
30 April 2025, 14:11 | Updated: 30 April 2025, 14:21
The Metropolitan Police is investigating a cyber attack on Marks & Spencer after a hack caused chaos for the retailer, leaving shop shelves bare and online sales halted.
The force confirmed on Wednesday that officers from its cyber crime unit are investigating amid reports a hacking group known as Scattered Spider may have carried out the attack.
The criminal group reportedly involves British and American teenagers.
It comes after a cyber attack plunged the retailer into chaos last Monday, leaving the company battling the lasting impacts as the crisis dragged on.
The incident was thought to be driven by a ransomware attack which forced some of its internal processes offline.
This saw online sales halted for five days. Staff at a key logistics site were told to stay at home due to the continued disruption on Monday, and some stores were left with empty shelves.
Monday afternoon and empty shelves in your @marksandspencer Foyleside store! Now this is becoming a common issue with this store every time I visit pic.twitter.com/pLOiHKQskC
— Mark O'Reilly (@Markontheradio) April 28, 2025
A Metropolitan Police spokesman said: “We were called on Wednesday April 23 regarding a cyber incident at Marks & Spencer.
“Detectives from the Met’s cyber crime unit are investigating. Inquiries continue.”
The National Cyber Security Centre said it is also working with the retailer “to support their response to a cyber incident”.
Cyber security experts believe a hacking tool called DragonForce may have been used to carry out the breach, according to the Telegraph.
Analysts at Secureworks have referred to Scattered Spider as a “group whose loosely affiliated members’ motives are ostensibly financial, but appear as much driven by the desire to boost their reputations on underground forums as they are to make money”.
In an update to investors on Friday, M&S said that its product range was "available to browse online, and our stores remain open and ready to welcome and serve customers".
"We continue to manage the incident proactively and the M&S team - supported by leading experts - is working extremely hard to restore online operations and continue to serve customers well," it added.
The supermarket added that it is "working extremely hard" to restore its online operations, with the retailer now forced to apologise to customers for the "inconvenience".
Around 200 workers who were due to undertake shift work at the company's main distribution centre in Castle Donington in the East Midlands have been urged not to come in, according to Sky News.
They reportedly make up around 20% of the site's workforce, a source close to M&S told the outlet. M&S staff are still understood to have been told to come in as normal, although the retailer declined to comment further.
As it stands, the cyber attack is still causing huge waves of disruption across the company, with no sign of its digital shopping returning to business as usual. Online orders and returns are currently suspended.
At present, bosses are unable to give a time frame as to when online shopping can resume and have said: "We are working very hard to get operations back online."
Returns are also impacted by the cyber attack, with customers told to head to their local stores and find the designated till to return items. You can also return items via the post.
Marks and Spencer's Food Halls are currently not accepting returns. Anyone with a gift card will also be unable to use it until matters are resolved.