The contactless payment chaos Marks & Spencer customers encountered this week was as a result of a cyber incident, it is understood.
The retailler has apologised for the disruption, which left shoppers unable to accept contactless payments or process click-and-collect orders across several of its UK stores. Customers vented their anger on social media, including X, as employees asked guests to pay with cash.
In a statement to the stock exchange, M&S has now said it has had to make “minor, temporary changes” to its operations following the cyber incident. It added: “Marks and Spencer Group plc (the Company, or M&S) has been managing a cyber incident over the past few days.
“As soon as we became aware of the incident, it was necessary to make some minor, temporary changes to our store operations to protect customers and the business and we are sorry for any inconvenience experienced. Importantly, our stores remain open and our website and app are operating as normal.”
Are you affected by the M&S cyber incident? Contact webnews@mirror.co.uk
The statement continued: “The company has engaged external cyber security experts to assist with investigating and managing the incident. We are taking actions to further protect our network and ensure we can continue to maintain customer service.
“In parallel, the company has reported the incident to the relevant data protection supervisory authorities and the National Cyber Security Centre. Customer trust is incredibly important to us, and if the situation changes an update will be provided as appropriate. M&S’ financial year ended on 29 March 2025, with full year results scheduled to be announced on May 21, 2025.”
The firm said customers and staff do not need to take any action, suggesting their data has not been accessed. However, shoppers were more angry about the lack of communication and their struggle to pay for items on Monday and, in some cases, on Tuesday as well.
A shopper at the retailer’s Plymouth store posted on X on Saturday that they “could not collect my online purchase today, previous visit could not return an item as tills were down …please sort out your poor IT situation”. Another customer posted on the same platform on Monday: “Nothing working Beckenham [in] London either, no pick ups or returns.”
In recent years, there has been a run of similar incidents, including the cyber attack Transport for London (TfL) encountered. During this episode, TfL was forced to suspend many of its online services.
And In 2023, Royal Mail was forced to ask customers to stop sending parcels and letters to overseas destinations after a cyber incident caused “severe service disruption” to international mail.
At Reach and across our entities we and our partners use information collected through cookies and other identifiers from your device to improve experience on our site, analyse how it is used and to show personalised advertising. You can opt out of the sale or sharing of your data, at any time clicking the “Do Not Sell or Share my Data” button at the bottom of the webpage. Please note that your preferences are browser specific. Use of our website and any of our services represents your acceptance of the use of cookies and consent to the practices described in our Privacy Notice and Cookie Notice.
