Marks & Spencer apologises after cyber incident causes delays
22 April 2025, 16:14
Customers have been told they could face delays to their Click and Collect orders as a result.
Marks & Spencer has apologised after its stores were impacted by a “cyber incident” in recent days.
Customers have been told they could face delays to their Click and Collect orders as a result of the attack.
The high street chain said it had to make “minor, temporary changes” to its store operations to protect customers and the business.
It comes after reports on social media that they were unable to pay using contactless methods or collect online orders over the weekend.
It is understood that contactless payments are working again in stores but that Click and Collect orders and returns are still facing disruption.
In an email to customers, M&S chief executive Stuart Machin said: “I’m writing to let you know that over the last few days M&S has been managing a cyber incident.
“To protect you and the business, it was necessary to temporarily make some small changes to our store operations, and I am sincerely sorry if you experienced any inconvenience.
“Importantly, our stores remain open, and our website and App are operating as normal.
“There is no need for you take any action at this time and if the situation changes, we will let you know.
“There may be some limited delays to your Click & Collect order, which we are working hard to resolve.”
M&S said it is currently working with cyber security experts to investigate and manage the incident.
The company is taking actions to protect its network and has also reported the incident to data protection supervisory authorities and the National Cyber Security Centre.
Jake Moore, global cybersecurity adviser at internet security firm Eset, said: “This highlights the significant impact cyber attacks can have in the public domain.
“Many ransomware attacks are dealt with behind the scenes which can make people think the problems are eroding but when customers are directly affected, the knock-on effects are far more widely noted.
“Luckily, it seems no customer data has been taken in the attack but this situation widens the reality that card-only payments may not yet be the answer in a time when cyber attacks are just as prevalent as they’ve ever been.”
