Marks & Spencer (M&S) has been targeted by a cyberattack, affecting its operations, particularly the Click and Collect service. The British multinational retailer, which runs over 1,400 stores globally, confirmed the incident and is working with cybersecurity experts to manage the situation. In a regulatory filing on the London Stock Exchange, M&S disclosed the cybersecurity incident.
“Marks and Spencer Group plc (the Company, or M&S) has been managing a cyber incident over the past few days,” the statement said. “As soon as we became aware of the incident, it was necessary to make some minor, temporary changes to our store operations to protect customers and the business and we are sorry for any inconvenience experienced. Importantly, our stores remain open and our website and app are operating as normal.”
Although specific details about the cyber incident were not undisclosed, the retailer said that it had reported it to relevant data protection supervisory authorities and the National Cyber Security Centre.
The Information Commissioner’s Office (ICO), the UK’s data protection watchdog, confirmed it had been informed of the situation. “Marks & Spencer has made us aware of an incident and we are assessing the information provided,” a spokesperson told BBC News.
Cyber incident affects M&S’s Click and Collect service
The cyberattack disrupted M&S’s Click and Collect service, and customers were advised to wait for email notifications before collecting orders from stores. Some technical issues were also reported in the contactless payment system. M&S has reached out to affected customers via email, apologising for the inconvenience and assuring them that efforts are underway to restore regular service.
In a communication to customers, M&S chief executive Stuart Machin apologised for the disruption and said the company had made temporary changes to operations as a precautionary measure. “There is no need for you to take any action at this time,” wrote Machin. “If the situation changes, we will let you know.”
There has been no public claim of responsibility for the cyberattack. The company has not confirmed whether the incident involves ransomware or data theft.
The incident follows a series of recent IT-related disruptions affecting major UK retailers and financial institutions. Last year, supermarket chain Morrisons experienced operational issues linked to a cyberattack on its technology provider, Blue Yonder. The company later confirmed that the disruption affected product availability and had an impact on sales during the Christmas period. Earlier this year, banks including Barclays and Lloyds also reported IT disruptions.
Read more: Cyber breaches fall to 43% of UK businesses, but cybercrime remains high
