This is a story about two timelines.

The first is short. A phone call, likely lasting a few minutes. Someone impersonating a Marks and Spencer employee contacted the retailer’s third-party IT service desk, run by Tata Consultancy Services. The caller requested a password reset. The help desk agent followed the verification process and granted the request.

The second timeline is long. It stretches from that initial access, believed to have occurred as early as February 2025, through the Easter weekend disruptions in April, the ransomware detonation on April 24, the 46-day suspension of online orders, and the months of recovery that followed. By the time M&S quantified the damage, the number was approximately £300 million in lost operating profit. The company’s market capitalization dropped by more than £500 million. Four people were eventually arrested.

The gap between those two timelines is the entire story. A few minutes of social engineering. Months of consequences. And a verification process that could not tell the difference between a real employee and someone pretending to be one.

The Call

The precise details of the social engineering call have not been made fully public. What we know comes from a combination of M&S’s own disclosures, reporting by BleepingComputer, Reuters, and the Financial Times, and statements from the UK’s National Crime Agency and National Cyber Security Centre.

M&S Chairman Archie Norman confirmed that attackers impersonated an M&S employee and contacted the service desk run by TCS. The service desk carried out a password reset. According to BleepingComputer, the attackers also requested that MFA be disabled on the targeted account.

The group behind the attack, assessed by investigators to be Scattered Spider, is known for exactly this method. Their operatives are native English speakers, many of them young, who study corporate jargon, IT service management workflows, and the specific verification questions that target organizations use. They do not sound like outsiders. They sound like employees who happen to be having a frustrating day.

The CISA advisory on Scattered Spider (AA23-320A) documents their standard approach: impersonate an employee or IT staff member, contact the help desk, request a credential reset or MFA bypass. The call is designed to sound routine. The verification questions are answered correctly because the information needed to answer them is publicly available. The agent follows the protocol because the protocol was satisfied.

From the help desk agent’s perspective, this would have looked like an ordinary call. An employee needing access. Verification questions answered. Request processed. Ticket closed.

That ticket became the entry point for one of the most disruptive retail cyberattacks in British history.

February to April: The Quiet Phase

According to BleepingComputer and subsequent forensic analysis, the attackers may have first infiltrated M&S’s systems as early as February 2025. The initial access, gained through the compromised credential, gave them a foothold. What followed was a patient, methodical escalation.

During this period, the attackers exfiltrated the company’s NTDS.dit file. This is the core Active Directory database, the file that stores password hashes for every domain user in the organization. With this file in hand, the attackers could crack those hashes offline, extracting cleartext credentials for a range of accounts without triggering any alerts inside the network.

Active Directory is the nervous system of a Windows enterprise environment. It controls who can access what and under which conditions. Compromising it is the equivalent of stealing the master key ring for every door in the building. The attackers now had valid credentials. They could move laterally through the network. They could escalate privileges. And they could do all of this looking, to the system, like legitimate users.

For roughly two months, they worked inside M&S’s infrastructure. The company’s security tools did not detect the intrusion during this dwell period. This is consistent with Scattered Spider’s documented tradecraft: they use valid credentials rather than malware for lateral movement, which makes their activity harder to distinguish from normal operations.
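The dwell period described above is hard to see precisely because the attackers authenticate with valid credentials, so a detection has to look at patterns rather than at any single logon. The following is an added example, not code from the original article or from M&S: it correlates a Windows password-reset event (Security log event ID 4724) with the network logons (event ID 4624, LogonType 3) that follow for the same account, and flags an account that fans out to an unusual number of distinct hosts shortly after a reset. The event records, hostnames, account names, window and threshold are all constructed for the example; a real deployment would feed it parsed Security log events and tune the threshold against per-account baselines.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events (not real M&S telemetry). Only the fields used
# below are kept. Event IDs are the real Windows Security log IDs: 4724 is a
# password reset attempt, 4624 a successful logon (LogonType 3 = network).
SAMPLE_EVENTS = [
    {"time": "2025-02-10T09:01:00", "id": 4724, "target": "jdoe", "host": "DC01"},
    {"time": "2025-02-10T09:12:00", "id": 4624, "account": "jdoe", "host": "WS-FIN-07", "logon_type": 3},
    {"time": "2025-02-10T09:14:00", "id": 4624, "account": "jdoe", "host": "FS-01", "logon_type": 3},
    {"time": "2025-02-10T09:15:00", "id": 4624, "account": "jdoe", "host": "SQL-02", "logon_type": 3},
    {"time": "2025-02-10T09:21:00", "id": 4624, "account": "jdoe", "host": "WS-HR-03", "logon_type": 3},
    {"time": "2025-02-10T09:40:00", "id": 4624, "account": "jdoe", "host": "DC01", "logon_type": 3},
    {"time": "2025-02-10T10:00:00", "id": 4724, "target": "asmith", "host": "DC01"},
    {"time": "2025-02-10T10:05:00", "id": 4624, "account": "asmith", "host": "WS-MKT-02", "logon_type": 2},
    {"time": "2025-02-10T10:30:00", "id": 4624, "account": "asmith", "host": "FS-01", "logon_type": 3},
    {"time": "2025-02-10T11:10:00", "id": 4624, "account": "asmith", "host": "FS-01", "logon_type": 3},
    # A logon the next day: outside the correlation window, so not counted.
    {"time": "2025-02-11T09:00:00", "id": 4624, "account": "jdoe", "host": "WS-OPS-01", "logon_type": 3},
]


def detect_post_reset_spread(events: List[Dict], window_hours: int = 4,
                             host_threshold: int = 4) -> List[Dict]:
    """Flag accounts whose password was reset and that then reached an
    unusually large number of distinct hosts over the network within the window.

    Both window_hours and host_threshold are illustrative values, not a
    recommended setting; a normal user touching one or two file servers after a
    reset should stay below the threshold, an account spreading across the
    estate with freshly obtained credentials should not."""
    ordered = sorted(events, key=lambda e: e["time"])
    resets = [e for e in ordered if e["id"] == 4724]
    alerts = []
    for reset in resets:
        start = datetime.fromisoformat(reset["time"])
        end = start + timedelta(hours=window_hours)
        hosts = set()
        for e in ordered:
            if e["id"] != 4624 or e.get("account") != reset["target"]:
                continue
            if e.get("logon_type") != 3:  # only network logons count as spread
                continue
            when = datetime.fromisoformat(e["time"])
            if start <= when <= end:
                hosts.add(e["host"])
        if len(hosts) >= host_threshold:
            alerts.append({
                "account": reset["target"],
                "reset_at": reset["time"],
                "distinct_hosts": len(hosts),
                "hosts": sorted(hosts),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_post_reset_spread(SAMPLE_EVENTS):
        print(f"{alert['account']}: reset at {alert['reset_at']}, "
              f"{alert['distinct_hosts']} hosts within window: {alert['hosts']}")
```

In the sample, `jdoe` reaches five distinct hosts within forty minutes of the reset and is flagged; `asmith` logs on interactively to one workstation and over the network to a single file server and is not. The reset event is the anchor because, in the scenario the article describes, the help-desk reset is the first event the defender can be certain was attacker-driven.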

While M&S employees went about their daily work, the attackers were mapping the network, identifying critical systems, and positioning themselves for the next phase.

Easter Weekend: The First Cracks

On April 19, the Easter long weekend, customers across M&S’s 1,049 UK stores began noticing problems. Contactless card payments failed at some locations. Click and Collect orders could not be retrieved. Gift card services went down. The issues appeared intermittent and inconsistent, the kind of thing that could be mistaken for a routine technical problem.

On April 22, M&S issued a formal statement to the London Stock Exchange. The company acknowledged a “cyber incident” but stressed that stores remained open and that its website and app were still operational. It reported the breach to the National Cyber Security Centre and brought in external specialists. At this point, M&S publicly assured customers that their data was safe.

Behind the scenes, the situation was far more serious than the public disclosure suggested.

April 24: The Ransomware Detonation

On April 24, two days after the public disclosure, the attackers activated their payload. DragonForce ransomware was deployed across M&S’s VMware ESXi hosts, encrypting critical servers across the infrastructure.

The timing was not accidental. The Easter weekend had thinned staffing. The initial disclosure on April 22 had set an expectation that the situation was being managed. The ransomware detonation arrived when the organization was already stretched and partially reassured.

On April 23, the day before the encryption, M&S CEO Stuart Machin received a message from the DragonForce group via a compromised employee email account. The message confirmed that M&S had been breached and that the attackers controlled its systems. The ransomware note followed a classic double-extortion pattern: pay to decrypt your systems, and pay again to prevent the release of stolen data.

On April 25, M&S suspended all online purchases through its website and mobile app. For a retailer that generates roughly one-third of its UK clothing and home sales through digital channels, this was an enormous operational hit. The company was losing an estimated £3.8 million per day in online revenue alone.

The 46 Days

What followed was a slow, grinding recovery that stretched from late April through mid-June.

With its automated ordering and inventory management systems encrypted, M&S reverted to manual processes. Staff tracked fresh food and clothing supplies with pen and paper. Shelves went partially bare. Approximately 200 warehouse workers were placed on partial furlough as distribution systems remained offline.

On May 5, BleepingComputer reported that the Scattered Spider attackers had posed as employees or IT personnel, contacting M&S’s service desk to request password resets and MFA disabling. This was the first public confirmation of the specific social engineering vector.

On May 13, roughly three weeks after the initial disruption, M&S notified customers that personal data had been stolen in the attack. The compromised information included names, dates of birth, addresses, telephone numbers, and purchase histories. M&S stated that no financial data, payment card details, or account passwords were accessed.

On May 21, the National Crime Agency formally acknowledged that Scattered Spider was a key focus of the investigation. That same day, M&S brought its website back online in a read-only capacity. Customers could browse but not buy.

On June 10, after 46 days of suspended online sales, M&S resumed taking orders for some clothing lines. Full recovery continued through July.

In July, M&S ended its IT service desk contract with Tata Consultancy Services after a partnership spanning more than a decade. Both parties described the decision as part of a standard procurement process. Also in July, the NCA announced the arrest of four individuals suspected of involvement in the M&S and Co-op attacks.

In its annual results presentation, M&S disclosed approximately £300 million in lost operating profit attributable to the breach. The Cyber Monitoring Centre (CMC), an independent body established by the UK insurance industry, classified the M&S and Co-op attacks as a single combined cyber event with a total financial impact estimated between £270 million and £440 million.

What the Numbers Do Not Capture

The financial figures tell one version of the story. The operational reality tells another.

For six and a half weeks, M&S store staff worked without the automated systems they relied on daily. Inventory tracking, stock replenishment, order fulfillment, and customer service workflows all reverted to manual processes. Employees who had been trained on digital systems found themselves managing supply chains with paper logs and phone calls. Customer-facing staff fielded questions they could not answer about order status, delivery timelines, and service restoration.

Approximately 200 warehouse workers were placed on partial furlough as distribution operations stalled. These were not corporate executives or IT staff. They were the people furthest from the breach and most directly affected by its operational consequences.

The customer data notification, when it came on May 13, added another layer. Millions of M&S customers learned that their names, addresses, dates of birth, phone numbers, and purchase histories had been exposed. M&S emphasized that no financial data was taken, but the reputational damage was already compounding. Trust in a 141-year-old retail brand does not break in a day, but it can erode over 46 of them.

And then there is the question nobody in the public reporting has answered: what happened to the help desk agent who processed the original reset? Their name has not been published. Their experience has not been documented. But somewhere in this story is a person who followed a process, did what they were trained to do, and became the unwitting entry point for £300 million in damage. If the pattern from other Scattered Spider incidents holds, that person’s career trajectory changed the moment the forensics team traced the breach back to their ticket.

Not an Isolated Incident

M&S was not the only target. In the same period, UK retailers Co-op and Harrods both reported cyberattacks using similar tactics. The CMC classified the M&S and Co-op attacks as a single combined event, suggesting coordinated or sequential targeting by the same group.

Before the UK retail campaign, Scattered Spider had already demonstrated this playbook in the United States. The MGM Resorts breach in September 2023 began with a social engineering call to the company’s IT help desk. The Caesars Entertainment breach, disclosed the same month, followed a similar pattern. In both cases, the initial access came through impersonation and credential reset, not through technical exploitation.

By mid-2025, Google’s Threat Intelligence Group reported that Scattered Spider had shifted its targeting to major US insurance companies, applying the same methodology to a new industry vertical. The group rotates sectors, but the core technique remains constant: call the help desk, satisfy the verification protocol, and walk through the front door.

The consistency of this pattern is itself the argument. This is not a one-off failure at a single organization. It is a systemic vulnerability in how enterprises verify identity over the phone. Every company that relies on knowledge-based verification at its help desk is running the same protocol that failed at M&S, at MGM, and at Caesars. The only variable is whether Scattered Spider, or someone who has studied their methods, decides to call.

What the Verification Protocol Could Not Do

Strip away the ransomware, the Active Directory compromise, the lateral movement, the data exfiltration, and the 46 days of operational disruption. Go back to the beginning. Go back to the phone call.

An attacker impersonated an employee. A help desk agent verified the caller using whatever protocol was in place. The protocol was satisfied. The reset was granted. Everything that followed was a consequence of that moment.

The agent did not fail. The protocol did not detect that the caller was not who they claimed to be. It asked questions, and the caller answered them. The same outcome has been documented at MGM Resorts, at Caesars Entertainment, and at dozens of other organizations targeted by the same group using the same method.

Scattered Spider does not defeat verification protocols. They satisfy them. This is the distinction that matters, and it is the distinction that most post-incident analyses still do not adequately address.

The group’s operatives succeed because knowledge-based verification assumes that the answers to its questions are private. They are not. LinkedIn profiles, corporate websites, conference bios, SEC filings, data broker sites, and social media posts collectively provide enough information to answer most standard help desk verification questions for any named employee at any public-facing organization.

Add AI voice cloning to the mix, and the problem deepens further. The Pindrop 2025 Voice Intelligence and Security Report documented a 680% year-over-year increase in deepfake voice activity. Modern tools can generate a convincing voice clone from a few seconds of publicly available audio. Scattered Spider has demonstrated awareness of this capability.

The help desk agent at TCS who processed the reset was operating a verification system that could not reliably distinguish a legitimate employee from a well-prepared impersonator. The system asked the right questions. It got the right answers. And it processed a reset that opened the door to £300 million in damage.

The Arithmetic of a Phone Call

Consider the proportions.

The social engineering call likely lasted a few minutes. The attacker’s research time, based on Scattered Spider’s documented methodology, was likely measured in minutes as well. The total cost to execute the initial access was effectively zero.

The resulting damage: £300 million in lost operating profit. More than £500 million in market capitalization loss. 46 days of suspended online sales. Personal data exposed for roughly 65,000 staff and millions of customers. Manual operations across 1,049 stores. Warehouse furloughs. A terminated vendor contract. Four arrests. Regulatory scrutiny. Months of reputational repair.

The return on investment for the attacker, measured in damage-per-minute-of-effort, is staggering. There is no other attack vector in enterprise security that offers this ratio. A single phone call, answered by a well-meaning agent following a protocol that could not do what it was designed to do, produced cascading failure across one of the UK’s largest retailers.

This is not a story about a sophisticated technical exploit. No zero-day vulnerability was used. No advanced malware was required for initial access. The attacker picked up a phone, answered some questions, and walked through the front door.

The sophistication came later, in the lateral movement and the ransomware deployment. But the entry point was a conversation. And the only thing that could have stopped it was a verification system that did not rely on the conversation to determine identity.

What the Verification System Should Have Required

If the help desk had required the caller to verify their identity through an out-of-band challenge on their physical device, the password reset would not have been granted. The caller could have known every answer to every question. They could have sounded exactly like the employee they were impersonating. None of it would have mattered.

Out-of-band, device-bound identity verification moves the proof of identity out of the phone call entirely. The verification happens on a device the attacker does not possess, through a channel the attacker does not control. The help desk agent is no longer making a judgment call about whether the caller sounds right. The system makes the determination using something that cannot be researched, rehearsed, or cloned.

This is the architectural fix. Not better training for help desk agents, though training is valuable hygiene. Not more knowledge-based questions, though reducing unnecessary exposure of personal data is good practice. The fix is removing the decision from the communication channel where the attacker operates and placing it in a channel where only the legitimate employee can respond.

The technology exists today. Identity Impersonation Detection systems verify callers against a government-issued ID on the caller’s own device, with protections against SIM swaps, man-in-the-middle attacks, and replay attempts. No pre-registration is required. The verification happens in the moment, outside the call.
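To make the architectural point concrete, here is an added example (not code from the original article, nor from M&S, TCS or any vendor) of a help-desk reset workflow in two forms: the knowledge-based protocol that a well-prepared caller satisfies, and an out-of-band flow in which correct answers only earn a challenge that must be approved on the employee’s enrolled device. The directory, employee, answers and device key are constructed; HMAC over a fixed shared key stands in for a device-bound signature, where a real deployment would hold an asymmetric key on the device and only the public half on the server. The challenge is bound to the ticket, the account and the action, expires, and can be used once, so a captured approval cannot be replayed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample directory (not real M&S data). The KBA answers are the
# kind of facts an impersonator can research in advance; the device key stands
# in for a key that exists only on the employee's enrolled phone.
DIRECTORY = {
    "jdoe": {
        "kba": {"employee_id": "E-10422", "manager": "A. Smith", "start_month": "2019-03"},
        "device_key": bytes.fromhex("11" * 32),  # fixed so the example is reproducible
    }
}

# What a well-prepared caller brings to the phone: every answer correct.
RESEARCHED_ANSWERS = {"employee_id": "E-10422", "manager": "A. Smith", "start_month": "2019-03"}


@dataclass
class Challenge:
    ticket_id: str
    username: str
    nonce: str
    expires_at: float
    used: bool = False


def _approval_message(ticket_id: str, username: str, nonce: str) -> bytes:
    # Action, ticket, account and nonce are all bound into the signed message,
    # so an approval cannot be reused for another ticket, account or action.
    return f"password-reset|{ticket_id}|{username}|{nonce}".encode()


class EnrolledDevice:
    """Simulates the employee's phone. The key never leaves the device."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def approve(self, ticket_id: str, username: str, nonce: str) -> str:
        msg = _approval_message(ticket_id, username, nonce)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


class HelpDesk:
    def __init__(self, directory: Dict[str, dict], ttl_seconds: int = 120,
                 clock: Callable[[], float] = time.time) -> None:
        self.directory = directory
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be exercised deterministically
        self.challenges: Dict[str, Challenge] = {}

    def _kba_matches(self, username: str, answers: Dict[str, str]) -> bool:
        record = self.directory.get(username)
        return record is not None and answers == record["kba"]

    def kba_only_reset(self, username: str, answers: Dict[str, str]) -> bool:
        """The protocol that was satisfied in the article: right answers, reset granted."""
        return self._kba_matches(username, answers)

    def request_reset(self, username: str, answers: Dict[str, str]) -> Optional[Challenge]:
        """Out-of-band flow: correct answers only earn a challenge, never a reset."""
        if not self._kba_matches(username, answers):
            return None
        challenge = Challenge(ticket_id=secrets.token_hex(4), username=username,
                              nonce=secrets.token_hex(16), expires_at=self.clock() + self.ttl)
        self.challenges[challenge.ticket_id] = challenge
        return challenge

    def complete_reset(self, ticket_id: str, response: str) -> bool:
        """Grant the reset only on a fresh, unexpired approval from the enrolled device."""
        challenge = self.challenges.get(ticket_id)
        if challenge is None or challenge.used or self.clock() > challenge.expires_at:
            return False
        key = self.directory[challenge.username]["device_key"]
        msg = _approval_message(ticket_id, challenge.username, challenge.nonce)
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response):
            return False
        challenge.used = True  # single use: a captured approval cannot be replayed
        return True


if __name__ == "__main__":
    desk = HelpDesk(DIRECTORY)
    print("KBA-only reset, researched answers:", desk.kba_only_reset("jdoe", RESEARCHED_ANSWERS))
    challenge = desk.request_reset("jdoe", RESEARCHED_ANSWERS)
    print("Out-of-band reset, guessed approval:", desk.complete_reset(challenge.ticket_id, "0" * 64))
    phone = EnrolledDevice(DIRECTORY["jdoe"]["device_key"])
    approval = phone.approve(challenge.ticket_id, "jdoe", challenge.nonce)
    print("Out-of-band reset, approved on enrolled phone:", desk.complete_reset(challenge.ticket_id, approval))
```

The caller with researched answers passes `kba_only_reset` outright, which is the outcome the article describes. Under `request_reset` the same answers produce only a pending ticket, and `complete_reset` succeeds solely when the enrolled device produces the approval. Because the approval is tied to the device key rather than to a phone number or an SMS, a SIM swap does not move it, and the agent never has to judge whether the caller sounds right.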

M&S has since ended its service desk contract with TCS and engaged external cybersecurity specialists to rebuild its defenses. The company has not publicly disclosed what changes it has made to its help desk verification process.

A Few Minutes and a Few Questions

The M&S breach will be studied for years. It will appear in CISO presentations, in board risk briefings, in insurance underwriting models, and in security awareness training modules. The numbers are too large and the method too simple for it to be ignored.

But the lesson that matters most is the one at the very beginning, before the ransomware, before the Active Directory compromise, before the 46 days of darkness.

Someone called a help desk. They answered some questions. They got a password reset.

The questions were the right ones to ask in a world where the answers were private. That world is gone. The questions remain. And organizations that have not updated their verification architecture to account for this reality are running the same protocol that failed at M&S, at MGM, at Caesars, and at every other company where Scattered Spider has picked up the phone.

The call took a few minutes. The damage will take years to fully measure. The fix is architectural. And it starts with a question that most organizations still have not answered: when someone contacts your help desk and says they are who they claim to be, what exactly do you have that proves it?

Sources

M&S Annual Results Presentation (2025) · M&S London Stock Exchange Disclosure (April 22, 2025) · BleepingComputer M&S Breach Reporting (April-June 2025) · Reuters M&S Cyberattack Coverage · Financial Times M&S/TCS Reporting · UK National Crime Agency Statements (May-July 2025) · UK National Cyber Security Centre Advisory · CISA Scattered Spider Advisory AA23-320A (updated July 2025) · Pindrop 2025 Voice Intelligence & Security Report · Cyber Monitoring Centre Classification Assessment (June 2025) · Archie Norman Public Statements on M&S Breach
