M&S Ransomware Attack Cost £300M — How DragonForce Took Down a Retail Giant
The DragonForce ransomware group's April 2025 attack on Marks & Spencer caused a 46-day operational shutdown and £300 million in profit losses, exposing the real cost of social engineering.
The April 2025 ransomware attack on Marks & Spencer — a 141-year-old British retailer with 65,000 employees and 1,400+ stores — stands as one of the most financially devastating cyberattacks on a retail business in history.
The attack vector: social engineering a contractor
DragonForce didn't break through M&S's perimeter with a sophisticated exploit. They manipulated a third-party IT helpdesk contractor (Tata Consultancy Services) through social engineering — obtaining credentials, then moving laterally through internal systems until they had the access needed to deploy ransomware.
46 days of operational chaos
From April 22 to June 10, 2025 — 46 days — M&S was forced to revert to pen-and-paper tracking for fresh food and clothing inventory. Automated ordering and stock management systems were completely offline. Customers experienced empty shelves, failed online orders, and disrupted loyalty programs.
The financial reckoning
The company disclosed a £300 million (~$400 million) hit to operating profit for its 2025/2026 fiscal year — entirely attributable to the cyberattack. For context, that's more than most mid-size companies generate in revenue in a year, wiped out by a single attack that began with a phone call to an IT helpdesk.
The lessons for every business
- **Third-party risk is your risk.** Your security posture is only as strong as your weakest vendor. M&S's attacker never needed to touch M&S systems directly to gain a foothold.
- **Operational resilience planning is non-negotiable.** Businesses that can't operate without their digital systems need documented, tested fallback procedures.
- **Identity verification for privileged actions must be robust.** Social engineering works because helpdesks are trained to be helpful. Zero-trust identity verification protocols need to override that instinct for sensitive requests.
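The third lesson is the one a helpdesk can actually operationalise. The following is an added example, not code from the original article or from M&S or its contractor: a small policy gate, written here in Python, that a ticketing workflow could call before a password or MFA reset is carried out. It assumes a simple account model (whether the identity is privileged and whether it belongs to a third party), a registered phone number held on file before the request was raised, and three verification steps an agent can record with evidence. Every account name, phone number and ticket ID in it is constructed for illustration. The point it shows is that a caller's own assertions are never a check, and that evidence which does not stand up (a callback placed to a number the caller supplied, a verbal "my manager approved it") is discarded rather than counted.

```python
"""Verification gate for helpdesk identity requests (added, constructed example).

A password or MFA reset is approved only when every out-of-band check required
for the request's risk tier has been recorded with evidence that actually proves
something. All account names, phone numbers and ticket IDs below are made up.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    PASSWORD_RESET = "password_reset"
    MFA_RESET = "mfa_reset"
    ENROL_DEVICE = "enrol_device"


@dataclass
class Account:
    username: str
    privileged: bool          # admin or domain-level rights
    third_party: bool         # contractor or vendor identity
    registered_phone: str     # number on file BEFORE the request was raised


@dataclass
class Request:
    account: Account
    action: Action
    ticket_id: str
    # check name -> evidence the agent recorded (e.g. the number actually dialled)
    evidence: dict = field(default_factory=dict)


# Checks an agent may record. Things the caller asserts about themselves
# (name, employee number, "my manager said it's fine") are deliberately absent.
CALLBACK = "callback_to_registered_number"
MANAGER_APPROVAL = "manager_approval_attached_to_ticket"
VIDEO_ID = "live_video_with_photo_id"


def required_checks(req: Request) -> set:
    """Checks a request must satisfy. Tiers stack: a privileged MFA reset needs all three."""
    checks = {CALLBACK}
    if req.action in (Action.MFA_RESET, Action.ENROL_DEVICE):
        # The existing factor is exactly what the caller wants replaced, so a
        # second person must vouch for the request rather than a phone call alone.
        checks.add(MANAGER_APPROVAL)
    if req.account.third_party:
        checks.add(MANAGER_APPROVAL)
    if req.account.privileged:
        checks.update({MANAGER_APPROVAL, VIDEO_ID})
    return checks


def satisfied_checks(req: Request) -> set:
    """Checks whose recorded evidence is acceptable; weak evidence is dropped."""
    done = set()
    for check, evidence in req.evidence.items():
        if check == CALLBACK and evidence != req.account.registered_phone:
            # Calling back a number the caller supplied only reaches the caller.
            continue
        if check == MANAGER_APPROVAL and not str(evidence).startswith(req.ticket_id):
            # Approval has to be attached to this ticket, not claimed verbally.
            continue
        done.add(check)
    return done


def evaluate(req: Request) -> tuple:
    """Return ('approve' | 'deny', sorted outstanding checks) for the audit trail."""
    missing = required_checks(req) - satisfied_checks(req)
    return ("approve" if not missing else "deny", sorted(missing))


if __name__ == "__main__":
    # Constructed walkthrough: a vendor-held admin identity asking for an MFA reset.
    vendor_admin = Account("vendor-admin", True, True, "+44 7700 900200")
    req = Request(vendor_admin, Action.MFA_RESET, "TCK-2",
                  {CALLBACK: "+44 7700 900200", MANAGER_APPROVAL: "verbal"})
    print(req.ticket_id, evaluate(req))   # denied: approval not on ticket, no video ID
```

The gate is deliberately boring: it adds no new information about the caller, it only refuses to let the agent's helpfulness substitute for evidence. Plugging it in front of the reset action in the ticketing tool (rather than in a training slide) is what makes the policy survive a persuasive caller.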
The M&S incident should be required reading for every CTO, CISO, and board member responsible for operational continuity.