The incident initially impacted in-store contactless payments and continues to cause problems for Click & Collect services, leading to widespread customer inconvenience. While contactless payments have since been restored, the complete pause on online sales marked a serious escalation in the company's response to the attack. M&S confirmed its physical stores remain open to customers.
The disruption first surfaced over the Easter Bank Holiday weekend, typically a busy shopping period, with customers reporting difficulties making contactless payments, collecting online orders via Click & Collect, and using gift cards or vouchers in stores.
M&S officially acknowledged it was "managing a cyber incident" on Tuesday, April 23rd, through public statements and a filing with the London Stock Exchange. Chief Executive Stuart Machin apologized to customers for the disruption caused by what were initially described as "minor, temporary changes" necessary to protect the business. However, by Friday, April 25th, the company took the more drastic step of pausing all online orders across its UK, Ireland, and some international websites and apps, stating this was part of its "proactive management" of the incident. This move came despite earlier assurances that the website and app were operating normally.
The shift from addressing specific service issues to halting all online transactions, a significant revenue stream estimated to account for around 30% of UK clothing and home sales, suggested the incident's severity required isolating major systems to prevent further compromise and regain control. Further indicating the internal scope of the issue, M&S reportedly restricted remote-working employees from accessing some internal IT systems around April 28th, likely to prevent the attack spreading through its corporate network.
The cyber incident has caused significant disruption for shoppers. While contactless payments, initially affected over the weekend, were confirmed restored by Friday, April 25th, other key services remained impacted. The Click & Collect service faced ongoing significant disruption, with collections paused or delayed, leading to customer frustration and wasted journeys to stores. M&S confirmed it was holding parcels in-store "until further notice". Additionally, customers were unable to use gift cards, e-gift cards, or credit receipts for payment either online or in-store.
The differing recovery times for services like contactless payments versus the more complex, backend-integrated Click & Collect and gift card systems pointed to the attack potentially affecting multiple, interconnected parts of M&S's operational infrastructure.
M&S issued apologies and updates via official channels and social media. The company repeatedly advised customers that there was "no need for them to take any action" concerning their personal data, while promising further updates if the situation changed. This focus on data security appeared aimed at reassuring customers, although cybersecurity experts warned users to remain vigilant for potential phishing scams attempting to exploit the situation.
M&S confirmed it had engaged "leading" external cybersecurity experts to investigate and manage the response and had reported the incident to the UK's National Cyber Security Centre (NCSC) and relevant data protection authorities. The NCSC confirmed it was supporting M&S.
The cyberattack had immediate financial repercussions, with M&S shares dropping nearly 5% following the announcement of the online order suspension.
Multiple sources are now indicating a potential link between the M&S cyber incident and the Scattered Spider hacking group. These reports suggest that the attack on M&S may have involved tactics and even specific ransomware (DragonForce) associated with Scattered Spider.
Scattered Spider, also known by several other names, is a financially motivated cybercriminal group primarily composed of young, English-speaking individuals. They are known for sophisticated social engineering tactics and have been linked to the ALPHV/BlackCat ransomware operation. This group has targeted various sectors, including telecommunications, finance, and hospitality, and has a history of high-profile attacks.