11 August 2025

Marks & Spencer Restores Click And Collect After Cyberattack

The retailer brings back key online services four months after a major hack caused profit losses, store disruptions, and prompted a sweeping UK cybercrime investigation.

Marks & Spencer (M&S) has restored its click and collect service for clothing, home, and beauty products as of August 11, 2025, ending a nearly four-month suspension following a major cyberattack that disrupted the iconic British retailer’s operations and dented its profits.

Driving the news:

- M&S halted all online orders for home delivery and in-store collection on April 25, 2025, three days after disclosing it was managing a significant “cyber incident.”
- Online orders for home delivery gradually resumed from June 10, 2025.
- The company’s website confirmed on August 11, 2025, that click and collect is once again available for fashion, home, and beauty online orders.
- Customers can now return their online orders to any M&S store, restoring a key service for shoppers.

Why it matters:

- The cyberattack, which M&S has acknowledged was a ransomware incident, caused severe disruption to both its online and in-store operations.
- The attack led to bare shelves in some stores and a suspension of contactless payments and click and collect systems.
- M&S forecast in May 2025 that the incident would reduce operating profit for the current financial year by approximately £300 million ($404 million), though the company hopes to halve the impact through insurance and cost control.
- The disruption benefited rivals such as Next in clothing and Sainsbury’s in food, as M&S customers sought alternatives during the outage.

State of play:

- The attack is believed to have been carried out by the DragonForce ransomware-as-a-service operation, likely affiliated with the cybercriminal collective Scattered Spider, according to the National Crime Agency (NCA) and M&S Chairman Archie Norman.
- Between January and March 2025, DragonForce reportedly posted 58 victims on its leak site, including other major UK retailers like Co-op and Harrods.
- In July 2025, UK police arrested four individuals as part of a sweeping investigation into the cyberattacks on M&S, Co-op, and Harrods. All four were later bailed pending further inquiries.
- The NCA has described the investigation as one of its highest priorities, with specialist cybercrime investigators working at pace alongside UK and overseas partners.

By the numbers:

- M&S’s shares rose by 1-2% in early trading on August 11, 2025, paring year-to-date losses to 10-11%.
- The company estimates the cyberattack will reduce profits by around £300 million ($404 million) for the 2025/26 financial year.
- M&S is seeking to offset some of the loss through insurance and tighter cost controls.

Zoom in:

- The cyberattack not only disrupted online sales but also forced M&S to take other systems offline, reducing the availability of clothing and food in stores.
- M&S’s management team described the period immediately following the attack as “traumatic.” Chairman Archie Norman told a business and trade select committee in July 2025, “For a week probably, the cyber team had no sleep, or three hours a night. We’re still in the rebuild mode and will be for some time to come.”
- CEO Stuart Machin told investors in early July 2025 that the retailer would be “over the worst of the aftermath of the incident by August.”
- John Lyttle, M&S’s managing director for fashion, home, and beauty, confirmed via an Instagram post on August 11, 2025, that the retailer’s full online delivery offers were restored, including returns to any M&S store.

What they’re saying:

- Archie Norman, M&S chairman, described the incident as “traumatic” and highlighted the intense pressure on the cyber team during the crisis.
- Kate Calvert, Investec analyst, said the reinstatement of click and collect “is the key ‘back to normal’ signal from a consumer perspective,” and does not expect the hack to impact M&S’s long-term valuation or growth prospects.
- Paul Foster, head of the NCA’s National Cyber Crime Unit, stated, “Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the agency’s highest priorities. Today’s arrests are a significant step in that investigation but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice.”

How it works:

- The hack is believed to have been executed via social engineering, with attackers impersonating workers and IT help desks to gain access.
- Following the attack, the National Cyber Security Centre (NCSC) issued new guidance in May 2025, advising organizations to review password reset policies, strengthen IT help desk authentication, and enforce multi-factor authentication (MFA), especially for senior employees with escalated system privileges.

Between the lines:

- Some customer data was stolen during the attack. M&S has advised customers to remain vigilant about suspicious emails, calls, or texts claiming to be from the company.
- The company has not disclosed the full extent of the data theft or the identity of the attackers, but acknowledged the ransomware nature of the incident and the suspected involvement of DragonForce and Scattered Spider.
- The hack’s aftermath prompted broader scrutiny of cybersecurity practices across the UK retail sector, with the NCSC’s guidance aiming to prevent similar incidents in the future.

What to watch:

- The ongoing NCA investigation and any subsequent charges or convictions related to the four individuals arrested in July 2025.
- The long-term impact of the cyberattack on M&S’s competitive position, customer trust, and financial performance.
- The effectiveness of new cybersecurity measures adopted by M&S and other major retailers in response to the incident.
- Potential further revelations about the tactics and affiliations of DragonForce and Scattered Spider in attacks on UK businesses.

The bottom line:

M&S’s resumption of click and collect services marks a significant milestone in its recovery from one of the most disruptive cyberattacks in UK retail history, but the company and the industry at large remain alert to evolving digital threats and the need for robust security measures.