The Marks & Spencer breach explained: how attackers used a third-party IT help desk to take down a £300M retailer
A detailed walkthrough of the April 2025 Marks & Spencer cyberattack — how social engineering against TCS help desk staff bypassed M&S's defences, and what tamper-evident session logging would have changed.
On 22 April 2025, Marks & Spencer's online order systems went dark. By the time forensic teams traced the entry point, attackers had already been inside for several days. The route in was not a zero-day. It was a phone call to a help desk run by a third-party IT contractor — and a successful impersonation of a legitimate M&S employee asking for a password reset.
This article walks through the publicly known timeline, the failure mode, and the kind of forensic record that would have changed the investigation. It draws on Reuters reporting, M&S statements, and testimony from the UK Parliament's Business and Trade Committee.
§ What we know about the timeline
Marks & Spencer disclosed a cyber incident on 22 April 2025. Reuters and the Financial Times subsequently reported that attackers had social-engineered help desk staff at Tata Consultancy Services, M&S's outsourced IT service desk provider, into performing password resets for accounts that were not theirs. The threat actor has been publicly linked to the Scattered Spider cluster, which has used identical tradecraft against other large retailers.
§ The structural failure
Outsourced help desk agents typically have privileged access to client identity systems but operate from machines and call-recording infrastructure run by the contractor. When a password reset is performed, the customer organisation has no independent record of who authorised it, what voice was on the call, or whether the agent followed identity-verification policy.
§ What a tamper-evident session record would have changed
If every help desk session — including the call audio, the agent's screen, and the identity-verification steps — were captured into a hash-chained log readable by both the contractor and M&S, two things change. First, post-incident detection drops from days to hours, because each unauthorised reset can be replayed and audited. Second, the incentive structure on the agent side changes: a session that is permanently recorded and externally verifiable is materially harder to compromise through bribery or coercion.
The same primitive applies to every IT service-desk relationship, every outsourced support function, and every internal help desk that performs sensitive operations under time pressure.
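As an added illustration (not the article's or Alcyone's code), here is a minimal hash-chained help desk session log in Python: each entry commits to the previous entry's hash, `verify_chain` recomputes every link and compares the head against a copy the customer kept out of band, and `unverified_resets` is the audit pass that would flag a password reset performed without a completed identity check. The event names, agent id and account are constructed sample values; a real recorder would carry hashes of the call audio and screen capture as event payloads.

```python
import hashlib, json

GENESIS = "0" * 64  # prev-hash of the first entry

def digest(body: dict) -> str:
    """SHA-256 over a deterministic serialisation, so both parties hash identical bytes."""
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def append_entry(chain: list, event: dict) -> None:
    """Append one session event, linked to the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev, "event": event}
    chain.append({**body, "hash": digest(body)})

def verify_chain(chain: list, expected_head=None):
    """Recompute every hash and link; return (ok, index of first bad entry). expected_head is
    the head hash the customer stored out of band; without it a chain rewritten from scratch passes."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev"] != prev or digest(body) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain) - 1
    return True, None

def unverified_resets(chain: list) -> list:
    """Audit: seq numbers of password resets with no passed ID check in that call."""
    verified, flagged = False, []
    for entry in chain:
        ev = entry["event"]
        if ev["type"] == "call_start":
            verified = False
        elif ev["type"] == "id_verification":
            verified = ev.get("result") == "passed"
        elif ev["type"] == "password_reset" and not verified:
            flagged.append(entry["seq"])
    return flagged

def build_sample_session(verification_result: str = "skipped") -> list:
    """Constructed sample: one help desk call that ends in a password reset."""
    chain = []
    for ev in [{"type": "call_start", "agent": "agent-0421", "claimed_identity": "j.doe"},
               {"type": "id_verification", "method": "manager_callback", "result": verification_result},
               {"type": "password_reset", "account": "j.doe"}, {"type": "call_end"}]:
        append_entry(chain, ev)
    return chain
```

Editing a recorded verification step in place breaks the chain at that entry; rebuilding the whole chain with a "passed" result is internally consistent but no longer matches the head hash the customer holds, which is why the log must be readable by both parties.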