Over the past few days, Marks and Spencer’s (M&S) has been hit by a cyber incident that affected its contactless payments and online ordering systems.
The issue started a few days ago, when customers on X complained about being unable to pick up online orders. It then widened, as customers could no longer pay with contactless cards. Many people had to abandon their shopping, and the outage became a wider revenue threat for M&S.
According to UK Finance, in 2023, 93.4% of in-store card transactions in the UK under £100 were contactless. For a national retailer, the inability to accept these payments can have huge effects on the business.
In a note to all customers, the CEO announced that customers did not have to take any action, and that the supermarket was taking steps to resolve the issue. However, the incident is not the first of its kind in the UK and raises the question: Do retailers take cybersecurity seriously enough?
Cyber Security Incidents For UK Retailers
The incident at M&S is disruptive, but it’s not unique. Over the years, a handful of UK high street names have had their own cybersecurity incidents, including:
JD Sports: In 2023, JD Sports suffered a cyberattack that leaked the data of 10m customers, including names, delivery addresses and order history.
WH Smith: WH Smith was hit by an attack in 2013, where hackers accessed the personal details of its current and former staff.
Zellis: In June 2023, the company looking after British Airways’, BBC and Boots’ payroll (Zellis) announced it had suffered a cyber attack, leaking important details of all employees. This left staff vulnerable to fraud.
British Airways: Only a few years before the Zellis incident, in 2018, hackers breached British Airways’ website and app, stealing the personal and financial information of around 400,000 people. This led to British Airways paying a £20m fine for not protecting the details of their customers.
So we know that businesses are at risk of cyber attacks – but the real question is – what more can they do to prevent it?
To find out, we asked the experts for their thoughts on the M&S incident and advice to other retailers. Here’s what they had to say…
Our Experts
- Dennis Martin, Crisis Management and Business Resilience Specialist at Axians UK
- Jamie Moles, Senior Technical Manager at ExtraHop
- Rob Cottrill, Technology Director at ANS
- Jonathan Dedman, Director at Cloudhouse
- Rebecca Moody, Head of Data Research at Comparitech
- James Hadley, Founder and Chief Innovation Officer at Immersive
- James Lei, Chief Operating Officer at Sparrow
Dennis Martin, Crisis Management and Business Resilience Specialist at Axians UK
“Incidents like this serve as a reminder that cybersecurity is no longer just an IT concern, but a core operational risk. M&S’s swift action and transparency in working with the NCSC is exactly the kind of leadership we need to see more of across the industry.
“What’s crucial now is learning from this, ensuring systems and operational processes are resilient, communications are clear and contingency plans are in place and tested regularly. As cyber threats become more sophisticated, it’s not about eliminating risk entirely, but about responding effectively and maintaining customer trust when the unexpected happens.”
Jamie Moles, Senior Technical Manager at ExtraHop
“While we don’t yet have the full details of the M&S cyber incident, the company’s dedication to protecting the network highlights the critical importance of a modern network security strategy.
“Incidents like this demonstrate how essential it is to have real-time visibility, threat detection and rapid response capabilities across all digital infrastructure. Network visibility can play a pivotal role, helping organisations detect anomalies early, isolate potential threats and maintain service continuity.
“In today’s environment of increasingly sophisticated attacks, proactive network security isn’t just a technical requirement, it’s a core part of exposing risks and maintaining operational resilience.”
Rob Cottrill, Technology Director at ANS
“While we do not yet know the nature of the cyber incident, an immediate priority for impacted Dell customers will be to be wary of communications around recent orders, as these could be fraudulent. Malicious actors may seek to gain more data through targeted attacks using the information stolen.”
“The cyber incident is a stark reminder that no organisation is completely immune from cyber threats, no matter their size or sector. It serves as a call to action for companies to reassess their proactive cyber security strategies and incident response plans.
