.png)
3 hours ago
4
Marks & Spencer has halted all orders through its website and apps as the retailer continues to battle the fallout from a cyber-attack that began last week.
The company apologised to shoppers for “this inconvenience” and paused digital orders “as part of our proactive management of a cyber incident”.
“Our experienced team – supported by leading cyber experts – is working extremely hard to restart online and app shopping,” it said.
The retailer said shoppers could continue to browse online and shop in its physical stores using cash or card. Contactless payments were restarted on Thursday after being paused earlier this week.
Customers who have already made an online order can collect it in stores once they have received notification but new orders cannot be placed.
M&S said customers did not need to take any action, indicating that their details had not been accessed.
Shares in M&S fell by 4% on Friday after the announcement, making it the biggest faller in the FTSE 100.
Just over a third of M&S’s clothing and homeware sales are made online and the forced stop in orders comes before a busy weekend period and expected heatwave that is likely to spur demand for clothing and kit for outdoor entertaining.
The cyber incident began on Monday, affecting contactless payments and click-and-collect orders in stores across the country.
However, there was a separate technical problem on the Saturday of the busy Easter weekend that affected only contactless payments.
M&S has hired cybersecurity experts to help investigate and manage the problem and said it was taking actions to further protect the network to ensure it could continue serving shoppers.
Security experts warned shoppers to watch out for scammers capitalising on the high profile incident.
Vonny Gamot, the head of European and Middle Eastern operations at the online protection company McAfee, said: “Unfortunately, fraudsters looking to capitalise on the situation will launch further rounds of phishing attacks, usually via email or text, that direct people to bogus sites designed to steal sensitive information.
after newsletter promotion
“Whether it’s an email requesting an alternate payment method due to missed transactions or a text asking you to reset your login details, it’s always wise to keep a cautious eye open.”
The attack on M&S follows a number of similar incidents in recent years. In September, Transport for London was forced to close down many online services after a cyber-attack.
In 2023, Royal Mail was forced to ask customers to stop sending parcels and letters to overseas destinations after a cyber incident caused “severe service disruption” to international mail, and WH Smith was hit by an attack in which company data was accessed illegally, including the personal details of current and former employees. That came less than a year after a cyber-attack on WH Smith’s Funky Pigeon website forced it to stop taking orders for about a week.
In 2022, the Guardian asked most of its staff to work from home after it was hit by a ransomware attack in which the personal data of UK staff members was accessed.
According to a government report in 2022, two in five UK businesses had reported cybersecurity breaches or attacks in the previous 12 months.
