M&S cyber attack linked to hacking group Scattered Spider but who are they?

30 April 2025, 11:09 | Updated: 30 April 2025, 12:58

Who are Scattered Spider and how did they hack Marks and Spencer? Here's everything you need to know about the huge M&S cyber attack.

M&S has suffered the blows of a huge cyber attack in the past week and now hacking group Scattered Spider are being linked to it.

The high street giant famous for it's fashion and Food Hall has suffered almost a week of financial lost and widespread disruption as all online orders and transactions have been forced to cease while many Marks and Spencer shops themselves are seeing empty shelves.

Since Friday 25th April, all M&S online orders, including the website and app, were stopped, causing the company to lose hundreds of thousands in sales. Not only that, but the cyber attack has seen the brand lose half a million in value in the stock markets too.

• READ MORE: Marks & Spencer ‘cyber incident’ hits shops’ contactless payments and affects online orders
• READ MORE: When will M&S be back online? Everything we know about the cyber attack so far

As investigations behind the significant attack continue, it's emerged hacking group Scattered Spider could be behind the M&S chaos, although it has been said it's impossible to confirm exactly who the hackers are.

Who are hacking group Scattered Spider?

A collective group of cyber attackers, Scattered Spider have gained themselves quite a reputation in the hacking world and are even linked to system attacks on other huge companies such as MGM Resorts and US casino brand Caesars, costing them millions.

Scattered Spider are said to be a cybercriminal group who typically targets large companies and their IT desks.

Also known as Octo Tempest, they are thought to be unusual because they are English and American, with many groups like this typically being based in Russia.

Previous Scattered Spider findings have said participants in this group are surprisingly young, in their mid-20s, with some as young as 16.

Why would a hacking group like Scattered Spider attack M&S?

It's believed a hacking group encrypted important Marks and Spencer systems using ransomware - a technique which means companies are forced to consider a ransom to be able to unlock their systems once again.

Tim Mitchell, a senior security researcher at Secureworks, told The Guardian: "Their motivation appears to be as much about bragging rights on those channels [where they communicate] as about money.”

How do Scattered Spider operate?

In the M&S case, hackers would have had to gain access to systems which they would have done using phishing emails, imposing as an M&S employee or even SIM swapping.

BleepingComputer has suggested M&S data was stolen as far back as February which would have helped them gain access to important systems. It's said they used this information to gain access to the main server before implementing the ransomware.

What is the Marks and Spencer latest?

As expected M&S are still very much suffering the blows of the cyber attack. Currently shoppers can only browse online but shopping in store should be operating as normal. There are still some on-going difficulties such as gift cards not being accepted.

If you are looking to do returns, this can only happen at designated tills in clothing and homeware stores or via the post. Those shopping in the Food Hall may still see empty shelves and will be unable to do any returns.