British retail giant Marks & Spencer (M&S) is currently managing a significant cyber incident that has disrupted its contactless payment systems and Click and Collect service, causing inconvenience to customers during the Easter holiday period. The company has implemented emergency security protocols to mitigate potential damage.
The cyber incident was disclosed through the London Stock Exchange’s Regulatory News Service (RNS) on April 22, 2025. M&S has activated its incident response procedures across its 1,049 UK stores to address the situation.
Impact on Digital Services
Security analysts suggest that the attack may involve ransomware, given the pattern of service disruptions and the company’s cautious approach to system isolation. M&S has implemented network segmentation to contain the threat, temporarily disabling certain customer-facing digital services while maintaining core operations.
Chief Executive Stuart Machin informed customers via email that these measures were taken to safeguard you and our business, emphasizing that physical stores remain operational.
The technical difficulties have significantly impacted customer experience across multiple touchpoints:
– Contactless payment processing systems were taken offline during the Easter weekend.
– Click and Collect order fulfillment experienced delays, with customers advised to await confirmation emails before visiting stores.
– Digital vouchers and gift cards became temporarily inaccessible.
– Returns processing was suspended at some locations.
Customers have expressed frustration over the disruptions. One customer reported having to leave their shopping behind due to poor communication about payment system failures until reaching checkout. Others reported being held outside stores for extended periods before managers arrived to explain the situation.
Incident Response and Investigation
M&S has activated its cyber incident response plan, engaging external cybersecurity experts to investigate and mitigate the attack. The company has also fulfilled regulatory obligations by reporting the incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC).
In its official release, M&S stated, The Company has engaged external cyber security experts to assist with investigating and managing the incident. We are taking actions to further protect our network and ensure we can continue to maintain customer service.
While the precise nature of the attack remains undisclosed, no threat actors have publicly claimed responsibility. Security professionals note that this silence is typical during initial incident response phases, particularly when attackers are attempting to leverage stolen data for extortion.
M&S has indicated that it doesn’t believe customer data has been compromised, telling shoppers that no immediate action, such as password changes, is required. However, the notification to data protection authorities suggests the company is following precautionary measures required under current regulations.
Historical Context
This is not the first time M&S has faced cybersecurity challenges. In October 2015, a technical glitch on the company’s website allowed customers to see each other’s personal details, including names, dates of birth, contact information, and previous orders. The retailer suspended its site for two hours to fix the problem and stated that the issue was due to an internal error, not an external hack. Additionally, in April 2011, M&S customers were affected by a data breach at marketing firm Epsilon, which resulted in the theft of email addresses. The company warned customers to expect an increase in spam emails but assured them that no other personal information was accessed.
Industry Implications
The recent cyberattack on M&S underscores the growing threat of cyber incidents in the retail sector. Retailers are increasingly becoming targets for cybercriminals due to the vast amounts of customer data they handle and the critical nature of their digital services. This incident highlights the importance of robust cybersecurity measures and incident response plans to protect both customer information and business operations.
Customer Guidance
While M&S has stated that no immediate action is required from customers, it is advisable for individuals to remain vigilant. Customers should monitor their accounts for any unusual activity and be cautious of potential phishing emails that may attempt to exploit the situation. Maintaining strong, unique passwords for online accounts and enabling two-factor authentication where possible can also enhance personal security.
Conclusion
Marks & Spencer’s proactive response to the cyberattack demonstrates the company’s commitment to safeguarding its customers and business operations. By engaging external cybersecurity experts and reporting the incident to relevant authorities, M&S is taking necessary steps to address the situation. This incident serves as a reminder of the persistent cyber threats facing the retail industry and the need for continuous vigilance and investment in cybersecurity measures.
