Retail giant Marks & Spencer (M&S) has officially confirmed it is managing a significant cybersecurity incident, following widespread reports from customers regarding operational disruptions and payment system outages.
Operational Impact and Company Response
In a formal notice issued this Tuesday, M&S CEO Stuart Machin informed customers that the company has been navigating a cyber incident for several days. Machin emphasized that specific operational adjustments were mandatory to safeguard both the business and consumer interests.
Despite the ongoing investigation, the retailer maintains that its primary digital channels—the official website and mobile application—continue to function without interruption. Physical store locations also remain open to the public.
Investigation and Regulatory Notification
Seeking to contain the fallout, M&S has filed a formal update with the London Stock Exchange. The company confirmed it has retained external cybersecurity experts to conduct a forensic investigation and has proactively notified relevant data protection authorities.
Customer Disruptions and System Status
While the exact nature of the attack remains undisclosed, the impact on the ground has been tangible. Numerous customers reported failures in in-store payment card terminals, while others faced difficulties with order pick-ups. M&S spokesperson Lucy Reynolds confirmed that the company implemented operational restrictions on Monday, specifically targeting “click and collect” services and contactless payment systems.
M&S has since stated that contactless payment functionality has been restored. In a public response on social media, the retailer acknowledged it is “working hard to resolve some technical issues” affecting its stores.
Uncertainty Over Data Privacy
The company has declined to provide further details regarding the scope of the breach or whether sensitive customer data has been compromised. Given that M&S serves an estimated 32 million customers annually, according to its 2024 report, the security of user information remains a critical concern for regulators and the public alike.