Although contactless payments have been restored in shops, a week of problems still means that on-line ordering remains on pause at M&S.
The firm reported an incident to the National Cyber Security Centre last Monday.
Contactless payments and ‘click and collect’ orders were immediately affected online and across all UK stores.
This followed separate technical problems with contactless payments on April 19.
The attack on M&S is one of a series of incidents in recent years.
In September 2025, Transport for London was forced to close its online services. In 2023, Royal Mail a cyber incident caused severe service disruption forcing the company to ask customers to stop sending parcels and letters overseas. The same year WH Smith was hit by an attack in which company data and personal details of employees were accessed illegally.
According to a government report published in March 2022, two out of five businesses reported cyber security breaches or attacks in the previous year. One in three businesses were suffering attacks at least once a week.
Impact on M&S
Shares initially fell by 4% immediately after the announcement, ending 2.3% down. This drop made the retailer one of the biggest fallers in the FTSE 100.
A third of the retailers clothing and homeware sales are made on-line. Nicholas Found, head of commercial content at Retail Economics, said: “The cyber attack on Marks and Spencer is a stark reminder that no retailer, no matter how established or digitally sophisticated, is immune from the escalating threat of cybercrime.”
M&S has hired cyber security experts to help and investigate and manage the problem.
The attack is said to have originated at one of M&S’ service suppliers.
Online sales at M&S which account for a daily average of £3.8 million have been suspended for a fifth day.
What WM businesses can do to protect themselves
Mike Osbourne, MD at Intercity Managed Services, said one business falls victim to cyber every 14 seconds, so it’s no longer a case of if, but when, you will need to manage a cyber attack.
Deep fake technology and AI enhanced attacks are making basic attempts to hack businesses far more sophisticated and believable, and it only takes one fallible employee to fall victim.
Businesses must plan for the inevitable now rather than hope for the best. There are five key areas to consider:
- Ensure IT and data is secured to industry best practice. The government has launched the Cyber Essentials framework as a minimum set of standards. Use a third party to test access at least once per year.
- Educate staff. The ‘Human Firewall’ is as important as securing the tech. Ensure staff are trained on the types of cyber attacks and regularly test them with simulated attacks.
- Have a cyber Response plan ready in advance. Trying to make one up on the spur of the moment is a recipe for disaster. There is a ‘play book’ that has been gleaned from the experience of others – use it and test yourself annually.
- Communicate well, often and honestly. M&S has communicated well. Good comms can buy you time to recover and provide reassurance to staff and customers.
- Report it. If you have cyber insurance, you provider will need to know immediately and will likely provide specialist assistance. There is also a legal obligation to report any suspected loss of personal data to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
More information can be found at the National Cyber Security Centre and more locally firms like Intercity Technology is working with the Greater Birmingham Chamber of Commerce to provide awareness and training events. They also offer a Cyber Assessment Framework that helps to assess, improve and train businesses on cyber preparedness.
