily invested in cyber tooling in the past 24 months which may have helped it spot and respond to the attack quicker. He also said M&S had not “left the door open” to its hackers.

“Over the Easter bank holiday it became clear that we were facing a highly sophisticated and targeted attack,” said Machin in a prerecorded video accompanying the retailer’s latest results. “We called in several cyber experts and assembled the best support team including technology partners and notified the authorities immediately.

“As a result we were able to take control of the situation very quickly and take the right actions to protect the business, our customers, our suppliers, and keep our shops empty and trading. This meant proactively taking down some of our systems which resulted in short-term disruption – but we think that was the right thing to do.”