Marks & Spencer (M&S) says a cyber incident was behind the disruption of its contactless payment and the click and collect delays.
The high street retailer operates over 1,000 stores across the United Kingdom, stocking clothing, homeware, and produce items.
The retail giant has assured its customers that it was working relentlessly to resolve the cybersecurity issue, and they need not take any action.
Marks & Spencer cyber incident disrupts online shopping
M&S said it had to “make some minor, temporary changes to our store operations to protect customers and the business,” suggesting that the cyber incident was a ransomware attack.
The retail giant also hired external cybersecurity experts, took additional actions to further protect its network, and notified the Stock Exchange, the Information Commissioner’s Office (ICO), and the National Cyber Security Centre (NCSC).
Meanwhile, customers complained on social media about the company’s failure to warn them in advance, resulting in wasted time and effort to unsuccessfully pick up their items.
“Total failure for customers,” one customer tweeted. “Click and collect system down until Friday. No manual way to find parcels. A simple message out to customers to save a journey would have worked a treat.”
However, the company says it was working to “ensure we can continue to maintain customer service.” Nonetheless, technical difficulties continue to affect the retail giant’s ability to process payments, gift cards, and item collections. Similarly, customers were warned to expect limited delays until further notice.
Shortly after, the company said it has halted all orders via its websites, apps, and phone, although its product listing remained accessible online.
“We are truly sorry for this inconvenience. Our stores are open to welcome customers,” the company said.
Meanwhile, Marks & Spencer has moved some internal processes offline to mitigate the impacts of the cyber incident.
“We have made the proactive decision to move some of our processes offline to protect our colleagues, partners, suppliers, and our business,” the company stated. “We are working hard to restore our services and minimize disruption, and are being supported by industry-leading experts.”
So far, no threat actor has taken credit for the Marks & Spencer cyber incident, and the attack vector remains undisclosed.
However, Marks & Spencer’s assurance that customers do not need to take further action suggests that the cyber incident did not expose personal information.
Customers should take precautionary action
Nonetheless, customers should take precautionary action by changing their passwords and remaining vigilant for potential phishing attacks.
Typically, uncovering the full extent of a cyber incident of this scale can take weeks or even months. Similarly, retail and delivery scams are very common, and indiscriminate fraudsters could exploit the M&S cyber incident for spray-and-pray phishing attacks.
Subsequently, M&S customers should be wary of advance delivery fee scams promising to deliver their items to their doorsteps due to technical difficulties affecting Marks & Spencer.
They should also avoid sharing credit card numbers, account passwords, or other sensitive personal information online, especially via social media or email, unless it is through verified and trusted communication channels.
For now, M&S has confirmed that all contactless payments have resumed operation, and the company continues to receive positive feedback from customers.
“The recent cybersecurity incident at Marks & Spencer serves as a reminder of the interdependencies in modern retail operations,” warned Javvad Malik, Lead Security Awareness Advocate at KnowBe4. “The disruption to Click and Collect services and contactless payments underscores how any technical issue can have far-reaching consequences across an entire organization.”
