Cyberattack
Marks & Spencer suffers a cyberattack disrupting Click & Collect and contactless...
British retail giant Marks \& Spencer (M\&S) has confirmed it is managing a cyberattack that has disrupted several key customer services, including its Click and Collect system and contactless payment capabilities. The incident, disclosed on April 22, 2025, has forced the company to implement temporary operational changes while it works with external cybersecurity experts to investigate and resolve the situation.
## Cyber Incident and Its Immediate Impact
M\&S revealed that it has been managing a cyber incident for several days, prompting the company to make what it described as "minor, temporary changes" to its store operations[^1][^2]. The cyber incident has primarily affected the retailer's Click and Collect system, causing delays for customers awaiting online orders[^1]. Customers have been advised to wait for confirmation emails before visiting stores for pickups[^9].
Beyond Click and Collect disruptions, the attack has also impacted:
- Contactless payment systems in multiple stores[^2][^3][^10]
- Gift card and voucher functionality, with some customers reporting inability to use these payment methods[^2][^10]
- In-store refund processing capabilities[^2]
Despite these disruptions, M\&S has emphasized that all physical stores remain open and that its website and mobile app continue to operate normally[^1][^5][^6]. The company has not disclosed specific details regarding the nature of the cyberattack or whether customer data has been compromised[^1][^3].
### Timeline of Events
The cyber incident appears to have begun during the Easter Bank Holiday weekend, with customer complaints appearing on social media platforms as early as Saturday, April 19, 2025[^3][^11]. The timing is particularly significant as Easter represents the second busiest trading period for retailers after Christmas[^10], potentially maximizing the impact on both M\&S operations and customer experience.
M\&S officially confirmed the incident on Tuesday, April 22, 2025, through a statement to the London Stock Exchange and direct communications to customers[^5][^7]. As of April 23, 2025, the company was still working to resolve the issues[^1][^6].
## M\&S Response and Crisis Management
Upon discovering the cyber incident, M\&S implemented a multi-faceted response strategy focusing on containment, investigation, and customer communication.
### Technical and Operational Response
M\&S has engaged external cybersecurity experts to assist with investigating and managing the incident[^1][^6][^9]. The company stated it is "taking actions to further protect our network and ensure we can continue to maintain customer service"[^7][^9]. These actions include reinforcing network security while working to restore affected services[^1].
As required by regulations, M\&S has reported the incident to:
- The National Cyber Security Centre (NCSC)[^2][^5][^7]
- Relevant data protection supervisory authorities, including the Information Commissioner's Office (ICO)[^2][^5][^7]
### Customer Communication
M\&S Chief Executive Stuart Machin issued a statement apologizing for the inconvenience caused to customers[^2][^10]. The company has emphasized that "customer trust is incredibly important" and promised to provide updates if the situation changes[^5][^7].
William Dixon, a Senior Associate Fellow for Cyber and International Security at the Royal United Services Institute (RUSI), praised M\&S's customer communications about the incident as "textbook," highlighting the empathy, transparency, and reassurance provided in their messaging[^2].
## Potential Nature and Motivations Behind the Attack
While M\&S has not confirmed the specific type of cyberattack, cybersecurity experts have offered several insights based on the pattern of disruption.
### Ransomware Speculation
The disruption to payments and online services suggests a possible ransomware attack[^3][^9]. If ransomware is indeed behind this attack, data may have been stolen to be used as leverage to convince the company to pay a ransom[^9]. As of April 23, 2025, no ransomware group or threat actor had claimed responsibility for the attack[^1][^9].
Cybersecurity analysts suggest that if ransomware is involved, attackers may attempt to pressure M\&S privately before making any public statements or demands[^1]. This aligns with typical ransomware tactics where stolen data is often used as leverage to extract payments from victims[^1].
### Strategic Timing
The timing of the attack during the Easter Bank Holiday weekend appears strategic. Ian McShane, a security expert at cybersecurity firm Arctic Wolf, noted that the challenges faced by M\&S demonstrate that "cyber attackers never take a day off"[^10]. He explained that "criminals are always seeking to create the most disruption with the least effort," and targeting a major retailer during a busy holiday shopping period maximizes impact[^10][^11].
## Broader Context and Industry Implications
The M\&S cyber incident is not occurring in isolation but rather as part of a concerning trend affecting major organizations in the UK and globally.
### Retail Sector Vulnerability
The retail sector remains a prime target for cybercriminals for several reasons:
- High public brand awareness that criminals can leverage for notoriety[^11]
- Seasonal nature of the business, allowing attackers to time their strikes during critical sales periods to maximize pressure[^11]
- Increasing adoption of omnichannel approaches and new technologies that expand the attack surface[^11][^3]
According to reports, the consumer cyclicals and non-cyclicals sectors, which encompass retailers, were among the top five most targeted verticals by ransomware gangs in early 2024[^11].
### Recent Precedents
This incident adds to a growing list of similar cyberattacks affecting major UK organizations:
- Transport for London was forced to shut down numerous online services following a cyberattack in September 2024[^3]
- WH Smith was targeted in 2023, resulting in illegal access to company data, including personal details of current and former staff[^3]
- Morrisons encountered significant issues with Christmas orders in late 2024[^10]
A 2022 government report revealed that 39% of UK businesses reported cybersecurity breaches or attacks in a 12-month period, highlighting the widespread nature of the threat[^3][^8].
## Expert Analysis and Recommendations
Cybersecurity experts have provided several insights regarding the M\&S incident and its implications for organizational security practices.
James Hadley, Founder and CIO at cybersecurity training firm Immersive, noted: "While M\&S communicated the issue clearly and has likely invoked tried and tested incident response processes, attacks like these serve as important reminders that businesses' perception of their cyber resilience may not align with their actual capabilities"[^2].
Jamie Moles, Senior Technical Manager at ExtraHop, emphasized the importance of early detection: "Incidents like this demonstrate how essential it is to have real-time visibility, threat detection and rapid response capabilities across all digital infrastructure. Network visibility can play a pivotal role, helping organizations detect anomalies early, isolate potential threats and maintain service continuity"[^2].
Daniel Card from Chartered for ITBCS remarked that the M\&S incident serves as a "reminder the gap often exists between our perception of cyber resilience and the reality"[^10]. He noted that even well-equipped organizations are not immune to attacks.
## Business Impact and Future Outlook
The cyberattack comes at a critical time for M\&S, with its financial year having ended on March 29, 2025, and full-year results scheduled to be announced on May 21, 2025[^6][^15]. Stakeholders will be watching closely to see if the incident has any material impact on performance or customer confidence[^6].
The company's proactive engagement with authorities and cybersecurity experts signals a robust approach to crisis management, aiming to restore full confidence among its customers and investors[^6]. This incident will likely serve as an important test of M\&S's cyber resilience and crisis management capabilities.
