
Marks & Spencer Offline for Weeks: What Every IT Manager Must Learn From This Attack

A ransomware attack shut down one of the UK's largest retailers for over 3 weeks. Would your operation survive a scenario like this?
June 17, 2026

When the Checkout Becomes an Empty Storefront: The Marks & Spencer Case

In April 2025, Marks & Spencer (M&S), one of the United Kingdom's most recognized retailers with over 140 years of history, had its digital operations severely compromised by a ransomware attack. According to information published by BleepingComputer, the attack was attributed to the Scattered Spider group and resulted in the shutdown of online order management systems. The company's e-commerce channel, which accounts for a significant share of its revenue, was offline for more than three consecutive weeks.

The estimated financial impact exceeds £300 million in losses, factoring in interrupted revenue, emergency operational costs, and brand reputation damage. Beyond the commercial paralysis, customer data was compromised — including contact information and order history — adding a significant regulatory dimension to the event, particularly under the European GDPR framework.

The M&S attack is not an isolated episode involving a large corporation far removed from your reality. It is a reminder that logistics and distribution chains, order management systems, and customer relationship platforms represent high-value attack surfaces for sophisticated criminal groups. According to IBM's Cost of a Data Breach Report 2023, ransomware attacks cost an average of $5.13 million per incident, excluding any ransom paid.

The question that matters is not whether your company is large enough to be a target. The question is: was your IT infrastructure built to survive an attack like this?


Vectors That Are Typically Behind Attacks Like This

The internal details of the M&S incident are not fully public, and any categorical claim about what happened behind the scenes would be speculation. What can be stated, based on documented patterns of ransomware attacks against organizations of similar size, is that certain vectors appear with disturbing frequency in these scenarios.

Social engineering and spear phishing. The Scattered Spider group is widely associated with advanced social engineering techniques, including vishing (voice phishing) and SIM swapping, as documented by CISA (the Cybersecurity and Infrastructure Security Agency) in November 2023. In attacks like these, a single employee convinced to provide corporate credentials or reset a privileged access account can be the entry point for the entire chain of compromise. A helpdesk employee who receives a convincing call from someone impersonating a colleague and resets a critical access password without proper verification, for example, can open a door that no firewall can close.

Compromised credentials and the absence of multi-factor authentication (MFA). Stolen corporate credentials are available on dark web marketplaces for prices ranging from $10 to $3,000, depending on the level of access they provide, according to data from Palo Alto Networks' Unit 42 Threat Report (2024). When an organization does not consistently implement MFA (Multi-Factor Authentication) across all critical access points — such as VPNs, administration panels, and collaboration tools — a single leaked credential pair is enough for an attacker to move laterally through the network without triggering immediate alerts.

Lack of proactive monitoring and late detection. Studies from Mandiant (now part of Google Cloud) indicate that the average dwell time of an attacker inside a corporate network before being detected is 16 days. In financially motivated attacks such as ransomware, this period is used to map the network, identify backups, escalate privileges, and position the payload before detonation. An infrastructure without continuous monitoring and intelligent alerting cannot see the fire forming. It only notices when everything is already in flames.


What Can Be Done to Protect Your Infrastructure

Endpoint protection with detection and response (EDR). EDR (Endpoint Detection and Response) is a security layer that goes beyond traditional antivirus solutions. While legacy solutions react to known malware signatures, EDR platforms monitor anomalous behaviors in real time — such as a process attempting to encrypt multiple files in sequence — and can automatically isolate the endpoint before the damage spreads. For operations with multiple access points, such as retailers, distributors, and companies with hybrid workforces, EDR represents the difference between a contained incident and a total shutdown.
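To make the behavioural rule above concrete, here is an added example (not M&S's code and not any EDR vendor's logic) of the kind of heuristic an EDR sensor applies: a process that rewrites many files across several directories within a few seconds, where the new content looks random (high byte entropy, as ciphertext does), is flagged. The event records, process names, paths and thresholds are all constructed for the illustration.

```python
import math
import random
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float       # seconds, relative clock (constructed)
    pid: int
    process: str
    path: str
    sample: bytes   # first bytes of the new content, as a sensor might capture them


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: close to 8.0 for ciphertext or compressed
    data, typically 4 to 5 for text and office documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Constructed thresholds; a real deployment tunes these per environment.
WINDOW_S = 10.0      # sliding window per process
MIN_FILES = 5        # distinct files rewritten inside the window
MIN_DIRS = 2         # spread across directories, not one working folder
MIN_ENTROPY = 7.0    # mean entropy of the rewritten content


def detect_mass_encryption(events):
    """Return one (pid, process, files_in_window) alert per offending pid."""
    alerts, alerted = [], set()
    windows = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e.ts):
        win = windows[ev.pid]
        win.append(ev)
        # Drop events that fell out of the look-back window for this process.
        while ev.ts - win[0].ts > WINDOW_S:
            win.popleft()
        paths = {e.path for e in win}
        dirs = {e.path.rsplit("/", 1)[0] for e in win}
        mean_entropy = sum(shannon_entropy(e.sample) for e in win) / len(win)
        if (len(paths) >= MIN_FILES and len(dirs) >= MIN_DIRS
                and mean_entropy >= MIN_ENTROPY and ev.pid not in alerted):
            alerted.add(ev.pid)
            alerts.append((ev.pid, ev.process, len(paths)))
    return alerts


def build_sample_events():
    """Constructed sensor feed: one process rewriting six documents with
    random-looking bytes, one user editing two text files, and one tool
    writing a single compressed archive (high entropy, but one file)."""
    rng = random.Random(7)   # deterministic stand-in for ciphertext (constructed)
    text = b"Order 10023: 2 x cotton shirt, deliver to store 17\n" * 8
    dirs = ["/srv/orders", "/srv/customers"]
    events = [
        FileEvent(100.0 + 0.1 * i, 4242, "tmp_updater.exe",
                  f"{dirs[i % 2]}/doc{i}.docx", rng.randbytes(4096))
        for i in range(6)
    ]
    events += [
        FileEvent(100.2, 1001, "winword.exe", "/home/ana/report.docx", text),
        FileEvent(100.3, 1001, "winword.exe", "/home/ana/notes.txt", text),
        FileEvent(100.4, 1777, "7z.exe", "/home/ana/archive.7z", rng.randbytes(4096)),
    ]
    return events


if __name__ == "__main__":
    for pid, proc, n in detect_mass_encryption(build_sample_events()):
        print(f"ALERT pid={pid} process={proc} files_rewritten={n}")
```

Only the process touching many files across directories trips the rule; the archiver writing one high-entropy file and the user saving text do not. That is the point of combining the three conditions: compression and backup tools also write random-looking bytes, so entropy alone is noisy, and production EDRs add allow-lists for known tools and canary files that no legitimate process should modify before they isolate a host.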

Isolated, encrypted, and regularly tested backups. Backups connected to the same network as production systems are frequently the first targets of a ransomware attack. An effective strategy involves the 3-2-1-1 model: three copies of the data, on two different types of media, with one offsite copy and one immutable, isolated (air-gapped) copy. But there is a critical detail many organizations overlook: untested backups are not real backups. A recovery plan only has value if it is validated through periodic simulations that measure RTO (Recovery Time Objective, the maximum acceptable time to recover operations) and RPO (Recovery Point Objective, the maximum amount of data that can be lost).
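The 3-2-1-1 rule and the RTO/RPO definitions above lend themselves to an automated check. The following added example (not the page's or any backup vendor's tooling) evaluates a backup inventory against the four 3-2-1-1 conditions, derives the measured RPO from the age of the newest successful copy, and derives the measured RTO only from copies that have actually been restore-tested recently, so an untested copy yields "unknown" rather than a comforting number. The inventory, timestamps and targets are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class BackupCopy:
    name: str
    media: str                               # "disk", "tape", "object-storage", ...
    offsite: bool
    immutable: bool                          # WORM/object lock or air-gapped
    last_success: datetime                   # last completed backup job
    last_restore_test: Optional[datetime] = None
    restore_minutes: Optional[float] = None  # measured duration of that test


NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)   # constructed "now"

# Constructed inventory standing in for a retailer's backup estate.
SAMPLE_COPIES = [
    BackupCopy("nas-snapshot", "disk", offsite=False, immutable=False,
               last_success=NOW - timedelta(hours=2),
               last_restore_test=NOW - timedelta(days=20), restore_minutes=90),
    BackupCopy("cloud-objectlock", "object-storage", offsite=True, immutable=True,
               last_success=NOW - timedelta(hours=26)),          # never restore-tested
    BackupCopy("tape-vault", "tape", offsite=True, immutable=True,
               last_success=NOW - timedelta(days=7),
               last_restore_test=NOW - timedelta(days=400), restore_minutes=600),
]


def check_3_2_1_1(copies) -> dict:
    """Three copies, two media types, one offsite, one immutable/isolated."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "one_immutable": any(c.immutable for c in copies),
    }


def measured_rpo(copies, now=NOW) -> timedelta:
    """Worst-case data loss if disaster struck now: age of the newest good copy."""
    return now - max(c.last_success for c in copies)


def untested_copies(copies, now=NOW, max_test_age=timedelta(days=90)) -> List[str]:
    """Copies with no restore test inside the allowed window."""
    return [c.name for c in copies
            if c.last_restore_test is None or now - c.last_restore_test > max_test_age]


def measured_rto(copies, now=NOW, max_test_age=timedelta(days=90)) -> Optional[float]:
    """Fastest demonstrated restore among recently tested copies; None means
    the real RTO is unknown because nothing was tested in the window."""
    stale = set(untested_copies(copies, now, max_test_age))
    tested = [c.restore_minutes for c in copies
              if c.name not in stale and c.restore_minutes is not None]
    return min(tested) if tested else None


def evaluate(copies, rpo_target=timedelta(hours=4), rto_target_minutes=120,
             max_test_age=timedelta(days=90), now=NOW) -> List[str]:
    """Human-readable findings; an empty list means every check passed."""
    findings = []
    for rule, ok in check_3_2_1_1(copies).items():
        if not ok:
            findings.append(f"3-2-1-1 rule failed: {rule}")
    rpo = measured_rpo(copies, now)
    if rpo > rpo_target:
        findings.append(f"measured RPO {rpo} exceeds target {rpo_target}")
    rto = measured_rto(copies, now, max_test_age)
    if rto is None:
        findings.append(f"RTO unknown: no restore test in the last {max_test_age.days} days")
    elif rto > rto_target_minutes:
        findings.append(f"measured RTO {rto} min exceeds target {rto_target_minutes} min")
    for name in untested_copies(copies, now, max_test_age):
        findings.append(f"{name}: no restore test in the last {max_test_age.days} days")
    return findings


if __name__ == "__main__":
    for line in evaluate(SAMPLE_COPIES) or ["all checks passed"]:
        print(line)
```

Run against the sample inventory, the 3-2-1-1 conditions and the RPO target pass, and the RTO of 90 minutes comes only from the on-network snapshot, which is the copy a ransomware operator would go after first. The two findings are the immutable copies that have never been (or not recently been) restore-tested: exactly the gap the text describes, since the offsite copies are the ones that matter in a real incident and nobody has measured how long they take to bring back.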

Continuous patch management and multi-factor authentication. Unpatched vulnerabilities are the preferred entry point for automated attackers. In 2023, 38.6% of the breaches analyzed by Verizon in the Data Breach Investigations Report had vulnerability exploitation as the initial vector. Combining continuous patch management with mandatory MFA on all privileged access points dramatically reduces the available attack surface. MFA, when properly implemented, blocks 99.9% of attacks based on compromised credentials, according to Microsoft data published in 2023.

A documented and tested incident response plan. When an attack occurs, every minute without a clear protocol costs money and amplifies the damage. A documented incident response plan defines who does what, in what order, with which tools, and within what timeframe. Organizations with tested plans reduce the average cost of an incident by $1.49 million compared to those that do not, according to IBM. Having this plan designed in partnership with a managed IT provider ensures it is actionable in a real crisis — not just a document filed away in a compliance folder.


Questions Every Decision-Maker Should Be Asking Right Now

1. Would my backups actually work in a disaster like this? How quickly could my operations get back online?

2. Does my team have the right tools to identify and block an attack like this immediately, before it causes full-scale damage? How am I investing in the preparedness of my technical team?

3. How long could my company survive without access to its systems and files?

Would my backups actually work in a disaster like this? How quickly could my operations get back online?

This is the question that most reveals critical gaps in organizations of any size. Having backups configured is not the same as having recovery capability. Most companies have never tested a full restore in a production environment, which means the real RTO — that is, the actual time it takes to resume operations — is unknown until the moment it matters most. A backup strategy managed by a specialized partner includes not only the creation of isolated, immutable copies of critical data, but also periodic disaster simulations with documented recovery time metrics. If you do not know how many hours it would take for your operations to come back online, it is because that number has never been tested.

For operations with high transaction volumes — such as e-commerce, logistics, or distribution — every hour offline carries a direct and measurable cost. M&S went more than three weeks without e-commerce. For small and mid-sized businesses, a window even shorter than that may be enough to permanently compromise cash flow, contracts, and reputation.

Does my team have the right tools to identify and block an attack like this immediately, before it causes full-scale damage?

Late detection is the damage multiplier in any ransomware attack. Internal IT teams, even competent ones, rarely operate with continuous 24/7 monitoring, event correlation, and intelligent alerting. An attack that begins in the early hours of a Friday morning can traverse the entire network by Monday morning without being noticed. EDR tools combined with managed proactive monitoring create a visibility layer that transforms suspicious behaviors into actionable alerts within minutes, not days.

Technical team preparedness goes beyond tooling. Ongoing security training — including phishing simulations and incident response exercises — is a documented component of risk reduction. IBM's Cost of a Data Breach Report 2023 indicates that organizations with active security training programs reduce the average cost of an incident by up to 18%. Investing in human preparedness is not an operational cost. It is an insurance policy.

How long could my company survive without access to its systems and files?

This question acts as an instant diagnostic of operational resilience. If the answer is "I don't know" or "a few hours," the existential risk is real and immediate. Organizations that are truly prepared for disaster scenarios know their operational limits with precision, because they have mapped them out in a business continuity plan integrated with their incident response plan. That plan defines priority critical systems for recovery, alternative communication chains, and tolerance windows by business area.

A managed IT partner with incident response capability can reduce the time between attack detection and the start of recovery from days to hours. The difference between a company that survives a ransomware attack and one that does not rarely comes down to the size of the attack. It comes down to the speed and organization of the response.


If your company does not yet have an integrated, layered protection strategy in place, consider conducting a Strategic IT Assessment, at no commitment, to identify vulnerabilities before they become headlines.
