M&S restores click-and-collect services after cyberattack in April
Attack expected to dent annual profits by up to £300m
Marks & Spencer has reinstated its click-and-collect service, months after a severe cyberattack forced the retailer to suspend several key systems.
The company halted online clothing and home orders placed through its website and mobile app on 25 April. At the same time, contactless payments and in-store click-and-collect were also disrupted.
Online home delivery orders began to return gradually in early June, but click-and-collect remained offline until now.
The cyber incident has had a significant financial impact on M&S and is expected to dent annual profits by up to £300 million, though the retailer hopes to offset some losses through insurance.
DragonForce ransomware-as-a-service
The breach has been linked to the DragonForce ransomware-as-a-service operation, believed to be affiliated with the Scattered Spider group. Active since 2023, DragonForce is thought to be behind attacks on other UK retailers including the Co-op and Harrods. Between January and March this year, the group listed 58 victims on its leak site.
In July, the National Crime Agency (NCA) arrested four people in connection with attacks on M&S, the Co-op, and Harrods. “Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the agency's highest priorities,” said Paul Foster, head of the NCA’s National Cyber Crime Unit.
The attack is thought to have involved social engineering tactics, with perpetrators posing as employees or IT help desk staff. In May, the National Cyber Security Centre (NCSC) issued new guidance urging organisations to strengthen authentication and password reset procedures, particularly for privileged accounts such as Domain Admin, Enterprise Admin and Cloud Admin.
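The mitigation described above comes down to a checkable rule: a password reset on a privileged account should be traceable to a help-desk request whose caller was verified by something stronger than the details an impersonator can research. The following is an added example, not code from the article, M&S or the NCSC. It audits constructed Windows-style event 4724 (password reset attempt) log lines against a constructed group-membership snapshot and constructed help-desk ticket records, and flags resets on members of Domain Admins, Enterprise Admins or a Cloud Admin group that either have no ticket within the preceding hour or were verified only by weak means. The log format, account names, the ticket schema and the set of "strong" verification methods are all assumptions for the demo.

```python
"""Flag privileged-account password resets that lack strong caller verification.

Added example; not taken from the article or from any NCSC publication.
All log lines, accounts, groups and ticket records below are constructed.
"""
from datetime import datetime, timedelta

# Groups whose members get the stricter reset policy (assumed policy).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Cloud Admin"}
# Verification methods an analyst would accept for a privileged reset (assumed policy).
STRONG_VERIFICATION = {"callback_registered_number", "in_person", "mfa_push_confirmed"}
# A reset must be preceded by a ticket opened within this window.
TICKET_WINDOW = timedelta(minutes=60)

# Constructed sample: simplified key=value rendering of Windows Security
# event 4724 ("An attempt was made to reset an account's password").
SAMPLE_EVENTS = [
    "time=2025-04-17T09:12:05 event=4724 target=svc_backup subject=helpdesk01",
    "time=2025-04-17T09:40:51 event=4724 target=da_jsmith subject=helpdesk02",
    "time=2025-04-17T10:02:13 event=4724 target=cloudadm_ops subject=helpdesk01",
    "time=2025-04-17T11:15:00 event=4724 target=jdoe subject=helpdesk03",
]

# Constructed directory snapshot: account -> group memberships.
GROUP_MEMBERSHIP = {
    "svc_backup": {"Domain Admins"},
    "da_jsmith": {"Domain Admins", "Domain Users"},
    "cloudadm_ops": {"Cloud Admin"},
    "jdoe": {"Domain Users"},
}

# Constructed help-desk records: who the reset was for, when the ticket was
# opened, and how the caller was verified. Note there is no ticket for cloudadm_ops.
TICKETS = [
    {"target": "svc_backup", "opened": "2025-04-17T08:55:00", "verification": "mfa_push_confirmed"},
    {"target": "da_jsmith", "opened": "2025-04-17T09:30:00", "verification": "caller_knew_employee_id"},
    {"target": "jdoe", "opened": "2025-04-17T11:00:00", "verification": "caller_knew_employee_id"},
]


def parse_event(line):
    """Split a 'k=v k=v' log line into a dict with typed time and event id."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["time"] = datetime.fromisoformat(fields["time"])
    fields["event"] = int(fields["event"])
    return fields


def is_privileged(account, membership):
    """True if the account sits in any group covered by the stricter policy."""
    return bool(membership.get(account, set()) & PRIVILEGED_GROUPS)


def matching_ticket(target, when, tickets, window=TICKET_WINDOW):
    """Return the ticket for `target` opened at most `window` before `when`, else None."""
    for ticket in tickets:
        opened = datetime.fromisoformat(ticket["opened"])
        if ticket["target"] == target and timedelta(0) <= when - opened <= window:
            return ticket
    return None


def audit_resets(lines, membership, tickets):
    """Return one finding per privileged reset that has no ticket or only weak verification."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev["event"] != 4724 or not is_privileged(ev["target"], membership):
            continue  # not a reset, or not a privileged account: outside this check
        ticket = matching_ticket(ev["target"], ev["time"], tickets)
        if ticket is None:
            reason = "no help-desk ticket within window"
        elif ticket["verification"] not in STRONG_VERIFICATION:
            reason = f"weak verification: {ticket['verification']}"
        else:
            continue  # ticket present and caller verified by an accepted method
        findings.append({
            "target": ev["target"],
            "subject": ev["subject"],
            "time": ev["time"].isoformat(),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_resets(SAMPLE_EVENTS, GROUP_MEMBERSHIP, TICKETS):
        print(finding)
```

Run against the constructed data, the audit passes the svc_backup reset (ticket present, MFA-confirmed), flags da_jsmith because the only verification was knowledge of an employee ID, and flags cloudadm_ops because no ticket exists at all; the reset on jdoe is ignored since that account is not privileged. In a real deployment the three constructed inputs would come from the domain controllers' security logs, a directory export and the ticketing system respectively, and the set of accepted verification methods would be whatever the organisation's reset procedure actually mandates.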
Appearing before MPs, chairman Archie Norman refused to confirm if M&S paid a ransom following the hack.
Speaking at a Business and Trade select committee, he said it was “not an overstatement to describe it as traumatic”, adding: “We’re still in the rebuild mode and will be for some time to come.”
He said the ordeal was “like an out-of-body experience” and that he had not experienced “anything quite like this” before in his extensive time working in the corporate world.