Social Engineering Used to Breach M&S Systems
A cyberattack on Marks & Spencer (M&S) has raised concerns over digital security in the UK retail sector. Sources told BleepingComputer that threat actors allegedly used social engineering to reset an employee password and access internal systems. The tactics mirror those used in other recent attacks on retailers, and this method of infiltration is not exclusive to retail. M&S's stock has been negatively impacted, down 4.66% in trading today.
Marks & Spencer Hack Raises Concerns About Retail Cybersecurity
In a joint blog post, the UK’s National Cyber Security Centre (NCSC) highlighted growing threats to retail. Jonathon Ellison, National Resilience Director, and Ollie Whitehouse, Chief Technology Officer, noted a surge in ransomware and extortion.

“Cyber criminality, including extortion and ransomware, is one of the most pervasive cyber threats,” they warned in the NCSC blog.
NCSC Urges Retailers to Strengthen Defences
The NCSC acknowledged media speculation linking the incidents to the group “Scattered Spider.” These attackers may have tricked helpdesks into resetting passwords and bypassing MFA protections.
In the wake of the M&S hack, the agency urged all organizations to take immediate steps:
- Review password reset processes.
- Enforce comprehensive multi-factor authentication.
- Monitor unusual login activity.
- Prioritise protection for admin accounts.
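
As an added illustration of the "review password reset processes", "monitor unusual login activity" and "prioritise protection for admin accounts" items (this is not code from the NCSC or M&S; the event schema, event names, window length and sample data are all constructed for the example), the following Python correlates a helpdesk password reset with a later MFA change and a login from a source the account has not used before:

```python
from datetime import datetime, timedelta

# Constructed sample events with a hypothetical schema:
# (time, user, event type, source, account is privileged)
EVENTS = [
    ("2025-01-10T09:00:00", "alice", "login_success", "10.0.0.5", False),
    ("2025-01-10T09:05:00", "bob", "login_success", "10.0.0.7", True),
    ("2025-01-11T14:00:00", "bob", "helpdesk_password_reset", "helpdesk", True),
    ("2025-01-11T14:06:00", "bob", "mfa_factor_enrolled", "203.0.113.9", True),
    ("2025-01-11T14:09:00", "bob", "login_success", "203.0.113.9", True),
    ("2025-01-12T08:00:00", "alice", "helpdesk_password_reset", "helpdesk", False),
    ("2025-01-12T08:10:00", "alice", "login_success", "10.0.0.5", False),
]

WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per environment

def find_suspicious_resets(events, window=WINDOW):
    """Alert when a helpdesk reset is followed, within `window`, by a login
    from a source the account has not used before; an MFA change in between
    or a privileged account raises the severity."""
    known_ips = {}  # user -> sources seen on earlier successful logins
    pending = {}    # user -> reset record still inside its window
    alerts = []
    for ts, user, kind, src, is_admin in sorted(events):
        when = datetime.fromisoformat(ts)
        rec = pending.get(user)
        if rec and when - rec["reset_at"] > window:
            pending.pop(user)  # reset is too old to correlate
            rec = None
        if kind == "helpdesk_password_reset":
            pending[user] = {"reset_at": when, "admin": is_admin, "signals": []}
        elif kind == "mfa_factor_enrolled" and rec:
            rec["signals"].append("mfa_change_after_reset")
        elif kind == "login_success":
            if rec and src not in known_ips.get(user, set()):
                signals = rec["signals"] + ["login_from_new_ip"]
                severity = "high" if rec["admin"] or len(signals) > 1 else "medium"
                alerts.append({"user": user, "reset_at": rec["reset_at"],
                               "source": src, "signals": signals, "severity": severity})
                del pending[user]
            known_ips.setdefault(user, set()).add(src)
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_resets(EVENTS):
        print(alert)
```
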
The NCSC is still investigating. It has not confirmed whether the incidents were a coordinated campaign or separate attacks. It stressed that strong defenses are not always enough.
Retailers are advised to follow NCSC guidance and share attack data through sector groups. This includes recommendations on malware mitigation and incident response.
In their most recent statement, M&S said, “Our experienced team – supported by leading cyber experts – is working extremely hard to restart online and app shopping.”