In early 2025, Marks & Spencer was hit by a coordinated cyberattack that had far-reaching ramifications. This wasn’t just one type of hacking — it was a mix of clever tricks and technical sabotage, pulled off by a well-known cybercrime group called Scattered Spider. Here’s how they did it:
1 The Trick: Pretending to Be Someone Else
The attackers didn’t sneak in through some high-tech back door — they simply tricked the people on the inside. This is known as social engineering, and it relies on human error, not computer flaws. In this case, the hackers posed as real M&S employees, contacting the company’s IT helpdesk by phone and online chat.
But they didn’t just sound convincing — they genuinely were. Using a method called SIM card swapping, they hijacked staff members’ mobile phone numbers. That gave them control of any calls or text messages sent to those numbers — including two-factor authentication codes, which are normally a strong line of defence. With those codes in hand, the attackers were able to reset passwords, gain entry to internal systems, and move deeper into the company’s digital infrastructure — all while looking like legitimate employees on paper.
But make no mistake, SIM card swapping is not some deeply technical activity reserved for coordinated attacks on high-value targets — it applies equally to opportunistic hackers who may well target the likes of you and me, to gain access to our ‘secure’ accounts.
It is in fact as simple as convincing a telephone provider that the owner has changed phones, and that the SIM (these days usually an eSIM) should be transferred to the new device.
SIM-swap fraud rose by 1,000% in 2023-24, as criminals sought to exploit the two-factor authentication that was being pushed by so many security advisories.
The National Fraud Database said it had seen a 1,055% increase in the number of reports of SIM-swap fraud, rising to almost 3,000 cases in 2024 from just 289 in 2023.
2 The Breach: Getting Past the Locks
Once the hackers had control of employee phone numbers, they used that access to reset passwords through what appeared to be legitimate technical support calls, and then log in to the corporate systems — just like a staff member would. Because they had those all-important two-factor authentication (2FA) codes, the access-control systems treated them as legitimate users.
Once inside with valid credentials, it becomes much easier for a hacker to find ways to exploit other vulnerabilities that may grant them even further access. They quickly escalated access, moving deeper into the company’s internal network. Hackers often take small steps, increasing their foothold little by little, until they have substantial control of the system.
3 The Sabotage: Shutting Things Down
Once inside, and with increased control, the attackers launched a ransomware attack using a malicious program called DragonForce. Ransomware locks up data and systems by encrypting them with a key that only the attacker holds, until a ransom is paid. It’s like a digital hostage situation – imagine someone changing the passwords of the support team without telling them what they are, then locking everything with those passwords.
They also stole a key file that contains encrypted passwords for staff across the business. This gave them potential long-term access even if M&S changed some login details.
4 The Fallout: Services Disrupted and Data Taken
- Customers couldn’t place orders — the website and app were down.
- In-store tech failed — including payment systems and stock management.
- Customer data was stolen, including names, addresses, and order history. Fortunately, payment details were not taken.
- The company is now facing an estimated £300 million loss and a long road to recovery.
Why You Should Care
Business owners and leaders often fall into the same false sense of security: there have been no signs of an attack, so they assume everything is well. But how wrong they are, because these days attacks often begin a long time before there is any visible evidence of them.
This particular attack may seem to be solidly in the domain of big business, but really it is not. Exactly the same principles can be applied to individuals and their user accounts. In fact, arguably it is easier to apply to individuals, because we are generally far freer and easier with our information.
How difficult do you think it would be for someone to find out your name, phone number, date of birth, pet’s name, etc.? Really, it is not rocket science: we are all susceptible to this kind of attack, not least because we are not the only people who know our own details – they are often known by a wide network of friends, family and associates – and by other online services, of course.
What You Can Do
All is not lost, but we need to start thinking differently about our security. MFA (Multi-Factor Authentication) has long been touted as one of the most secure ways to protect your accounts — and that remains true. But MFA is not just receiving a code on your mobile phone.
Not All MFA Is Equal
Many people believe that SMS-based MFA is ironclad, but as this attack shows, it can be undermined by something as simple as a SIM swap. The weakest forms of MFA are those tied to your mobile number.
Enter: Passkeys
One of the most secure and user-friendly options now available is the passkey. A passkey securely stores a long ‘password’ inside a protected chip on your device. When you log in, you authenticate with your device (such as a fingerprint or face scan), and the device completes the login using the hidden credentials. Because the credential never leaves the device and the login is tied to the device rather than to a phone number, it is incredibly hard to intercept — and not at all vulnerable to SIM-swapping.
Who Supports Passkeys?
Big tech is already on board. Services like:
- Microsoft
- Facebook (Meta)
- Apple/iCloud
- GitHub
- WhatsApp
…all support passkeys for login, and many more are following suit every day.
If you are technically minded and want a fuller description of how Passkeys work, I have written another article here.