Marks & Spencer has apologised to customers after a “cyber incident” affected contactless payments and the pick up of online orders in it stores in recent days.
The retailer told shoppers that delays to click and collect orders have continued but it was “working hard to resolve” the issue.
It told customers and staff they did not need to take any action, suggesting their data has not been accessed.
In a statement to the stock exchange M&S said it had found it “necessary to make some minor, temporary changes to our store operations to protect customers and the business” and was “sorry for any inconvenience experienced”. It said stores remained open and its website and app were operating as normal.
“Customer trust is incredibly important to us, and if the situation changes an update will be provided as appropriate,” the company said in a statement to the City.
M&S said it had reported the incident to the National Cyber Security Centre and hired cybersecurity experts to help investigate and manage the issue and was “taking actions to further protect our network” to ensure it could continue serving shoppers.
The incident began on Monday with contactless payments and click and collect orders affected in stores across the country. However, there was a separate technical problem on Saturday, which only affected contactless payments.
A shopper at the retailer’s Plymouth store posted on X on Saturday “could not collect my online purchase today, previous visit could not return an item as tills were down …please sort out your poor IT situation”.
Another customer posted on the same platform on Monday: “Nothing working Beckenham [in] London either, no pick ups or returns.”
The attack on M&S follows a run of similar incidents in recent years. In September, Transport for London was forced to close down many online services after a cyber-attack.
In 2023, Royal Mail was forced to ask customers to stop sending parcels and letters to overseas destinations after a cyber incident caused “severe service disruption” to international mail, and WH Smith was hit by an attack in which company data was accessed illegally, including the personal details of current and former employees. That came less than a year after a cyber-attack on WH Smith’s Funky Pigeon website forced it to stop taking orders for about a week.
In 2022, the Guardian asked most of its staff to work from home after it was hit by a ransomware attack in which the personal data of UK staff members was accessed.
According to a government report in 2022, two in five UK businesses had reported cybersecurity breaches or attacks in the previous 12 months.
