Marks & Spencer (M&S) has halted all online orders as it grapples with the fallout from a significant cyber attack that began earlier this week. The high street retailer announced on Friday, April 25, 2025, that it would stop taking orders through its website and apps as part of its "proactive management" of the incident, which has caused considerable disruption to its operations.
The troubles for M&S started last weekend when customers began reporting issues with contactless payments and click-and-collect orders. By Tuesday, April 22, the company confirmed it was dealing with a "cyber incident," leading to a 5% drop in its shares following the announcement. "We are truly sorry for this inconvenience," M&S stated in a post on X, expressing gratitude to customers for their understanding and support during this challenging time.
Despite the online ordering suspension, M&S reassured customers that its physical stores remain open, and shoppers can continue to browse its product range online. However, the firm has faced criticism regarding its communication with customers, especially concerning the use of gift cards and e-gift cards, which are currently unusable for payments.
"Gift cards, e-gift cards, and credit receipts can't currently be used as a payment method in-store or online," M&S informed customers on social media. While the company is holding all parcels in store until further notice, many customers have expressed frustration over the lack of clarity regarding existing orders and returns.
In light of the ongoing issues, M&S has engaged with external cybersecurity experts to assist in managing the situation. The National Cyber Security Centre (NCSC) is also involved, working alongside the National Crime Agency to support the company. M&S reported the incident to relevant data protection authorities, and an assessment is underway.
Nathaniel Jones, vice president of Security & AI Strategy at the cybersecurity firm Darktrace, commented on the cascading impact of such cyber attacks on revenue streams, highlighting how quickly they can cripple retail operations across both digital and physical channels.
As the incident unfolds, customers have shared their experiences online. One shopper expressed frustration after attempting to collect two cakes for a birthday party, only to find there was no information about their order's status. Another customer lamented that orders placed weeks prior were still showing as in transit to the store, with no option to cancel and obtain a refund.
Security experts have warned that scammers might exploit the situation to launch phishing attacks targeting M&S customers. Vonny Gamot, head of European and Middle Eastern operations at McAfee, cautioned shoppers to be vigilant against fraudulent emails or texts that may request sensitive information.
In recent years, M&S is not alone in facing cyber threats. Other major retailers have also suffered significant disruptions due to similar incidents. For instance, Transport for London had to shut down many online services after a cyber attack last September, while Royal Mail faced severe service disruptions in 2023 due to a cyber incident affecting international mail.
As M&S continues to manage the fallout from this cyber attack, it remains committed to restoring its online operations as quickly as possible. The company has assured customers that they do not need to take any action regarding their personal details, indicating that no customer data has been accessed.
Looking ahead, M&S will be providing further updates as the situation evolves, maintaining communication with its customers and stakeholders. The incident serves as a stark reminder of the vulnerabilities faced by businesses in the digital age and the need for robust cybersecurity measures to protect both companies and consumers.
