Marks & Spencer suffers a cyberattack disrupting Click & Collect and contactless payments. Stores remain open as experts investigate. No customer data breach confirmed

Continue reading
British retail giant Marks \& Spencer (M\&S) has confirmed it is managing a cyberattack that has disrupted several key customer services, including its Click and Collect system and contactless payment capabilities. The incident, disclosed on April 22, 2025, has forced the company to implement temporary operational changes while it works with external cybersecurity experts to investigate and resolve the situation.
M\&S revealed that it has been managing a cyber incident for several days, prompting the company to make what it described as "minor, temporary changes" to its store operations[^1][^2]. The cyber incident has primarily affected the retailer's Click and Collect system, causing delays for customers awaiting online orders[^1]. Customers have been advised to wait for confirmation emails before visiting stores for pickups[^9].
Beyond Click and Collect disruptions, the attack has also impacted:
Despite these disruptions, M\&S has emphasized that all physical stores remain open and that its website and mobile app continue to operate normally[^1][^5][^6]. The company has not disclosed specific details regarding the nature of the cyberattack or whether customer data has been compromised[^1][^3].
The cyber incident appears to have begun during the Easter Bank Holiday weekend, with customer complaints appearing on social media platforms as early as Saturday, April 19, 2025[^3][^11]. The timing is particularly significant as Easter represents the second busiest trading period for retailers after Christmas[^10], potentially maximizing the impact on both M\&S operations and customer experience.
M\&S officially confirmed the incident on Tuesday, April 22, 2025, through a statement to the London Stock Exchange and direct communications to customers[^5][^7]. As of April 23, 2025, the company was still working to resolve the issues[^1][^6].
Upon discovering the cyber incident, M\&S implemented a multi-faceted response strategy focusing on containment, investigation, and customer communication.
M\&S has engaged external cybersecurity experts to assist with investigating and managing the incident[^1][^6][^9]. The company stated it is "taking actions to further protect our network and ensure we can continue to maintain customer service"[^7][^9]. These actions include reinforcing network security while working to restore affected services[^1].
As required by regulations, M\&S has reported the incident to:
M\&S Chief Executive Stuart Machin issued a statement apologizing for the inconvenience caused to customers[^2][^10]. The company has emphasized that "customer trust is incredibly important" and promised to provide updates if the situation changes[^5][^7].
William Dixon, a Senior Associate Fellow for Cyber and International Security at the Royal United Services Institute (RUSI), praised M\&S's customer communications about the incident as "textbook," highlighting the empathy, transparency, and reassurance provided in their messaging[^2].
While M\&S has not confirmed the specific type of cyberattack, cybersecurity experts have offered several insights based on the pattern of disruption.
The disruption to payments and online services suggests a possible ransomware attack[^3][^9]. If ransomware is indeed behind this attack, data may have been stolen to be used as leverage to convince the company to pay a ransom[^9]. As of April 23, 2025, no ransomware group or threat actor had claimed responsibility for the attack[^1][^9].
Cybersecurity analysts suggest that if ransomware is involved, attackers may attempt to pressure M\&S privately before making any public statements or demands[^1]. This aligns with typical ransomware tactics where stolen data is often used as leverage to extract payments from victims[^1].
The timing of the attack during the Easter Bank Holiday weekend appears strategic. Ian McShane, a security expert at cybersecurity firm Arctic Wolf, noted that the challenges faced by M\&S demonstrate that "cyber attackers never take a day off"[^10]. He explained that "criminals are always seeking to create the most disruption with the least effort," and targeting a major retailer during a busy holiday shopping period maximizes impact[^10][^11].
The M\&S cyber incident is not occurring in isolation but rather as part of a concerning trend affecting major organizations in the UK and globally.
The retail sector remains a prime target for cybercriminals for several reasons:
According to reports, the consumer cyclicals and non-cyclicals sectors, which encompass retailers, were among the top five most targeted verticals by ransomware gangs in early 2024[^11].
This incident adds to a growing list of similar cyberattacks affecting major UK organizations:
A 2022 government report revealed that 39% of UK businesses reported cybersecurity breaches or attacks in a 12-month period, highlighting the widespread nature of the threat[^3][^8].
Cybersecurity experts have provided several insights regarding the M\&S incident and its implications for organizational security practices.
James Hadley, Founder and CIO at cybersecurity training firm Immersive, noted: "While M\&S communicated the issue clearly and has likely invoked tried and tested incident response processes, attacks like these serve as important reminders that businesses' perception of their cyber resilience may not align with their actual capabilities"[^2].
Jamie Moles, Senior Technical Manager at ExtraHop, emphasized the importance of early detection: "Incidents like this demonstrate how essential it is to have real-time visibility, threat detection and rapid response capabilities across all digital infrastructure. Network visibility can play a pivotal role, helping organizations detect anomalies early, isolate potential threats and maintain service continuity"[^2].
Daniel Card from Chartered for ITBCS remarked that the M\&S incident serves as a "reminder the gap often exists between our perception of cyber resilience and the reality"[^10]. He noted that even well-equipped organizations are not immune to attacks.
The cyberattack comes at a critical time for M\&S, with its financial year having ended on March 29, 2025, and full-year results scheduled to be announced on May 21, 2025[^6][^15]. Stakeholders will be watching closely to see if the incident has any material impact on performance or customer confidence[^6].
The company's proactive engagement with authorities and cybersecurity experts signals a robust approach to crisis management, aiming to restore full confidence among its customers and investors[^6]. This incident will likely serve as an important test of M\&S's cyber resilience and crisis management capabilities.

U.S. Army recruiting pages hijacked to display fake 404 errors reading ‘Kurdistan’, exploiting a third-party tool and exposing .mil web security gaps.