Marks & Spencer (M&S) has suspended all online orders after suffering a major cyber attack that disrupted its website and apps. The retailer confirmed it was facing a “cyber incident” earlier this week, with customers initially reporting problems last weekend. Now, M&S has paused food deliveries, clothing orders, and app transactions, promising refunds for orders placed on Friday.
Shares in M&S dropped by 5% following the announcement before later recovering. As of Saturday morning, online orders remained suspended.
Apology issued to customers
In a message posted on X, M&S apologised for the inconvenience caused by the ongoing disruption. “Our experienced team – supported by leading cyber experts – is working extremely hard to restart online and app shopping,” the retailer said. M&S stores remain open, although issues with contactless payments, Click & Collect services, and gift card usage persist.
Customer frustrations over ongoing issues
Many customers have expressed dissatisfaction with the company’s handling of the situation, particularly regarding communications about gift card usage. Some shoppers reported repeated failed attempts to use gift cards in-store despite being assured the problem was resolved.
M&S responded to customer concerns by explaining that gift cards, e-gift cards, and credit receipts cannot currently be used either in-store or online. However, customers who have already received a collection notification can still pick up their parcels from stores.
Despite the challenges, many praised in-store staff for maintaining good service during the disruption and urged fellow customers not to direct frustrations at employees.
Wider impact of the cyber attack
The full scale of the disruption on M&S operations remains unclear. Experts warn the cyber attack could have a significant financial impact, with online sales representing nearly a quarter of the company’s revenue. Nathaniel Jones from Darktrace highlighted the “cascading impact” such attacks can have on both digital and physical retail operations, while William Wright from Closed Door Security noted it could materially hurt M&S financially.
Meanwhile, Ocado, which sells M&S food online via a separate system, remains unaffected.
Ongoing investigation and expert concerns
M&S has reported the cyber attack to the National Cyber Security Centre (NCSC) and the National Crime Agency, with the Information Commissioner’s Office (ICO) confirming that it is assessing the situation. In an update to investors, M&S described the decision to pause online orders as part of its “proactive management” of the incident.
The retailer joins other major UK brands that have suffered significant IT and cyber disruptions recently, including Morrisons, Barclays, and Lloyds Bank.
