Marks & Spencer CEO Targeted Directly in £300m Ransomware Attack

Hackers behind the devastating cyberattack on Marks & Spencer sent a direct and abusive ransom demand to the company’s chief executive, it has emerged.

The email, sent on April 23, was addressed to CEO Stuart Machin and seven senior executives. Written in broken English and allegedly from the hacking group DragonForce, the message gloated about the attack and demanded that the company enter ransom negotiations via a dark web portal.

It is the first clear confirmation that DragonForce is responsible for the cyberattack, which M&S has not publicly acknowledged. The group claims to have installed ransomware across M&S’s systems, stolen customer data, and crippled operations – an incident that has reportedly cost the retailer around £300 million. Six weeks on, M&S is still unable to process online orders.

The extortion email – shown to the BBC by a cybersecurity expert – was apparently sent from the account of a Tata Consultancy Services (TCS) employee based in London who works with M&S. TCS says its own systems were not the source of the email and maintains that it was not involved in the breach. The employee’s credentials appear to have been compromised in the attack.

The hackers included a link to a dark web site used by DragonForce victims to negotiate ransoms. They also referenced details from M&S’s cyber insurance policy, suggesting they had in-depth access to sensitive internal documents.

“We know we can both help each other handsomely,” the message read, alongside threats and a cartoonish image of a fire-breathing dragon.

The same group is believed to be behind a simultaneous cyberattack on Co-op, which caused weeks of disruption to food deliveries and store operations. Neither Co-op nor M&S has appeared on DragonForce’s usual leak site, but the hackers told the BBC they are experiencing technical issues and expect to publish stolen data soon.

Security researchers remain divided on the true identity and origin of DragonForce, with some linking the group to Malaysia or Russia. However, growing speculation points to a loose collective of Western hackers known as Scattered Spider, suspected of being behind recent high-profile attacks on Harrods and other UK retailers.

Scattered Spider is believed to be composed largely of teenagers operating through Telegram, Discord, and online forums. The UK’s National Crime Agency has confirmed it is focusing its investigation on this group, amid mounting concern over its role in the surge of cyberattacks targeting British retail chains.

In an exchange with the BBC, hackers claiming responsibility for the Co-op breach identified themselves only by aliases from the crime drama The Blacklist, declaring, “We’re putting UK retailers on the blacklist.”

Despite the severity of the incident, Marks & Spencer has so far declined to comment on the ransom demand or confirm whether it has engaged with the hackers.
