The disruption has now escalated, with M&S completely pausing all online and app-based orders, encompassing food deliveries and clothing purchases. The company has also announced it will be issuing refunds for orders placed by customers on Friday, indicating the severity of the ongoing technical difficulties.
The news of the online shutdown triggered a negative reaction in the financial markets, with M&S shares experiencing a 5% drop following the announcement.
In a public statement posted on X, M&S conveyed its apologies for the significant inconvenience caused. "We are truly sorry for this inconvenience," the retailer wrote. “Our experienced team – supported by leading cyber experts – is working extremely hard to restart online and app shopping. We are incredibly grateful to our customers, colleagues and partners for their understanding and support.” The company reassured customers that its physical stores remain open and operational despite the online disruptions.
The cyber incident has triggered a cascade of problems beyond just online ordering. Previously, customers had reported issues with contactless payments, the Click & Collect service, and the inability to use gift cards as payment methods. Since the suspension of online ordering, M&S has continued to address customer queries on social media, confirming that these initial problems persist.
Responding to customer inquiries on X, M&S stated, “Gift cards, e-gift cards and credit receipts can’t currently be used as a payment method in store or online.” However, the retailer offered some reassurance to customers awaiting Click & Collect orders, advising that if they had already received confirmation emails, they should still be able to collect their items in-store. M&S also clarified its policy on undelivered parcels, stating, “We’re holding all parcels in store until further notice, so there’s no risk of it being sent back.”
Despite these assurances, some customers have voiced criticism regarding M&S's handling of the outage, particularly concerning the clarity and accuracy of their communication. One frustrated customer shared on X, “After being told yesterday in the evening the problem with gift cards was sorted, went in store today and was sent away again,” marking their fourth consecutive unsuccessful attempt to use their M&S gift card.
Amidst the widespread frustration, some customers have acknowledged the efforts of in-store staff, praising their service under challenging circumstances and urging others to refrain from directing their anger at frontline workers. However, many customers remain uncertain about the impact of the ongoing cyber attack on existing purchases, orders, and returns.
The Information Commissioner’s Office (ICO) has confirmed it is "assessing the information provided" by M&S regarding the incident. The company had previously reported the cyber attack to both the National Cyber Security Centre (NCSC), and the National Crime Agency (NCA) has stated it is collaborating with the NCSC to provide support to M&S.
In an update provided to investors on Friday, M&S explained that the decision to temporarily halt online orders in the UK was a component of its "proactive management" strategy in response to the cyber incident. “The M&S team – supported by leading experts – is working extremely hard to restore online operations and continue to serve customers well,” the company reiterated.
Experts in the cybersecurity field are now speculating about the potential nature and impact of the attack. Nathaniel Jones, Vice President of Security & AI Strategy at Darktrace, highlighted the significant repercussions of such incidents, stating that M&S halting online sales demonstrates "the cascading impact these attacks can have on revenue streams." He further noted how quickly cyber incidents can "cripple retail operations across both digital and physical channels."
William Wright from Closed Door Security echoed these concerns, suggesting the outage could have a "material impact" on M&S's financial performance. He pointed out that "data shows almost a quarter of the store’s sales happen online, so no matter how long this pause is put in place, it will hurt M&S financially."
M&S joins a growing list of major retailers and financial institutions that have experienced significant disruptions to their online services in recent months. Last year, Morrisons faced substantial issues with its Christmas orders, while earlier this year, major banking outages at Barclays and Lloyds caused widespread inconvenience, including delays in salary payments for many. The ongoing situation at M&S underscores the increasing vulnerability of large organizations to sophisticated cyber threats and the potential for significant disruption to their operations and customer service.