As first reported by BleepingComputer, the attack on M&S was conducted by threat actors linked to Scattered Spider, who deployed the DragonForce ransomware on the network. Tata provides help desk support for M&S and is believed to have been tricked by the threat actors into resetting an employee's password, which was then used to breach the M&S network. Ransomware gangs rarely do anything for free, and if data was stolen and not leaked by now, then either a payment has been made or the threat actors are still negotiating with M&S. M&S confirmed today that the retail outlet's network was initially breached in a "sophisticated impersonation attack" that ultimately led to a DragonForce ransomware attack. For the first time, M&S referenced the DragonForce ransomware operation as the potential attacker, which he stated was believed to be operating from Asia. While BleepingComputer was told that data was stolen in the attack, DragonForce has not made an entry on their data leak site for M&S. Norman is likely referring to ransomware negotiation firms that help companies negotiate with threat actors and obtain access to Bitcoin to facilitate payments. While Norman did not go into details, he stated that the threat actors impersonated one of the 50,000 people working with the company to trick a third-party entity into resetting an employee's password. M&S chairman Archie Norman revealed this in a hearing with the UK Parliament's Business and Trade Sub-Committee on Economic Security regarding the recent attacks on the retail sector in the country. When asked about the ransom demands during the hearings, Norman said they took a hands-off approach when dealing with the threat actors. Since the attack, many media outlets have incorrectly linked a hacktivist group known as "DragonForce Malaysia" with the DragonForce ransomware gang.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 08 Jul 2025 20:40:12 +0000