Cyber attack on M&S leads to click and collect delays

Liv McMahon & Chris Vallance
Technology reporters

Marks and Spencer (M&S) says it has been dealing with a "cyber incident" affecting some of its services over the last few days.

The UK retailer said its Click and Collect service had been impacted by technical issues along with its ability to collect contactless payments - with many customers taking to social media to complain about delays.

M&S chief executive Stuart Machin apologised to customers in a note on Tuesday.

He said the company had been forced to temporarily make "small changes" to store operations "to protect you and our business".

"There is no need for you to take any action at this time and if the situation changes, we will let you know," he said.

The Information Commissioner's Office (ICO), the UK's data watchdog, has been notified.

"Marks & Spencer plc has made us aware of an incident and we are assessing the information provided," an ICO spokesperson told the BBC.

In a notice to investors, M&S said it had engaged "external cyber security experts to assist with investigating and managing the incident".

"We are taking actions to further protect our network and ensure we can continue to maintain customer service," it added.

The company said it also reported the incident to the National Cyber Security Centre.

M&S told customers it was working to resolve some "limited" delays to Click and Collect orders.

It comes after some shoppers complained over the weekend about various issues - including being unable to use gift cards or vouchers in stores.

One person called the issues a "total failure for customers" in a post on X.

"A simple message out to customers to save a journey would have worked a treat," they said.

And another said they were unable to pay for clothes using a gift card while shopping at an M&S store in Liverpool.

M&S has confirmed it is still experiencing technical difficulties affecting its ability to process gift cards, alongside Click and Collect orders.

'Cyber resilience'

Daniel Card of the Chartered Institute for IT (BCS) said the M&S incident was "a reminder of the gap that often exists between our perception of cyber resilience and the reality".

"Even well-resourced organisations aren't immune, which underlines the importance of action at every level," he said.

He said while this may feel daunting for some smaller organisations, many common vulnerabilities "can be addressed through practical, proportionate steps".

These may include securing devices and email accounts to protect from targeted attempts to compromise a person or business.

This is just the latest in a series of IT problems to hit major high street names.

Morrisons experienced significant problems with their Christmas orders last year, with deliveries cancelled and discounts not applied on the biggest grocery shopping day of the year.

This was followed by two major outages on what was pay day for many in the first two months of this year.

And in January, serious IT problems at Barclays affected the bank's app and online banking.

It was later disclosed the firm could face compensation payments of £12.5m.

In February, several banks – notably Lloyds – faced outages, leaving businesses unable to pay staff.

Ian McShane, a security expert at cyber security company Arctic Wolf, said the issues experienced by M&S over Easter showed that "cyber attackers never take a day off".

"Criminals are always on the lookout to cause the most disruption for the least amount of effort," he added.

"Given the long weekend is the second biggest trading event for food and drink retailers after Christmas, this is exactly what happened here as the majority of the British public enjoyed the long weekend."

Additional reporting by Graham Fraser