M&S Cyberattack Disrupts Contactless Payments and Click & Collect Functions

Marks & Spencer Faces Cybersecurity Incident Disrupting Payment Systems

Marks & Spencer (M&S), a venerable British retailer with over 140 years in the food and clothing sectors, has recently been the victim of a significant cyberattack that unfolded during the Easter period. The incident disrupted vital services, impacting customers’ ability to execute contactless payments in stores and leading to delays in their Click and Collect service—a critical component of their online sales strategy.

As customers encountered these operational setbacks, many took to social media to express their dissatisfaction. M&S’s Chief Executive, Stuart Machin, publicly acknowledged the disruptions, extending an apology to affected customers. He noted that while their stores remained open and the M&S website and mobile app were operational, adjustments had to be made to ensure the protection of both customers and the business amidst the technical challenges.

In an immediate response to the incident, M&S engaged external cybersecurity specialists to investigate the breach and contain the ongoing situation. The retailer also notified key regulatory authorities, including the Information Commissioner’s Office (ICO) and the National Cyber Security Centre, about the intrusion. An ICO spokesperson confirmed that the regulator is aware of the incident and is evaluating the details provided by M&S.

Furthermore, M&S assured investors of the proactive steps being taken to enhance cybersecurity protocols and maintain effective customer service continuity. In a statement to the London Stock Exchange, the retailer stressed the importance of maintaining customer trust and committed to keeping stakeholders updated as more information becomes available.

While M&S has been transparent about working to resolve the “limited” disruptions with Click and Collect orders, reports indicate that some customers had encountered issues even prior to the official announcement. Complaints included difficulties redeeming gift cards and vouchers within M&S stores. One frustrated shopper described the situation as a complete failure in customer communication, which could have prevented unnecessary visits to stores amid the operational crises.

Notably, the timeline surrounding the incident suggests that while the primary issue significantly affecting contactless payments and Click and Collect services began on a Monday, a related technical problem affecting only the contactless payment system emerged the preceding Saturday. This indicates that M&S was grappling with technical challenges throughout the weekend, rather than only reacting to the main cyber incident.

This event is not isolated; it is part of a growing trend of cybersecurity breaches impacting various UK organizations. In similar incidents, Transport for London had to suspend multiple online services due to a cyberattack, Royal Mail recently faced severe disruptions to its international services due to a breach that resulted in the exfiltration of 144GB of sensitive data, and retailer WH Smith encountered a data breach affecting employee information.

Cybersecurity experts emphasize that incidents like M&S’s are becoming increasingly common. James Hadley, Founder and Chief Innovation Officer of a cybersecurity firm, noted that such breaches reveal the disparity between perceived and actual cyber resilience within organizations. Regular cyber drills and realistic crisis simulations are essential to build genuine confidence and prepare teams to safeguard critical data amid a growing threat landscape.

In evaluating the tactics and techniques potentially employed during this attack, one could reference the MITRE ATT&CK framework, which catalogues adversarial actions ranging from initial access (gained through various means) to privilege escalation and data exfiltration. This structured approach allows organizations to better understand and anticipate threats in an era where cyberattacks are increasingly sophisticated and prevalent.
