
Marks & Spencer Locks Down Remote Access After Suspected Ransomware Attack Disrupts Online Sales

London, 27 April 2025 — British retail giant Marks & Spencer (M&S) has restricted virtual-private-network access for thousands of remote workers in an urgent bid to stop a fast-moving cyber-attack that continues to cripple its digital operations. The incident—strongly suspected to be ransomware—has forced the company to halt online orders, hindered contactless payments in stores and wiped roughly 4 percent off its share price since Tuesday.


How the Breach Unfolded

  • Weekend disruption: Service outages first emerged over the Easter weekend, affecting M&S’s website, mobile app and some in-store payment terminals.

  • Containment move: By mid-week, executives ordered the corporate VPN switched off, limiting staff log-in privileges to prevent the malware from moving laterally across internal networks.

  • Customer impact: Shoppers can only browse products online; purchases remain disabled. Click-and-collect customers must wait for “ready to collect” emails before travelling to stores.

The decision to sever remote connectivity is a standard first-line defence in ransomware containment, security specialists say. Without VPN tunnels, attackers lose an easy pathway from compromised endpoints into back-office systems such as inventory, finance and customer-data repositories.


Financial Stakes

Online sales are pivotal to M&S’s turnaround strategy. In the last fiscal year, web and app orders generated £1.3 billion, more than a third of its clothing-and-home revenue. Every day of downtime risks lost sales, fulfilment backlogs and reputational damage—especially during the crucial spring fashion cycle.


Parallel Costs and Precedents

  • Capita (2023): Ransomware clean-up and legal fees topped £25 million, before regulatory fines.

  • MGM Resorts (2019): A cyber incident cost the hotel chain US $100 million in losses and remediation.

Industry analysts warn M&S could face seven- or eight-figure remediation bills, third-party lawsuits and potential penalties from the UK Information Commissioner’s Office, which has been formally notified.


Next Steps in Incident Response

  1. Forensic triage to determine the intrusion vector—most likely a phished employee credential or an exploited flaw in third-party software.

  2. Network segmentation to isolate affected servers and block lateral movement.

  3. Data-recovery protocol using offline backups to restore critical services.

  4. Threat-intel collaboration with the National Cyber Security Centre and law enforcement to attribute the attack and discover any data exfiltration.

  5. Customer outreach outlining protective steps if personal data was exposed.

Authorities continue to advise firms not to pay ransoms, yet many organisations privately negotiate cryptocurrency payments to restore operations and prevent data leaks.


Wider Retail Sector Warning

The incident underscores an escalating trend: ransomware crews are shifting from opportunistic encryption toward double-extortion—stealing data and threatening leaks—making retailers attractive targets due to vast troves of payment and loyalty information.

Cyber-risk consultants urge retailers to:

  • Enforce multifactor authentication on all remote connections.

  • Apply zero-trust segmentation between e-commerce, point-of-sale and corporate networks.

  • Conduct regular table-top exercises simulating ransomware scenarios.
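The forensic triage and MFA recommendations above come down to a concrete question for the responder: which remote logins in the VPN logs look like a replayed credential? The script below is an added example, not M&S tooling and not the output of any named VPN product. Its log format, field names (user, src, geo, mfa, result), the sample events, the staff accounts and the thresholds (two failures in ten minutes, two countries within an hour) are all constructed for illustration; a real appliance logs differently and the parser would need adapting.

```python
"""Triage of VPN authentication logs for signs of a phished credential.

Added example with a constructed log format; not M&S code and not tied
to any real VPN appliance. Everything below the imports is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format (field names are assumptions for this example):
#   <ISO-8601 UTC timestamp> user=<name> src=<ip> geo=<ISO country> mfa=<yes|no> result=<success|failure>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2}) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample events using documentation IP ranges. "ZZ" is a
# user-assigned country code standing in for "outside the staff baseline".
# The "alice" account shows a credential replayed from an unfamiliar place.
SAMPLE_LOG = """\
2025-04-18T08:02:11Z user=alice src=192.0.2.10 geo=GB mfa=yes result=success
2025-04-18T08:15:40Z user=bob src=192.0.2.11 geo=GB mfa=yes result=success
2025-04-19T02:41:05Z user=alice src=198.51.100.77 geo=ZZ mfa=no result=failure
2025-04-19T02:41:33Z user=alice src=198.51.100.77 geo=ZZ mfa=no result=failure
2025-04-19T02:42:10Z user=alice src=198.51.100.77 geo=ZZ mfa=no result=success
2025-04-19T02:50:00Z user=alice src=192.0.2.10 geo=GB mfa=yes result=success
2025-04-19T09:00:00Z user=bob src=192.0.2.11 geo=GB mfa=yes result=success
"""


def parse_log(text):
    """Parse the constructed log format into a time-ordered list of events."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["mfa"] = e["mfa"] == "yes"
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def triage(text, baseline_until, fail_window=timedelta(minutes=10),
           travel_window=timedelta(hours=1)):
    """Return findings for events at or after `baseline_until` (ISO timestamp).

    Earlier events are treated as trusted and used only to learn the
    countries each user normally connects from. Thresholds are assumptions.
    """
    cutoff = datetime.strptime(baseline_until, TS_FMT)
    events = parse_log(text)

    known_geo = defaultdict(set)           # user -> countries seen in baseline
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success" and e["mfa"]:
            known_geo[e["user"]].add(e["geo"])

    findings = []
    failures = defaultdict(list)           # (user, src) -> failure timestamps
    last_success = {}                      # user -> most recent success event

    def flag(kind, e, note):
        findings.append({"kind": kind, "user": e["user"], "src": e["src"],
                         "ts": e["ts"].strftime(TS_FMT), "note": note})

    for e in events:
        if e["ts"] < cutoff:
            if e["result"] == "success":
                last_success[e["user"]] = e
            continue
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            failures[key].append(e["ts"])
            continue

        # A successful login inside the incident window: apply each check.
        if not e["mfa"]:
            flag("no_mfa_success", e, "remote login succeeded without MFA")
        if e["geo"] not in known_geo.get(e["user"], set()):
            flag("new_geo", e, f"country {e['geo']} absent from user's baseline")
        recent = [t for t in failures[key] if e["ts"] - t <= fail_window]
        if len(recent) >= 2:
            flag("failures_then_success", e,
                 f"{len(recent)} failures from same source within {fail_window}")
        failures[key] = []
        prev = last_success.get(e["user"])
        if prev is not None and prev["geo"] != e["geo"] \
                and e["ts"] - prev["ts"] <= travel_window:
            flag("impossible_travel", e,
                 f"previous success from {prev['geo']} only {e['ts'] - prev['ts']} earlier")
        last_success[e["user"]] = e
    return findings


def run_sample():
    """Triage the constructed sample; the incident window starts on 19 April."""
    return triage(SAMPLE_LOG, "2025-04-19T00:00:00Z")


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ts']} {f['kind']:22} {f['user']}@{f['src']}: {f['note']}")
```

Run against the sample, every finding lands on the same account: a non-MFA success from a country outside the user's baseline, preceded by two failures from the same source and followed minutes later by a legitimate-looking login from the usual country. Any one signal alone is noisy; the combination is what a triage analyst would escalate, and the "no MFA" finding is exactly the gap the multifactor recommendation closes.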


Outlook

M&S has not confirmed ransom demands or the specific malware strain, but early indicators align with recent Russia-linked campaigns that exploit VPN credentials and deploy file-locking payloads within hours. With online revenues halted and recovery efforts ongoing, the company faces a race against time to restore full service before critical spring-summer trading peaks.

For now, consumers are advised to monitor email updates, expect delays in order fulfilment and beware of phishing scams that may mimic official M&S communications in the wake of the breach.
