M&S Cyberattack To Cost £300m And Upheaval To Last Into July

British retailer Marks & Spencer admits devastating cyberattack in April will impact operating profit by a hefty £300 million


British high street retailer Marks & Spencer (M&S) has confirmed the financial and operational impact of its recent devastating cyberattack.

It was in late April when M&S confirmed that a cyberattack had forced it to resort to pen and paper for logistics, after it switched off its automated stock systems, and halted online orders.

The retailer later acknowledged that customer data had been stolen. More recently, Google researchers have warned that the criminal gang that also hit the Co-Op and Harrods is now targeting American retailers as well, and is likely to have links to the people who attacked MGM Resorts International and Caesars Entertainment casinos in 2023.

A woman carries a Marks & Spencer shopping bag. Image credit: Unsplash

M&S cyberattack

GCHQ’s National Cyber Security Centre (NCSC) has recently warned UK retailers that the spate of attacks must act as a “wake up” call for them to bolster their cyber defences.

Now M&S, in its full-year results to 29 March 2025, has admitted the financial impact of the cyberattack and how long it will continue to be felt on an operational level.

“Over the last few weeks, we have been managing a highly sophisticated cyber incident,” the retailer acknowledged. “As a team, we have worked around the clock with suppliers and partners to contain the incident and stabilise operations, taking proactive measures to minimise the disruption for customers.”

The firm said it is focused on recovery, restoring systems, operations and customer proposition. Since the cyberattack, food sales have been impacted by reduced availability. The retailer has also incurred additional waste and logistics costs, due to the need to operate manual processes, impacting profit in the first quarter.

In Fashion, Home & Beauty, online sales and trading profit have been heavily impacted by the decision to pause online shopping; however, stores have remained resilient, the firm stated, before adding: “we expect online disruption to continue throughout June and into July as we restart, then ramp up operations.”

“Therefore, our current estimate before mitigation is an impact on Group operating profit of around £300m ($403m) for 2025/26, which will be reduced through management of costs, insurance and other trading actions,” said M&S.

US, UK hackers?

Meanwhile, the BBC has interviewed the UK’s National Crime Agency (NCA), which has named the notorious cyber-criminal collective Scattered Spider as a key part of its investigation.

The group is reportedly young (some are said to be teenagers) and they are known to be native English speakers, unlike the usual hacking suspects from Russia, North Korea and China.

“We are looking at the group that is publicly known as Scattered Spider, but we’ve got a range of different hypotheses and we’ll follow the evidence to get to the offenders,” Paul Foster, head of the NCA’s national cyber-crime unit, said in a new BBC documentary.

“In light of all the damage that we’re seeing, catching whoever is behind these attacks is our top priority,” he added.

The hacks have been carried out using DragonForce, a platform that gives cybercriminals the tools to carry out ransomware attacks.

“We know that Scattered Spider are largely English-speaking but that doesn’t necessarily mean that they’re in the UK – we know that they communicate online amongst themselves in a range of different platforms and channels, which is, I guess, key to their ability to then be able to operate as a collective,” Foster told the BBC.

Scattered Spider’s favoured attack vector is reportedly social engineering: persuading IT helpdesk staff to click on a link or reset a password.

Alleged hacker arrests

Scattered Spider was linked to high-profile attacks including on two US casinos in 2023 and Transport for London last year.

The alleged leader of Scattered Spider is UK citizen Tyler Buchanan, who was arrested in Spain in June 2024 while attempting to board a flight to Italy, with Spanish police alleging he had in his possession Bitcoin worth $27m.

Noah Michael Urban was arrested in Florida in 2024 for the cumulative theft of about $800,000 in cryptocurrency.

West Midlands Police aided the FBI in the arrest of a 17-year-old juvenile in Walsall in July of last year in connection with the casino hacks.

Remington Ogletree, 19, was arrested in California in November of 2024 on charges related to his alleged involvement in the group.