In recent weeks, M&S, one of the UK’s most recognised retailers, has faced significant operational disruption following a highly targeted cyber-attack. The incident, which occurred over the Easter weekend, led to the suspension of all online orders via the M&S website, mobile apps, and telephone. Though customers can still browse products online, the ability to place orders remains paused – and is likely to remain so until July.
M&S has described the cyber-attack as “sophisticated and targeted”, with initial effects seen in click-and-collect services and contactless payments. The breach did not directly compromise internal systems, but rather entered via a third-party supplier – a stark reminder of the risks posed by supply chain vulnerabilities. The retailer took immediate action by proactively taking down its own online services to safeguard customer data and prevent further intrusion.
CEO Stuart Machin highlighted the company’s swift response, crediting this to a cybersecurity simulation exercise held last year. According to Mr Machin, the business had contingency plans in place, allowing them to mobilise the right teams and take immediate defensive steps.
The police are reportedly investigating a well-known English-speaking hacker group called Scattered Spider, thought to be behind similar attacks on other major UK retailers. However, M&S appears to have been the most significantly impacted.
M&S has warned that the attack could cost the business up to £300 million in lost profits, with only a portion expected to be recovered through cyber-insurance. This figure accounts for both lost online sales and the additional costs of operating manually during the disruption.
Despite this, the company insists that the attack is a “bump in the road” and believes it will emerge stronger, with a renewed focus on digital infrastructure as part of its wider transformation strategy.
M&S plans a gradual return to online services in the coming weeks, aiming for 85% of its product range to be available relatively quickly. While disruption is expected to continue into July, the business remains optimistic about long-term recovery, backed by strong performance in the year leading up to the attack.
This incident underscores a critical truth: no business is immune to cyber threats — even one as established as M&S. It also highlights the importance of robust cyber readiness, including regular simulations, third-party risk assessments, and swift response planning.
If you’re unsure about your organisation’s cybersecurity posture, we can help. We offer a Free Online Cyber Security Assessment to assess your current defences and identify potential vulnerabilities . It’s a risk-free way to gain valuable insights and peace of mind.
