Breach Teardown

Retail
2025

What Caused the Marks & Spencer Breach?

Over Easter weekend 2025, ransomware crippled Marks & Spencer. The intrusion did not start inside M&S at all: attackers phoned the retailer’s outsourced IT help desk, impersonated an employee convincingly enough to get a reset on an account, and worked from there to ransomware that kept online ordering down for six weeks and wiped an estimated £300 million from operating profit.

Scale
~£300M estimated profit impact; online orders down six weeks
Attack vector
Impersonation call to an outsourced IT help desk
IAM domains implicated
Auth/SSO, Governance, Security
Domino controls hit
1 of 4

The Incident

What Happened

In April 2025, Marks & Spencer disclosed a cyberattack that halted online orders, disrupted contactless payment and stock systems, and took weeks to contain. Testifying before a UK parliamentary committee that July, chairman Archie Norman attributed the ransomware to the DragonForce group working with loosely aligned actors, in a campaign widely linked to the social engineering crew known as Scattered Spider. The same wave hit Co-op and Harrods.

The entry point was human. As reported across the investigation coverage, the attackers called the IT help desk run by a third-party services contractor, impersonated an M&S employee in fluent English with a credible cover story, and obtained a credential reset. That reset became network access, escalation, and eventually ransomware deployment.

Customer data including contact details, dates of birth, and online order histories was taken, though M&S said usable payment data was not. Online ordering stayed offline for roughly six weeks. Industry bodies put the combined cost of the M&S and Co-op event between £270 million and £440 million, and the National Crime Agency arrested four suspects in July 2025.

Attack Chain

How the Attack Compounded

Each step below marks the AXIS control that failed at that point in the chain, where one applies. Steps without a control marker were outside the victim's direct span of control.

  1. Attackers research M&S staff, then call the outsourced IT help desk impersonating an employee.

    AUTH-05

  2. The contractor’s help desk agent resets the account’s credentials without high-assurance verification of the caller.

    AUTH-05

  3. The identity process failed at a supplier, but the access it granted was to M&S systems. Nobody had scored the outsourced desk against the same bar as the internal one.

    GOV-04

  4. Attackers move through the network and stage ransomware without being evicted.

    SEC-01

  5. Encryption lands over a holiday weekend; recovery of core retail systems takes over a month.

    SEC-02

Control Mapping

The IAM Controls That Failed

Every failure point below corresponds to a control in the AXIS question bank, the same 4 controls a maturity assessment would have scored before this incident.

AXIS controls that failed in the Marks & Spencer breach, with domain, capability, and how each failed
ControlDomainCapabilityHow it failed here
AUTH-05Auth/SSOAccount Recovery & Identity Verification ResistanceA phone call to a help desk defeated the authentication stack. Recovery and reset processes are part of the perimeter, and here the process belonged to a contractor whose verification bar the attackers had already measured.
GOV-04GovernanceIAM Operating Model and SkillsIdentity operations were outsourced without the operating model treating the supplier’s reset process as a control surface. If a third party can reset your credentials, their procedures are your procedures.
SEC-01
Domino
SecurityIdentity Threat Detection & Response (ITDR)The window between the fraudulent reset and ransomware deployment was the detection opportunity. Reset events on privileged or unusual accounts, followed by novel access patterns, went unactioned.
SEC-02SecurityIdentity Resilience & Disaster RecoverySix weeks without online ordering is a resilience finding, not just an availability one. Restoring identity and core commerce systems at retail scale had no rehearsed fast path.

The Maturity Lesson

What Would Have Changed the Outcome

The Domino Effect

MGM Resorts fell to a nearly identical phone call eighteen months earlier, and the M&S incident shows the pattern surviving contact with a different industry and a different continent. In AXIS terms the score that mattered was AUTH-05, account recovery resistance, evaluated at every desk that can reset a credential, including ones on a supplier’s payroll. An assessment that stops at the corporate boundary would have missed the control that failed.

The Maturity Level That Mattered

At level 2 or 3 on AUTH-05, resets require verification a caller cannot supply from research: callback to a registered device, live ID checks, or manager attestation, with stricter rules for privileged accounts. Those requirements have to be written into the outsourcing contract and audited, which is GOV-04 territory.

For consulting engagements, this teardown argues for one blunt question early in scoping: who, anywhere in the world, can reset your credentials, and what do they require before they do it?

Related Compliance Frameworks

The controls implicated in this breach carry citations in these frameworks within the AXIS bank:

Sources

About This Analysis

This teardown is based exclusively on public disclosures, regulatory findings, and reporting cited above; it makes no claim of insider knowledge about the internal environment at Marks & Spencer. Control mappings express how the publicly documented failure points correspond to capabilities in the AXIS methodology, for educational purposes. AXIS is not affiliated with Marks & Spencer.

Would Your Program Have Caught This?

The 4 controls that failed here are questions in the AXIS assessment. Score your organization against them, and the rest of the bank, in about 20 minutes. No signup required to start.