It is more than three weeks on from M&S’s first public admission of what it coyly described as a “cyber incident” that made it necessary “to make some minor, temporary changes” to store operations.
This is believed to be a group of several hundred English speaking young men, possibly as many as a 1000, based in the UK and America. They are best known for a successful break in to the networks casino operators Caesars Entertainment and MGM Resorts International in September 2023 . Caesars eventually paid a ransom of around $15 million to get card payment systems, hotel room keys, slot machines and ATMs back up and running.
It has been reported that the UK ring leader is a 23 year old from Dundee called Tyler Buchanan while another hacker, Noah Urban, better known as “king Bob ran the operation on the other side of the Atlantic.
Buchanan, who goes under the username Tylerb on the encrypted messaging app Telegram, was pictured handcuffed in Spain last summer after being accused of masterminding Scattered Spider operations. He was extradited to California in April 2025.
M&S have said little publicly beyond their two brief updates to shareholders and occasional statements – ringing increasingly hollow – to say “M&S has robust business continuity plans and processes in place for managing incidents.”
But a picture has emerged of the manic internal activity – described by one unnamed insider as “just pure chaos” – since senior management first became aware of the hack on Easter Saturday.
A crisis team Immediately swung into action with meetings at midnight, 3am and 6am on Easter Sunday to coordinate the response. Since then IT teams have been working round the clock , with some sleeping in the office, in the struggle to contain the contagion and at least keep the stores open and able to accept payments. They are still hard at it.
It is not that Britain’s best known retailer was caught totally unprepared. It is understood that Marks senior management war gamed a cyber attack only last year.
But it is clear from the disruption and reputation damage that has been inflected on Marks – and the attempted hacks on fellow retailers, the Co-op and Harrods, that businesses up and down the country are going to have to bolster their defences and take cyber disaster management far more seriously – at the highest level.
