
M&S Confirms Social Engineering Breach Led to Massive DragonForce Ransomware Attack

M&S Reveals Social Engineering at the Heart of Devastating Cyberattack

British retailer Marks & Spencer (M&S) has confirmed that a sophisticated social engineering attack was responsible for the ransomware breach that crippled its operations earlier this year. Speaking before the UK Parliament’s Business and Trade Sub-Committee, M&S Chairman Archie Norman detailed how attackers gained initial access through impersonation tactics, exploiting both internal and third-party vulnerabilities.

This admission not only sheds light on one of the most high-profile retail cybersecurity incidents in recent years but also highlights the growing threat of human-centric attack vectors like impersonation and phishing in the corporate world.

How Hackers Got Inside the M&S Network

The breach occurred on April 17, when cybercriminals executed what Norman described as a “sophisticated impersonation” of one of the 50,000 individuals working with M&S. The attackers reportedly tricked a third-party helpdesk, allegedly operated by Tata Consultancy Services, into resetting an internal employee’s password.

“They didn’t just walk up and say, ‘Change my password,’” Norman explained. “They had the credentials. They appeared to be someone they were not.” This deception granted them access to M&S’s internal systems, paving the way for a larger ransomware operation.

DragonForce: The Group Behind the Attack?

For the first time, M&S publicly named DragonForce as the threat actor responsible. The ransomware gang, believed to be operating from Asia or possibly Russia, is not to be confused with the similarly named DragonForce Malaysia, a hacktivist group reportedly unrelated to this case.

Cybersecurity outlet BleepingComputer first reported that the attack was executed by affiliates of Scattered Spider, who then deployed the DragonForce ransomware across M&S systems. As part of the widely used double-extortion model, the gang not only encrypted data but allegedly stole around 150GB of sensitive information.

How M&S Responded: Systems Shut Down, Negotiators Brought In

In an effort to contain the threat, M&S shut down its internal systems to prevent further spread of the ransomware. However, the damage was done. Several VMware ESXi servers were encrypted, and the attackers had already exfiltrated data.

No data has appeared on DragonForce’s extortion leak site so far; sources suggest this could mean either that a ransom was paid or that negotiations are still ongoing.

When questioned directly about ransom payments, Norman refrained from confirming specifics, instead stating that “professionals were brought in” to handle the matter. “We didn’t engage with the threat actors ourselves. We let specialists take over,” he told the committee.

Why This Attack Matters: A Wake-Up Call for Corporate Security

This incident reflects a growing trend in which social engineering, rather than malware or brute-force attacks, is the primary point of entry. With attackers now targeting human behavior and leveraging third-party relationships, traditional cybersecurity defenses are no longer enough on their own.

Moreover, the breach emphasizes the risks of outsourcing critical support roles like helpdesks to external vendors. Even if M&S had secure internal protocols, the weakest link in the chain became the attacker’s open door.

Conclusion: Rethinking Cybersecurity in the Retail Sector

The M&S ransomware attack is a sobering reminder that even large, well-established corporations are not immune to cyber threats. As ransomware tactics evolve and social engineering becomes more effective, companies must invest not just in technology, but in employee training, vendor oversight, and contingency planning.

With over 150GB of stolen data still unaccounted for, and no clear confirmation on whether a ransom was paid, M&S’s experience underscores the urgency for transparency, collaboration with authorities, and proactive security measures in the age of digital extortion.
