Marks & Spencer has suspended all online orders through its website and mobile apps following a cyberattack that has disrupted business operations since late last week.
While browsing remains available, customers can no longer complete purchases online as the company intensifies its response to the incident.
The update was shared via an official statement on M&S’s X account today, confirming the company has paused online transactions “as part of our proactive management of a cyber incident.” The retailer emphasized that physical stores remain open and operational, while the online storefront will continue to serve as a product catalog during the outage.
The decision marks an escalation in M&S’s incident response following earlier disruptions reported on April 19. At that time, customers flagged issues with in-store payment terminals and failed click-and-collect orders. The company acknowledged the disruptions on April 22 in a regulatory filing with the London Stock Exchange, stating it had brought in external cybersecurity experts to contain and investigate the issue.
Founded in 1884, Marks & Spencer Group plc is a key player in British retail, known for its food, clothing, and home goods offerings. It operates a vast network of physical stores throughout the UK and serves around 32 million customers annually. The company has invested heavily in digital transformation in recent years, with its M&S.com platform playing a central role in its strategy.
Until Thursday, M&S had maintained that online shopping and its mobile app were “functioning normally,” even as store-based operations saw partial suspensions. However, persistent technical problems — particularly affecting back-end systems tied to fulfillment and payments — appear to have necessitated a broader pause in digital transactions.
The exact nature of the cyberattack remains undisclosed. The company has not confirmed whether the incident involved ransomware, a data breach, or another form of compromise. It has, however, reported the matter to the UK Information Commissioner’s Office and the National Cyber Security Centre, suggesting the possibility of significant impact or regulatory concerns. No evidence has emerged so far that customer data has been accessed or exfiltrated.
In its latest statement, M&S reiterated that there is currently “no need for customers to take any action,” and assured the public that its teams, working with external cybersecurity specialists, are “working extremely hard to restart online and app shopping.”
The company has not provided a timeline for the restoration of full digital services but promised further updates as the situation evolves.
Customers should remain vigilant for any phishing messages claiming to be from M&S, particularly those asking for login credentials or payment information. M&S account holders may wish to change their passwords as a precaution, especially if they reuse them across other services.
Leave a Reply