“Prevention is of course preferable, but should the worst happen, businesses need the ability to react quickly to contain the damage and minimise the impact on customers, no matter the type of data involved in a breach.”
Jonathan Dedman, Director at Cloudhouse
“M&S is the latest retailer to be hit with a cyber security breach that has impacted the ability of its end customers to buy goods. In the last 12 months, we have seen large retail companies and high street banks all hit with issues affecting their ability to transact with their customers, which resulted in unhappy customers and damaged reputations.
“With the increasing threat of bad actors, organisations need to be prepared for breaches and outages and have plans in place to restore service as quickly as possible. Operational resilience regulations, such as the Cyber Security and Resilience Bill and EU DORA, are helping the industry to focus on ensuring key financial services structures and key national infrastructure are mandated to build resilience and protection into their operations.
“Organisations like M&S need to apply similar focus to its operations and build as much resilience as practical into its infrastructure and processes.
“Cyber threats will only become more prevalent and complex, so organisations need to be prepared to handle attacks and ensure that their critical suppliers are also prepared.”
Rebecca Moody, Head of Data Research at Comparitech
“While this incident hasn’t been confirmed as a ransomware attack, it does bear the hallmarks of one with systems being taken offline. M&S was quick to confirm this as a cybersecurity incident, but we now need further information on the type of attack and whether or not data has been impacted, so customers can be prepared.
“So far this year, we’ve tracked 11 confirmed attacks on retailers around the world. This follows a consistent uptick in attacks from 2022 to 2024, too (48 attacks in 2022, 65 in 2023, and 74 in 2024). Across these attacks, we’ve noted an average ransom of $4.8 million. The sector has also faced significant data breaches as a result of these attacks with nearly 61 million records breached from 2022 to present.
“This highlights the dominant threat ransomware presents to retailers, as these attacks have the ability to not only cause widespread disruption (as we’re seeing with M&S) but ongoing consequences when data is breached.”
James Hadley, Founder and Chief Innovation Officer at Immersive
“Data breaches like the one M&S experienced are not unique. While M&S communicated the issue clearly and has likely invoked tried and tested incident response processes, attacks like these serve as important reminders that businesses’ perception of their cyber resilience may not align with their actual capabilities.
“No matter how big or small, breaches have the potential to damage an organization’s bottom line, making frequent cyber drills essential to limiting their impact. As the threat landscape continues to evolve, offering realistic crisis simulations is necessary to instil confidence in business leaders and give them the proof they need to better understand their organisation’s cyber capabilities and shortcomings.
“In a world where a data breach or disruption is seemingly inevitable and increasingly expensive, check-the-box awareness is no longer enough. Hands-on, measurable exercising programs for specific individuals, teams, and departments are essential in mitigating the impact of these events and ensuring businesses’ most sensitive data remains secure.”
James Lei, Chief Operating Officer at Sparrow
“The recent M&S outage shows just how vulnerable large retailers can be to cyberattacks – and how disruptive these incidents are when they hit payment systems. Shoppers couldn’t use contactless in-store, click-and-collect was suspended, and online orders were delayed. Even if customer data wasn’t compromised, the business impact is significant. It’s not just lost sales – it’s trust, reputation, and confidence that take a hit too.
“Some retailers are taking cybersecurity seriously, but many are still reacting rather than preparing. Regular audits and patching are basic hygiene. What’s needed is a more proactive mindset: ongoing threat monitoring, rehearsed incident response plans, and clear accountability from the board down. Cybersecurity can’t sit in a silo – it has to be baked into operations, especially in environments where digital and physical systems are tightly linked.
“Retailers also need to test for weaknesses more often. Red team simulations, stress testing payment systems, and checking third-party risks aren’t nice-to-haves – they’re essentials. Cybersecurity is no longer just about protecting data. It’s about keeping your business running when things go wrong. What we’re seeing now is a reminder: it’s not a question of if a cyberattack will hit, but when – and how ready you’ll be when it does.”