M&S Ransomware Attack Traced to Sophisticated Social Engineering Scheme

M&S confirmed a major ransomware attack stemmed from social engineering, leading to data theft and system shutdowns linked to DragonForce ransomware and possible third-party compromise.

Retail giant Marks & Spencer (M&S) has confirmed that its systems were breached in a targeted social engineering attack that ultimately led to a ransomware deployment by the DragonForce gang. The disclosure was made by Chairman Archie Norman during a UK parliamentary sub-committee hearing on economic security and cyberattacks in the retail sector.

The initial compromise occurred on April 17, when attackers successfully impersonated a member of M&S’s vast workforce—reportedly one of more than 50,000 individuals connected to the organization. Norman explained to lawmakers that the breach was the result of a “sophisticated impersonation” in which the attackers convincingly mimicked a real person’s identity to request a password reset via a third-party service provider.

“In our case, the initial entry… occurred through what people now call social engineering. As far as I can tell that’s a euphemism for impersonation,” Norman stated during the hearing.

The attackers are believed to have deceived Tata Consultancy Services (TCS), an IT outsourcing firm that provides help desk support for M&S. By impersonating an M&S employee, they allegedly convinced TCS to reset a password—giving the threat actors the foothold they needed to infiltrate the company’s network.

Once inside, the attackers deployed ransomware attributed to the DragonForce operation. While there has been confusion in public reporting between DragonForce ransomware and DragonForce Malaysia—a hacktivist group—sources confirmed the ransomware strain used is linked to the financially motivated DragonForce gang, believed to be operating from Russia.

The attack has also been tied to the Scattered Spider group, known for ransomware activity that often involves double extortion tactics. In M&S’s case, the attackers not only encrypted critical systems, including multiple VMware ESXi servers, but are also believed to have exfiltrated roughly 150GB of sensitive data.

In response to the attack, M&S took the drastic step of shutting down its systems to prevent further spread. Despite this, by the time containment efforts were underway, much of the damage had already been done.

The double extortion method used by DragonForce involves both encrypting the victim’s files and stealing data for additional leverage. While M&S has confirmed that data was stolen, the company has not appeared on DragonForce’s data leak site—suggesting that a ransom may have been paid, or that negotiations are still ongoing.

When questioned by MPs about ransom payments, Norman remained tight-lipped, stating:

“We took an early decision that nobody at M&S would deal with the threat actors directly. We felt that the right thing would be to leave this to the professionals who have experience in the matter.”

He confirmed that the matter had been fully disclosed to the UK’s National Crime Agency (NCA) and relevant authorities, but declined to discuss ransom payments publicly.

Attacks like this highlight the growing threat of supply chain compromise, particularly when third-party vendors hold the keys to enterprise IT systems. A single password reset request—if mishandled—can open the door to large-scale ransomware campaigns with significant operational and reputational fallout.

As ransomware groups continue refining their social engineering playbooks, the need for airtight identity verification protocols and system recovery safeguards becomes more urgent than ever. In scenarios where critical systems are encrypted or compromised, rapid and reliable recovery can make the difference between a major disruption and a catastrophic failure.
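The weak link described above is a help-desk password reset granted on an impersonator's say-so. The following is an added example, not code from the article or from M&S or TCS: a small review routine that flags help-desk resets which lacked a strong out-of-band verification step, or which were followed shortly afterwards by a sign-in from a device the account had never used. The event schema, field names and the `STRONG_VERIFICATION` set are assumptions; the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema, not from the incident):
# password resets performed by an outsourced help-desk operator account,
# plus the affected users' sign-ins.
EVENTS = [
    {"ts": "2025-04-10T09:00:00", "type": "login", "user": "jdoe", "device": "LAPTOP-A1", "ok": True},
    {"ts": "2025-04-15T08:55:00", "type": "login", "user": "jdoe", "device": "LAPTOP-A1", "ok": True},
    {"ts": "2025-04-17T10:12:00", "type": "reset", "user": "jdoe", "operator": "svc-helpdesk-02", "verification": "caller_id"},
    {"ts": "2025-04-17T10:31:00", "type": "login", "user": "jdoe", "device": "UNKNOWN-7F", "ok": True},
    {"ts": "2025-04-01T08:00:00", "type": "login", "user": "asmith", "device": "LAPTOP-B9", "ok": True},
    {"ts": "2025-04-17T11:00:00", "type": "reset", "user": "asmith", "operator": "svc-helpdesk-02", "verification": "callback+manager"},
    {"ts": "2025-04-17T11:20:00", "type": "login", "user": "asmith", "device": "LAPTOP-B9", "ok": True},
]

# Assumed policy: a reset counts as strongly verified only if the operator
# recorded an out-of-band check, not just the caller's claimed identity.
STRONG_VERIFICATION = {"callback+manager", "in_person", "hardware_token"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def review_resets(events, window=timedelta(hours=2)):
    """Return an alert for each reset that was weakly verified or that was
    followed within `window` by a successful sign-in from a never-seen device."""
    events = sorted(events, key=lambda e: _parse(e["ts"]))
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "reset":
            continue
        t0 = _parse(ev["ts"])
        reasons = []
        if ev.get("verification") not in STRONG_VERIFICATION:
            reasons.append(f"weak verification ({ev.get('verification')})")
        # Baseline: devices this user successfully signed in from before the reset.
        known = {e["device"] for e in events[:i]
                 if e["type"] == "login" and e["user"] == ev["user"] and e["ok"]}
        for later in events[i + 1:]:
            t = _parse(later["ts"])
            if t - t0 > window:
                break
            if (later["type"] == "login" and later["user"] == ev["user"]
                    and later["ok"] and later["device"] not in known):
                mins = int((t - t0).total_seconds() // 60)
                reasons.append(f"sign-in from new device {later['device']} {mins} min after reset")
                break
        if reasons:
            alerts.append({"user": ev["user"], "operator": ev["operator"],
                           "reset_at": ev["ts"], "reasons": reasons})
    return alerts
```

Run over the sample events, only the `jdoe` reset is flagged: it was verified by caller ID alone and was followed 19 minutes later by a sign-in from a device that account had never used, the pattern a help-desk-assisted account takeover leaves behind.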
