M&S Cyberattack Disrupts Contactless Payments and Click & Collect Services
Marks & Spencer (M&S) cyberattack disrupts contactless payments and Click & Collect; investigation launched as retailer apologises and claims to boost cybersecurity measures.
British retailer Marks & Spencer (M&S), a company with over 140 years of history in food and clothing, experienced a major cybersecurity incident during the Easter break that disrupted some of its essential services.
This event impacted the ability of customers to make contactless payments in their stores and caused delays in the collection of online orders, known as the Click and Collect service. Many customers took to social media platforms to voice their frustrations regarding these issues.
Stuart Machin, the Chief Executive of M&S, issued an apology to customers, acknowledging the disruptions. He explained that the company had to implement temporary adjustments to their store operations as a protective measure for both their customers and the business itself. While the stores remained open and the M&S website and mobile application continued to function normally, the technical difficulties with contactless payments and Click and Collect caused considerable inconvenience.
In response to this incident, M&S promptly engaged external cybersecurity specialists to conduct a thorough investigation and manage the situation effectively. The company also notified key regulatory bodies, including the Information Commissioner’s Office (ICO), the UK’s data protection authority, and the National Cyber Security Centre. An ICO spokesperson confirmed that they were aware of the incident and were in the process of assessing the information provided by M&S.
Furthermore, M&S assured its investors that they were taking proactive steps to enhance the security of their network and ensure the continuation of customer service. In their statement to the London Stock Exchange, M&S emphasized the paramount importance of customer trust and pledged to provide updates if the situation evolved.
While M&S informed customers that they were actively working to resolve the “limited” delays affecting Click and Collect orders, some shoppers had reported issues even before the official announcement. These earlier complaints included difficulties using gift cards and vouchers within M&S stores. One customer described the situation as a “total failure for customers,” highlighting the lack of communication that could have prevented unnecessary trips to the stores.
The timeline of the incident indicates that while the main cyber incident impacting contactless payments and Click and Collect began on Monday, a separate technical problem affecting only contactless payments occurred on the preceding Saturday. This suggests that M&S was dealing with technical difficulties throughout the weekend, and that these earlier difficulties were not the immediate aftermath of the main cyber incident.
Nevertheless, this incident follows a pattern of similar attacks on UK organizations in recent years. Transport for London had to shut down numerous online services after a cyberattack; Royal Mail recently faced severe disruptions to international mail services, resulting in the attackers leaking 144GB of its internal files; and retailer WH Smith experienced a data breach compromising employee information.
James Hadley, Founder and Chief Innovation Officer, Immersive: “Breaches like M&S’s aren’t rare. While they communicated clearly and likely followed tested response plans, such attacks highlight the gap between perceived and actual cyber resilience. Regular cyber drills and realistic crisis simulations are vital for building real confidence and preparing teams to protect critical data in an increasingly high-risk environment.”