Marks & Spencer Confirms a Cyberattack Hits Payments & Online Orders

British retail giant Marks & Spencer (M&S) has confirmed it is dealing with a significant cyber incident that has disrupted contactless payment systems and its Click and Collect service, leaving customers frustrated during the Easter holiday period. 

The attack, which has been ongoing for several days, has forced the company to implement emergency security protocols to contain potential damage.

The cyber incident, disclosed via the London Stock Exchange’s Regulatory News Service (RNS) on April 22, has forced M&S to execute incident response procedures across its 1,049 UK stores. 

Cyber Attack Disrupts M&S Digital Services

Security analysts suspect the attack might involve ransomware, given the pattern of service disruptions and the company’s cautious approach to system isolation.

The retailer has implemented network segmentation to contain the threat vector, temporarily disabling certain customer-facing digital services while maintaining core operations. 

Chief Executive Stuart Machin notified customers via email that these measures were implemented “to safeguard you and our business,” while emphasizing that physical stores remain operational.

The technical difficulties have significantly impacted customer experience across multiple touchpoints:

• Contactless payment processing systems were taken offline during the Easter weekend.
• Click and Collect order fulfillment experienced delays, with customers advised to await confirmation emails before visiting stores.
• Digital vouchers and gift cards became temporarily inaccessible.
• Returns processing was suspended at some locations.

“I had to leave my shopping behind,” reported one customer on the social media platform X, citing poor communication about payment system failures until reaching checkout. 

Other customers reported being held outside stores for extended periods before managers arrived to explain the situation.

M&S has activated its cyber incident response plan, engaging external cybersecurity experts to investigate and mitigate the attack. 

The company has also fulfilled regulatory obligations by reporting the incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC).

“The Company has engaged external cyber security experts to assist with investigating and managing the incident. We are taking actions to further protect our network and ensure we can continue to maintain customer service,” M&S stated in its official release.

While the precise nature of the attack remains undisclosed, no threat actors have publicly claimed responsibility. 

Security professionals note that this silence is typical during initial incident response phases, particularly when attackers are attempting to leverage stolen data for extortion.

M&S has indicated that it doesn’t believe customer data has been compromised, telling shoppers that no immediate action, such as password changes, is required. 

However, the notification to data protection authorities suggests the company is following precautionary measures required under current regulations.

Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!-> Get Your Free Copy