British retailer Marks & Spencer (M&S) has identified the group behind its April cyberattack as “DragonForce,” according to its chairman, Archie Norman. The attack forced M&S to suspend its online clothing orders for 46 days, impacting logistics and leading to significant operational costs. The company estimates the breach will result in a loss of £300 million in operating profit.
Norman told the UK parliament’s Business and Trade Committee that the attack involved “loosely aligned parties,” and although the instigator was never directly named, DragonForce and the Scattered Spider collective are believed to be involved. M&S did not receive any direct communication from the attackers until a week after systems were compromised.
Fallout spreads across supply and logistics
The breach not only took down M&S’s online clothing platform but also impacted its broader logistics and food distribution systems. As a result, the company faced reduced food availability and higher waste, alongside increased operating costs due to offline systems and manual processing.
Also read: Britain Urges Firms to Prioritize Cybersecurity After Attacks
Click-and-collect services are still suspended, though clothing orders resumed on June 10. The attack has placed pressure on the company’s digital strategy and exposed vulnerabilities in its online infrastructure, at a time when retailers are increasingly reliant on e-commerce channels.
DragonForce and Scattered Spider under scrutiny
Cybersecurity experts believe DragonForce operates from Asia and is linked to Scattered Spider, a group known for deploying ransomware via loosely connected threat actors. While attribution in cybercrime remains complex, the pattern of delayed communication, system disruption, and operational losses aligns with previous DragonForce-linked incidents.
M&S CEO Stuart Machin told investors the group expects to recover from the attack’s worst effects by August. However, the incident has raised broader concerns about preparedness and cyber resilience in the retail sector, especially amid rising threats from ransomware groups operating across borders.
