- M&S faced with a continuous disturbance after a cyber attack
- The attack assigned contactless payment and click and collection systems
- It is still not clear if customer data is affected
The British retail giant Marks Marks and Spencer had to withdraw certain offline systems and processes after undergoing a cyber attack that deactivated the endless and click and collect services in stores.
The disturbance has now continued for several days, many stores unable to treat contactless payments, and now click and collect a break in all stores. New updates have confirmed that M&S has now interrupted online orders because it deals with the attack, reports independent reports.
The retailer confirmed in a press release that to protect colleagues, partners, suppliers and the company, M&S “made the proactive decision to move some [of our] Offline process ”, which would be consistent with the response to a ransomware attack – although it is not yet clear if this is the case.
Retail at risk
Physical stores, the website and the M&S application are always operational, but this disturbance could be seriously expensive for a store as large as it is – because operational losses and the reputation of store reputation can be expensive.
The retail industry is a common target for cybercriminals, because even a few hours of stopping can cost millions of dollars, which makes companies more likely to pay a ransom, and therefore more vulnerable.
Earlier in 2025, the Walmart ‘Sam’s Club’ membership program was struck by a ransomware attack which would have affected thousands of staff – illustrating the vulnerability of the sector.
“The retail industry operates on a very low profit margin, and therefore the amount of attention or budget that they can grant to the fight against their cybersecurity posture are generally rare,” explains Pierre Noel, Field Ciso Emea at Encul.
“To remedy this, retailers must implement a continuous program for quantification of risks quantification. One of its results is to generate and evaluate credible incident scenarios, as well as identify attenuation controls and their associated costs. This information is very significant for senior executives and advice, communicates effectively, and their responsibility for determining the risks that are acceptable and which are not. ”
