
Marks & Spencer: Law enforcement examines cyber assault as the FTSE 100 retailer's share price recovery stalls

Ongoing cyber assault on M&S under investigation by law enforcement, causing significant disturbance to the FTSE 100 retailer.

The UK's Marks & Spencer (M&S) is grappling with a major cyber assault, and the hacking group Scattered Spider is under scrutiny by the Metropolitan Police. The ongoing attack has left the retail giant and its customers reeling from continuing disruption.

Law enforcement officers from the Met's cyber crime unit are delving deep into the case after reports began swirling about Scattered Spider possibly pulling off the attack. M&S first sounded the alarm on the cyber attack last Tuesday, bringing in external cyber security experts to aid in the investigation and management of the incident. They also informed the relevant data protection supervisory authorities and the National Cyber Security Centre.

Initially, the assault targeted M&S's contactless payments and click and collect orders. The situation took a turn for the worse on Friday, prompting M&S to shut down orders via its website and app. Employees at a critical logistics site were told to stay home on Monday, and some stores were left with empty shelves.

A Met Police spokesman confirmed the force's involvement: "We were called on Wednesday April 23 regarding a cyber incident at Marks & Spencer. Detectives from the Met's cyber crime unit are investigating. Inquiries continue." The National Cyber Security Centre is also lending a hand to the retailer "to support their response to a cyber incident."

The Met's investigation comes at a time when M&S's share price recovery has stalled following a recent upswing. M&S's share price plummeted from 411p to 383p upon revealing the cyber attack.

Elsewhere, The Co-op found itself in a similar situation, forced to shut off parts of its IT systems after an attempted hack. The Manchester-headquartered group has confirmed that some of its back office and call centre services have been affected. However, its stores, including grocery and funeral homes, remain operational.

It remains to be seen whether the hacks of the two retail giants are connected in any way.

The Backstory

  • First Appearance: The breach became apparent on 21 May. Online/app ordering was halted by 25 April. Distribution systems were still experiencing issues as of 30 April.
  • The Operational Tsunami:
      • Workers at the East Midlands distribution centre were told to stay home.
      • Remote workers were obstructed from internal systems to contain the breach.
      • Store shelves have run empty due to distribution snarls.
  • The Financial Turmoil: M&S's market value tumbled by roughly £678m–£700m during the firestorm.

The Investigation

  • The Lawmen: The Met Police Cyber Crime Unit is spearheading the criminal investigation, with the National Cyber Security Centre backing them.
  • Attack Strategy: Hackers are suspected to have exploited Microsoft Active Directory, potentially evading password files (though not plaintext credentials).
  • The Third-Party Troop: M&S has enlisted Microsoft, CrowdStrike, and Fenix24 to investigate and remediate the breach.

The Connection to Scattered Spider

  • Their Colors: An unruly US/UK collective of teenagers and young adults known for corporate attacks.
  • Suspected Participation: Sources suggest the group's involvement, with the initial access possibly dating back to February 2025.
  • The Ransom Mystery: Unverified reports buzz about a £10m ransom demand, though M&S hasn't confirmed this publicly.

The Remaining Struggles

  • Recovery Timeline: M&S has yet to provide a restoration date, stating only that customer intervention is unnecessary "unless the situation changes."
  • The Expert Insight: Cybersecurity experts cite the attack's sophistication, attributing the protracted recovery to Active Directory compromises, which necessitate meticulous system checks to prevent re-infection.
  1. M&S's share price plunge continued after the revelation, dropping from 411p to 383p, indicating a significant financial disruption.
  2. The National Cyber Security Centre is supporting M&S in their response to the cyber incident, aiding in the investigation and remediation of the breach.
  3. The suspected attack strategy involved the exploitation of Microsoft Active Directory, potentially bypassing password files, a disruption method not uncommon among cyber threats.
  4. M&S enlisted the help of third-party investigators, including Microsoft, CrowdStrike, and Fenix24, to probe the breach and facilitate the recovery process.
  5. The potential involvement of Scattered Spider in the M&S cyber attack dates back to February 2025, according to unverified sources, raising concerns about the group's disregard for corporate security in both the UK and US markets.