Marks & Spencer cyber attack 'blamed on teenage hackers' with some shelves bare as retailer struggles to recover

29 April 2025, 13:09 | Updated: 30 April 2025, 11:40

The cyber attack on major retailer M&S has been linked to 'teenage hackers' as the department store chain battles to recover from the widespread disruption.

The hack which caused Marks & Spencer to halt online sales for five days has been linked to a 'teenage hacking' group.

Experts advising the British retailer with the fallout of the cyber attack believe a criminal gang known as Scattered Spider may be involved in the breach, according to sources.

The criminal group reportedly involves British and American teenagers.

It comes after a cyber attack plunged the retailer into chaos last Monday, with the company still battling the lasting impacts as the crisis drags on.

The incident, thought to be driven by a ransomware attack, forced some of its internal processes offline.

All orders placed via the M&S website and app were halted last Friday as the knock-on effects of the cyber attack continued.

Read more: Marks & Spencer ‘cyber incident’ hits shops’ contactless payments and affects online orders

Read more: Woman unfairly dismissed from Marks and Spencer because she was pregnant

'Underground forums'

As the supermarket battles to recover from the attack, stores have been left with empty shelves, according to images shared on social media.

The retailer is working with cyber security experts from CrowdStrike and Microsoft. It is also reportedly working with GCHQ’s National Cyber Security Centre and the National Crime Agency.

Cyber security experts believe hacking tool DragonForce may have been used to carry out the breach, according to the Telegraph.

Analysts at Secureworks have referred to Scattered Spider as a “group whose loosely affiliated members’ motives are ostensibly financial, but appear as much driven by the desire to boost their reputations on underground forums as they are to make money”.

In an update to investors on Friday, M&S said that its product range was "available to browse online, and our stores remain open and ready to welcome and serve customers".

"We continue to manage the incident proactively and the M&S team - supported by leading experts - is working extremely hard to restore online operations and continue to serve customers well," it added.

The supermarket added that it is "working extremely hard" to restore its online operations, with the retailer now forced to apologise to customers for the "inconvenience".

In an update to investors on Friday, M&S said that its product range was "available to browse online, and our stores remain open and ready to welcome and serve customers".

"We continue to manage the incident proactively and the M&S team - supported by leading experts - is working extremely hard to restore online operations and continue to serve customers well," it added.

The supermarket added that it is "working extremely hard" to restore its online operations, with the retailer now forced to apologise to customers for the "inconvenience".

Yesterday, hundreds of agency workers who were due for shifts at Marks and Spencer (M&S) were told to stay home as the retailer continues to grapple with the chaotic impacts of last week's cyber attack.

Around 200 workers who were due to undertake shift work company's main distribution centre in Castle Donington in the East Midlands have been urged not to come in, according to Sky News.

They reportedly make up around 20% of the site's workforce, a source close to M&S told the outlet.

M&S staff are still understood to have been told to come in as normal, although the retailer declined to comment further.