Marks & Spencer Cyberattack Causes Chaos for Customers
Marks & Spencer customers were left in limbo on Friday after the retailer stopped taking online orders and confirmed that many existing orders would not be fulfilled following a crippling cyberattack. The company took the drastic step of effectively shutting its website and app almost a week after the attack began over the Easter weekend.
According to The Times, cybersecurity experts said the decision suggested that M&S had yet to get a handle on the scale of the assault or how to stop it. Shortly after lunch, M&S posted a message on its social media channels that said: “As part of our proactive management of the incident, we have made the decision to pause taking orders via our UK & Ireland websites and apps and some M&S International operated websites.” The statement added: “The M&S product range is available to browse online, and our stores remain open and ready to welcome and serve customers.”
Shares in the retailer sank 5 per cent after the statement but recovered a little, leaving the value of M&S down 7 per cent since Tuesday. On Wednesday, the company had said that the cyberattack meant contactless payments were not working in stores and that there was disruption to the click-and-collect service. Contactless payments have since been restored, but, as of Friday evening, customers were still unable to use gift cards in stores.
The retailer reassured customers that it does not store customers’ card details and said there was “no need to take any action”. Nonetheless, cybersecurity experts warned customers to be “wary of communications” about their orders because the emails could be fraudulent. Robert Cottrill, the technology director at ANS, the cloud computing specialist, said: “Malicious actors may seek to gain more data through targeted attacks using the information stolen.”
Angry shoppers criticised the chain and bombarded its social media channels with questions. One customer, Claire Powell, asked on X: “Are there any timescales for this to be resolved? Why am I not able to collect items that I know are in the store waiting for me? Surely you would have a business continuity plan for such issues. Not having a service is not a good enough plan.” Another customer, Andrea Clelland, said: “I’ve contacted you via Twitter, Messenger and email to ask what’s happened to orders placed from April 10. I’ve requested they are cancelled but haven’t received any response. It’s fine issuing statements but you need to answer customers’ queries.”
The cyberattack emerged over the Easter weekend, with initial disruptions reported as early as last Saturday. M&S acknowledged the incident on Monday, and on Tuesday, the chief executive apologised to customers, explaining that it had been forced to make “small changes” to store operations “to protect you and our business”. As The Times reports, on Friday M&S confirmed that customers who made orders for delivery or click-and-collect on the website or app before its payments system was shut down will not have their orders fulfilled.
At the time of publication, the retailer was unable to say whether these customers’ cards were debited, and if they were, how quickly they would be refunded. M&S declined to elaborate on the nature of the cyberattack or how long the disruption was likely to last. However, it has reported it to the National Cyber Security Centre (NCSC), the government agency, and the Information Commissioner’s Office. It has also brought in cybersecurity specialists to support its investigation.
The National Crime Agency said it was “working alongside partners in the NCSC to better understand the incident and support the company”. Cybersecurity experts said there had been no claim of responsibility yet on the dark web or criminal forums. Matt Saunders, the chief technology officer at Adaptavist, the technology consultancy, said: “Taking everything down suggests that they don’t yet know the full extent of the intrusion, or how to limit the effects of it.”
He added: “Contemporary cybersecurity incidents are nuanced, targeted and complex. Any obvious attempts to stop them can often trigger data deletion, in part helping the intruders cover their tracks, so they’ll be preserving the scene for law enforcement and a quicker return to full service.” Recent victims of high-profile hacks include two hospitals in Liverpool and a group of London hospitals which were paralysed in separate attacks.
In November, the supermarket supply chain company Blue Yonder was hacked, impacting some grocers, and panic alarms and trackers on Serco prison vans were disabled by a cyberattack on Microlise, a software company. In December, Richard Horne, head of the NCSC, said organisations were becoming complacent about the threat of hacking. He warned of the “clearly widening gap between the exposure and threat we face, and the defences that are in place to protect us”.
The government will soon publish the Cyber Security Resilience Bill, which aims to increase protection standards. It is also proposing to ban public bodies from paying hackers and to require businesses to get approval for ransom payments in order to undermine cybercriminals’ business model. Experts said the M&S incident had all the hallmarks of a ransomware attack, where IT systems are crippled and a ransom is demanded to unlock them and stop sensitive data being published on the dark web.
Nathaniel Jones of Darktrace, the cybersecurity firm, said: “M&S taking systems offline suggests this is likely a ransomware-related event. It demonstrates how quickly cyber incidents can cripple retail operations across both digital and physical channels.”
Turmoil Threatens Chain’s Revival
Analysis by Isabella Fish
Marks & Spencer has spent the past year basking in a well-earned revival. Stylish clothing for both women and men, viral TikTok food hits, and a Kelly Hoppen-designed homeware range have all helped restore its high street reputation and propelled it back into the FTSE 100.
But a week-long cyberattack has put its progress under pressure. The disruption has left customers unable to make contactless payments, collect online orders in store, or rely on timely deliveries. It struck over Easter, a critical moment when shoppers stock up for spring barbecues and refresh their wardrobes.
By Friday, things had got worse: the retailer was forced to take down its website and app, halting online shopping altogether. Shares fell by another 5 per cent. Cybersecurity experts have said that shutting everything down suggests that the company does not yet know the full extent of the intrusion or how to limit its effects.
A company still in the thick of a turnaround can ill afford this kind of disruption. Contactless malfunctions and delayed deliveries are more than a nuisance: they threaten hard-won customer loyalty, particularly among time-poor, digital-first shoppers. At the same time, the attack raises questions about M&S’s digital resilience, just as it is working to modernise its image and operations.
Behind the scenes, operational bottlenecks — from logistics to customer service — will take time to clear. This could cause prolonged disruption to deliveries.
Other British institutions offer cautionary tales. The Post Office struggled to recover from a cyberattack in 2023 that halted international deliveries for weeks, damaging trust and exposing its reliance on third-party systems. Morrisons’ turnaround momentum has slowed after a cyberattack over Christmas.
In contrast, British Airways responded swiftly to a major data breach, limiting longer-term reputational harm, but was still hit with a large fine from regulators.
To its credit, M&S has acted quickly. It alerted both the Information Commissioner’s Office and National Cyber Security Centre and brought in cybersecurity experts to investigate. The company also claims that no customer data is at risk. That should help it to weather the attack, but the margin for error is painfully slim.
Source: The Times – M&S cyber attack: Data https://www.thetimes.com/uk/technology-uk/article/m-and-s-cyber-attack-data-bg0nqvprm