British retail giant Marks & Spencer (M&S) has been hit by a severe ransomware attack, crippling its online ordering system, disrupting click-and-collect services, and leaving shelves empty in some stores. The incident has cut off roughly £3.8 million a day in online sales and raised widespread concerns about personal data security. As the UK prepares to introduce the Cyber Security and Resilience Bill in 2025 and promote digital identity verification (such as passport-based authentication), experts warn that such attacks could amplify data breach risks, particularly where new regulations mandate the collection of sensitive data for verification.
Ransomware Attack: Supply Chain Vulnerabilities Exposed
The attack, launched on 21 April 2025 during the Easter holidays, was orchestrated by the cybercrime group Scattered Spider using the DragonForce ransomware to lock M&S’s critical IT systems, including VMware ESXi virtual machines. Hackers are believed to have infiltrated the systems as early as February via vulnerabilities in Microsoft Active Directory or weaknesses in third-party IT service providers, striking during the holiday period. The assault halted M&S’s website and app order processing, disrupted contactless payments, affected Ocado food supplies, and impacted stores in Hong Kong. M&S’s share price plummeted, wiping over £600 million from its market value.
M&S has enlisted cybersecurity firms CrowdStrike, Microsoft, and Fenix24 to respond and has reported the incident to the National Cyber Security Centre (NCSC), National Crime Agency (NCA), and Information Commissioner’s Office (ICO). The Metropolitan Police’s cybercrime unit is investigating, with hackers potentially facing up to seven years in prison under the Computer Misuse Act 1990. While M&S has not confirmed a customer data breach, ransomware attacks often involve data theft, and Scattered Spider’s expertise in social engineering tactics—such as MFA bombing and phishing—raises fears of identity theft.
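The MFA bombing tactic named above (repeated push prompts until a tired user taps approve) leaves a recognisable trace in identity-provider logs. The following is an added example, not code from the article, from M&S or from any vendor named in it: it runs simple push-fatigue detection over a constructed sample log. The log format, field names, thresholds and the users and addresses in the sample are all assumptions made for the illustration.

```python
# Added example: flag MFA push-fatigue patterns in authentication logs.
# Log format (assumed): "<ISO timestamp> <user> <event> <source ip>", where
# event is one of push_sent / push_denied / push_approved.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): alice receives four prompts in under
# two minutes, denies three and finally approves; bob is a normal single login.
SAMPLE_LOG = """\
2025-04-19T22:01:03Z alice push_sent 203.0.113.7
2025-04-19T22:01:05Z alice push_denied 203.0.113.7
2025-04-19T22:01:40Z alice push_sent 203.0.113.7
2025-04-19T22:01:44Z alice push_denied 203.0.113.7
2025-04-19T22:02:10Z alice push_sent 203.0.113.7
2025-04-19T22:02:12Z alice push_denied 203.0.113.7
2025-04-19T22:02:50Z alice push_sent 203.0.113.7
2025-04-19T22:03:01Z alice push_approved 203.0.113.7
2025-04-19T22:05:00Z bob push_sent 198.51.100.9
2025-04-19T22:05:03Z bob push_approved 198.51.100.9
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def detect_push_fatigue(events, max_pushes=3, window=timedelta(minutes=5)):
    """Return {user: details} for each user who received more than `max_pushes`
    push prompts inside any `window`-long span (thresholds are assumptions).
    `approved_after_denials` marks the worst case: the user refused earlier
    prompts and then approved one, which is how push fatigue pays off for the
    attacker and should be treated as a probable compromise."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        sends = [ev for ev in evs if ev[2] == "push_sent"]
        # Sliding window over the send timestamps, anchored at each send in turn.
        for i, start in enumerate(sends):
            in_window = [s for s in sends[i:] if s[0] - start[0] <= window]
            if len(in_window) <= max_pushes:
                continue
            last_send = in_window[-1][0]
            denials = sum(
                1 for ev in evs
                if ev[2] == "push_denied" and start[0] <= ev[0] <= last_send + timedelta(minutes=1)
            )
            approved = any(ev[2] == "push_approved" and ev[0] >= last_send for ev in evs)
            findings[user] = {
                "pushes": len(in_window),
                "denials": denials,
                "approved_after_denials": approved and denials > 0,
                "source_ips": sorted({s[3] for s in in_window}),
            }
            break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for user, info in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, info)
```

In practice the window and prompt count come from the identity provider's own baseline; a burst of prompts from one source address, denials, and then an approval is the sequence worth paging on, and number matching or a hardware key removes the pattern altogether.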
Digital Identity Verification: A Double-Edged Sword
The UK government is championing digital identity verification as a cornerstone of the digital economy, aiming to secure online services through methods like passport, driving licence, or biometric authentication. According to the 2020 Digital Identity: Government Consultation Response, the UK’s Digital Identity and Attributes Trust Framework mandates that identity providers use encryption and decentralised storage, aligning with the Data Protection Act 2018 and UK-GDPR to regulate data handling. However, the M&S attack has cast a shadow over the security of digital identity systems.
Digital identity verification involves collecting sensitive data, such as passport numbers or facial recognition data, which could become a prime target if stored in systems like those of M&S or its third-party providers. The Scattered Spider attack revealed how hackers can exploit supply chain weaknesses, such as insecure IT service providers. If digital identity data were compromised, the fallout could surpass the theft of standard account credentials, enabling identity fraud, scams, or even cross-border crimes. Moreover, hackers could exploit post-attack chaos by sending fake authentication requests, tricking customers into submitting passport details.
Despite high-security measures in digital identity systems—such as multi-factor authentication (MFA) and blockchain technology—user vulnerability to phishing and potential lingering vulnerabilities in M&S’s systems could undermine protections. Experts caution that if M&S adopts passport-based authentication to comply with new regulations, it must first address supply chain security to avoid repeating past mistakes.
UK Cybersecurity Laws: Tackling New Challenges
The M&S incident coincides with a major overhaul of UK cybersecurity regulations. The Cyber Security and Resilience Bill, set for parliamentary review in 2025, will expand the scope of the Network and Information Systems Regulations 2018 to cover data centres, managed service providers, and supply chains, mandating swift incident reporting. Aimed at countering supply chain attacks, the bill imposes fines of up to £17 million or 4% of global annual revenue for non-compliance. M&S’s IT service providers, as digital service providers, must meet these new standards to prevent similar incidents.
Concurrently, the Data Protection Act 2018 and UK-GDPR require M&S to investigate potential customer data breaches and report any confirmed leaks to the ICO within 72 hours, or face fines of up to £17.5 million. The Telecommunications (Security) Act 2021 and Privacy and Electronic Communications Regulations (PECR) further oblige M&S’s telecom and IT suppliers to secure systems, ensuring digital identity verification processes remain uncompromised.
The new regulations promote digital identity verification to enhance transaction security, but centralised data storage and supply chain vulnerabilities could heighten risks. M&S must upgrade its systems to support digital identity authentication and audit its third-party providers' security to comply with the Cyber Security and Resilience Bill.
Industry and Consumers: Balancing Security and Convenience
The M&S attack is a wake-up call for the retail sector, underscoring the urgency of cybersecurity and regulatory compliance. The NCSC advises M&S to adopt the Cyber Essentials certification, train staff to counter social engineering, and use decentralised identity technologies to reduce data centralisation risks. For consumers, the NCSC recommends changing any password reused on their M&S account, enabling MFA, and staying vigilant against fake authentication requests, submitting passport data only via official channels.
As the Cyber Security and Resilience Bill and digital identity framework advance, the UK seeks to balance security and convenience in the digital economy. The M&S incident highlights that businesses must invest in supply chain defences, regulators must fast-track identity provider standards, and consumers must bolster cybersecurity awareness. M&S anticipates system recovery by early May, with customers advised to monitor its official website for updates on orders and services.