Cyberattack cripples contactless payments and click-and-collect at Marks & Spencer

This is not just any cyberattack

Disruption to retail stalwart’s payments and online services suggests a possible ransomware attack

Marks & Spencer (M&S), the iconic British retailer, is recovering from a cyber incident that disrupted major customer-facing systems over the Easter Bank Holiday weekend, leaving thousands of shoppers unable to make contactless payments or use online click-and-collect services.

The company confirmed the incident in a statement released on 22nd April, noting that the attack had "necessitated some minor, temporary changes" to in-store operations to safeguard customers and business integrity.

Although the specific nature of the breach has yet to be disclosed, the disruption to payments and online services suggests a possible ransomware attack.

"As soon as we became aware of the incident, it was necessary to make some minor, temporary changes to our store operations to protect customers and the business and we are sorry for any inconvenience experienced," the company said.

Despite the service interruptions, the company said that its physical stores remain open, and both its website and mobile app are currently operating normally.

Nevertheless, many customers took to social media to express frustration, particularly as the outage came during one of the busiest shopping periods of the year.

According to The Guardian, a second, separate technical failure specifically affecting contactless payments also occurred over the weekend, adding to the confusion and inconvenience for shoppers.

In response, M&S has brought in third-party cyber forensics specialists to assist in the investigation and is working with UK government agencies, including the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC).

The retailer has not yet confirmed whether any personal customer data was compromised.

"Customer trust is incredibly important to us, and if the situation changes, an update will be provided as appropriate," the company added.

Marks & Spencer says it will keep the public informed as the situation develops and will continue to implement protective measures to shore up its digital infrastructure.

For now, customers are advised to check the M&S website for updates on service availability and to consider using alternative payment methods when shopping in-store.

M&S is not alone in facing such threats, and when household names are targeted, it affects public perceptions of risk.

Jake Moore, Global Cybersecurity Advisor at ESET, commented:

“This highlights the significant impact cyberattacks can have in the public domain. Many ransomware attacks are dealt with behind the scenes, which can make people think the problems are eroding, but when customers are directly affected, the knock-on effects are far more widely noted.”

The retail sector remains a prime target for cybercriminals, who often aim to exploit high-visibility brands during critical sales periods. By launching attacks during times of peak consumer demand, such as holidays, threat actors seek to maximize operational disruption and pressure companies into paying ransoms quickly.

Experts also point to the increasing use of technology in retail, such as omnichannel shopping, integrated payment systems, and AI-powered recommendation engines, as a double-edged sword.

While these innovations arguably enhance the customer experience, they also broaden the attack surface for malicious actors.

The cyber incident at M&S adds to a growing list of similar incidents affecting major UK organisations.

In September, Transport for London was forced to shut down numerous online services following a cyberattack.

In 2023, retailer WH Smith was targeted, resulting in illegal access to company data, including personal details of current and former staff. This occurred less than twelve months after WH Smith's online card subsidiary, Funky Pigeon, had to suspend orders for about a week following a separate cyberattack.

The increasing frequency of such events aligns with findings from a 2022 government report, which revealed that two out of every five UK businesses had reported encountering cybersecurity breaches or attacks in the preceding 12 months.