
Marks & Spencer (M&S), one of the UK's largest retailers, experienced a significant cyber incident over the Easter weekend of 2025 that disrupted operations across its 1,000+ UK stores. The attack primarily affected contactless payments, online order processing (Click & Collect) and gift card systems, forcing the company to fall back temporarily to chip-and-PIN and cash transactions [1]. The incident highlights the fragility of retail payment infrastructure during high-traffic periods, when the cost of downtime is highest and response capacity is often lowest.
Technical Impact and Response
The cyber incident caused a cascading failure across multiple M&S systems beginning on April 19, 2025. Contactless payment acceptance was switched off as a precautionary measure, so customers had to enter a PIN or pay in cash [2]. Backend systems supporting Click & Collect orders failed outright, delaying order fulfilment and prompting complaints from customers who had travelled to stores for orders that were not ready. M&S engaged the cyber security firms Arctic Wolf and NCC Group to investigate and contain the breach, and affected systems were reported to have been isolated within 48 hours [3].
Early analysis suggested the attackers may have gained initial access through a third-party vendor system, though the exact vector was unconfirmed at the time of writing [4]. The incident shares characteristics with previous UK attacks, including the 2023 Royal Mail ransomware attack and the WH Smith breach the same year [5], although those incidents hit international shipping and HR systems respectively rather than point-of-sale payment systems; what they have in common with the M&S case is the disruption of core business operations at a commercially sensitive time.
Operational and Security Measures
M&S implemented several mitigation strategies during the incident:
- Disabled all contactless payment terminals chain-wide
- Paused gift card processing and in-store returns
- Deployed external cybersecurity teams to assess system integrity
- Notified UK authorities including the National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO)
The company's share price initially fell 1.2% following the disclosure to the London Stock Exchange but recovered within 24 hours [6]. M&S CEO Stuart Machin issued public apologies and told customers there was no evidence at that stage that personal data had been compromised, though the ICO continues to monitor the incident for potential UK GDPR breaches [7].
Industry Context and Security Implications
Retail systems remain prime targets because they tightly couple financial transactions, supply chain management and customer data: an outage in one component propagates to the others. NCC Group's 2024 Cyber Threat Landscape Report for the retail sector notes that around 40% of UK businesses experienced a breach in 2022 [8]; separate industry reporting has also described ransomware attacks rising roughly 50% in early 2025. The M&S incident illustrates how attackers increasingly time operations around holidays and weekends, when security and operations teams are thinly staffed and escalation paths are slower.
Security commentators noted that the attack's focus on operational disruption rather than confirmed data theft could indicate preparation for a ransomware deployment or probing of system weaknesses, although neither had been established. M&S offered £10 gift cards to affected Click & Collect customers as compensation, which some criticised as inadequate given the scale of the disruption [9].
Lessons and Recommendations
The M&S cyber incident provides several key takeaways for organizations with similar retail payment infrastructures:
| Area | Recommendation |
|---|---|
| Third-Party Risk | Implement stricter vendor access controls and continuous monitoring |
| Payment Systems | Maintain offline transaction capabilities for failover scenarios |
| Incident Response | Develop holiday/weekend-specific response protocols |
| Customer Communication | Establish clear channels for real-time status updates |
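The third-party risk and holiday/weekend rows above, together with the observation in the previous section that attackers time operations for periods of reduced coverage, translate into a concrete detection: vendor remote-access logins that fall outside an approved maintenance window, come from an unregistered source, or land on a weekend or UK bank holiday. The following is an added example written for this article; it is not M&S code and does not describe the actual intrusion. The log format, the `vendor_` account naming convention, the approved window, the registered source addresses and the log lines themselves are constructed assumptions.

```python
"""
Flag third-party (vendor) remote-access logins that breach an assumed access
policy: outside the approved maintenance window, from an unregistered source,
or during a weekend / UK bank holiday when response capacity is reduced.

Added example for this article, not M&S code. Log format, account names,
source addresses and the policy values are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Optional

# Constructed sample log lines (assumed VPN/bastion format:
# ISO-8601 UTC timestamp, event type, then key=value fields).
SAMPLE_LOG = """\
2025-04-16T10:12:03Z vpn_login user=vendor_acme_svc src=203.0.113.10 result=success
2025-04-17T14:45:51Z vpn_login user=jsmith src=198.51.100.22 result=success
2025-04-18T23:58:40Z vpn_login user=vendor_acme_svc src=203.0.113.10 result=success
2025-04-19T02:14:09Z vpn_login user=vendor_acme_svc src=192.0.2.77 result=success
2025-04-19T02:16:33Z vpn_login user=vendor_acme_svc src=192.0.2.77 result=failure
2025-04-21T09:30:00Z vpn_login user=vendor_acme_svc src=203.0.113.10 result=success
"""

# Assumed policy: vendor service accounts (prefix "vendor_") may only connect
# Mon-Fri 08:00-18:00 UTC and only from the addresses registered for them.
VENDOR_PREFIX = "vendor_"
WINDOW_START = time(8, 0)
WINDOW_END = time(18, 0)
APPROVED_SOURCES = {"vendor_acme_svc": {"203.0.113.10"}}

# UK bank holidays in the period covered: Good Friday and Easter Monday 2025.
UK_BANK_HOLIDAYS = {date(2025, 4, 18), date(2025, 4, 21)}


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    result: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one assumed-format log line; return None for non-login lines."""
    parts = line.split()
    if len(parts) < 5 or parts[1] != "vpn_login":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:])
    ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    return Event(ts, fields["user"], fields["src"], fields["result"])


def is_reduced_coverage(d: date) -> bool:
    """Weekend or bank holiday: the periods attackers favour for reduced response."""
    return d.weekday() >= 5 or d in UK_BANK_HOLIDAYS


def assess(ev: Event) -> list[str]:
    """Return the policy findings for one event; an empty list means clean."""
    findings: list[str] = []
    if not ev.user.startswith(VENDOR_PREFIX):
        return findings  # staff accounts are governed by a different policy
    if ev.src not in APPROVED_SOURCES.get(ev.user, set()):
        findings.append("unregistered_source")  # flagged even on failed attempts
    if not (WINDOW_START <= ev.ts.time() < WINDOW_END):
        findings.append("outside_maintenance_window")
    if is_reduced_coverage(ev.ts.date()):
        findings.append("reduced_coverage_period")
    return findings


def scan(log_text: str) -> list[tuple[Event, list[str]]]:
    """Run the policy over a log and return (event, findings) for each alert."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        findings = assess(ev)
        if findings:
            alerts.append((ev, findings))
    return alerts


if __name__ == "__main__":
    for ev, findings in scan(SAMPLE_LOG):
        print(f"{ev.ts.isoformat()} {ev.user} from {ev.src} ({ev.result}): "
              + ", ".join(findings))
```

Run against the constructed log, the Wednesday daytime login from the registered address passes, the staff account is ignored, and four vendor events are raised: the late Good Friday login and the Easter Monday login only for timing, and the two early-Saturday attempts from an unregistered address for all three reasons. In a real deployment the bank holiday set would come from a maintained calendar, the approved sources from the vendor access register, and the alerts would feed a weekend on-call rota rather than a Monday-morning queue.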
As retail systems grow more interconnected, the attack surface expands with them. The M&S case shows how a single point of failure in payment processing, whether the compromised component or the precautionary shutdown around it, can cascade across multiple business functions. Although the company reported no confirmed data loss at the time, the operational impact and reputational damage underline the need for tested contingency plans, not just documented ones, in retail cyber security strategies.
References
1. "Marks & Spencer confirms cyberattack as customers face delayed orders," BleepingComputer, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/marks-and-spencer-confirms-a-cyberattack-as-customers-face-delayed-orders/
2. "Marks and Spencer has suffered a cyberattack: Here's what we know so far," TechRadar, 2025. [Online]. Available: https://www.techradar.com/pro/security/marks-and-spencer-has-suffered-a-cyberattack-heres-what-we-know-so-far
3. "Cyber Incident Update," London Stock Exchange, 2025. [Online]. Available: https://www.londonstockexchange.com/news-article/MKS/cyber-incident-update/16999905
4. "M&S informs London Stock Exchange, customers of cyber incident," Silicon Republic, 2025. [Online]. Available: https://www.siliconrepublic.com/enterprise/m-and-s-informs-london-stock-exchange-customers-of-cyber-incident
5. "Final NCC Group Cyber Threat Landscape Report 2024 – Retail Sector," NCC Group, 2024. [Online]. Available: https://insights.nccgroup.com/l/898251/2024-09-18/31k3jtn/898251/17266810098g6p02gV/Final_NCC_Group_Cyber_Threat_Landscape_Report_2024___Retail_Sector.pdf
6. "British retailer M&S discloses cyber incident," Reuters, 2025. [Online]. Available: https://www.reuters.com/business/retail-consumer/british-retailer-ms-discloses-cyber-incident-2025-04-22/
7. "Marks & Spencer apologises for cyber incident affecting contactless payments and online orders," The Guardian, 2025. [Online]. Available: https://www.theguardian.com/business/2025/apr/22/marks-and-spencer-apologises-cyber-incident-contactless-payments-online-orders
8. "M&S CEO advises on cyber incident in customer email," SC Media UK, 2025. [Online]. Available: https://insight.scmagazineuk.com/ms-ceo-advises-on-cyber-incident-in-customer-email
9. "Marks & Spencer cyber incident hit stores over Easter," Daily Mail, 2025. [Online]. Available: https://www.dailymail.co.uk/news/article-14635711/marks-spencer-cyber-incident-hit-stores-easter.html