Early this morning, M&S finally issued a public update. In a brief message shared on its website and social media, the retailer confirmed it was dealing with a “cyber incident” that had disrupted parts of its digital systems.
We’re truly sorry for the inconvenience. Our experienced team—supported by leading cyber experts—is working extremely hard to restart online and app shopping.
– Official M&S statement
While the language was cautious, carefully avoiding terms like “ransomware” or “attack,” the message was clear: this wasn’t a technical glitch. It was an intrusion.
What Was Working—And What Wasn’t
By this point, the scale of the disruption has gone viral. Online orders for food, clothing, homeware, and gifts were completely frozen. The M&S app either wouldn’t load or crash during checkout.
Click & Collect orders were stuck. Even for customers who’d already received pick-up confirmations. Gift cards, Sparks loyalty points, and digital receipts were all inaccessible.
Some stores were still struggling with contactless payments, although chip-and-pin had mostly come back online.
Even warehouse operations were feeling the pressure, with staff reportedly having to run order-tracking and distribution systems manually—or not at all.
The public reaction to M&S’s confirmation was a mix of relief, frustration, and understanding. On one hand, customers finally had an answer. On the other hand, they were now faced with the reality that their personal data might be compromised, and no one yet knew how bad it was.
On X, one customer wrote:
Glad you finally said something. But I’ve had £100 stuck on a gift card for days and no answers. This isn’t good enough from a company like M&S.
Others were more empathetic:
Cyberattacks are a nightmare. Don’t take it out on the staff—they’re doing their best.
Now that the report on the possible breach has been made public, M&S has entered a critical new phase of its response. External experts were brought in to isolate affected systems and trace the attacker’s movements.
The company formally notified the Information Commissioner’s Office (ICO) and began working with the National Cyber Security Centre (NCSC). Police got involved too, with the National Crime Agency coordinating the investigation.
Inside M&S, a major incident command centre was set up, bringing together IT, legal, and PR teams working around the clock. An internal source close to the response described the atmosphere as “controlled chaos—triage at scale.”
Although markets had remained relatively stable early in the week, M&S shares began to feel the pressure once the cyberattack was confirmed. By late afternoon, the company’s stock dipped nearly 5%, wiping hundreds of millions off its market cap.
Investors were alarmed by the scope of the shutdown, particularly the complete freeze on online shopping—a vital revenue stream that accounts for roughly 25% of M&S’s sales.
With the breach now public and systems still offline, M&S faces a tough road ahead. How long would it take to get online shopping back? Was customer data at risk of being leaked or held for ransom? And could stores handle the pressure while digital operations were stuck? These questions are yet to be answered.
