On the morning of April 22, shoppers across the UK began reporting issues with contactless payments in Marks & Spencer stores. Initially dismissed as isolated technical glitches, the problem quickly turned into something much more concerning.
Customers were told to use chip-and-pin, but even then, some terminals were very slow. Self-checkouts stalled. Some of the stores briefly closed their doors to troubleshoot. By midday, it was clear: something was wrong, and it wasn’t just a glitch.
As contactless payments failed, even for small purchases, staff began reverting to manual stock checks and handwritten records. Gift cards and Sparks loyalty points could not be processed, and digital receipts and order lookups were unavailable at checkouts.
No Official Word—Yet
Despite a growing number of complaints on social media, M&S issued no public statements for much of the day. Staff at certain locations informed customers that the matter was “being looked into,” though no specifics were disclosed regarding the nature or extent of the issue.
The prolonged silence led many customers to take to social media, speculating about the cause of the disruption.
Internally, the situation was far more serious than it appeared. Sources inside the company say its IT team first detected erratic behaviour on authentication servers and internal communications platforms at approximately 05:00 BST.
One customer in Leeds said, “I just popped in for lunch, and suddenly no one could pay. The staff were helpful, but it was chaos.”
Why This Wasn’t Just a Payment Issue
While the most visible problems occurred in-store, IT experts say failures like these often point to something deeper.
Cybersecurity analyst William Wright explains:
“When POS terminals fail across multiple branches simultaneously—and gift card systems go down too—that usually suggests a back-end issue affecting authentication or transaction validation services. It’s rarely just one component failing.”
As more information emerged, it became clear that this was the early stage of a full-scale ransomware attack, likely orchestrated by the group known as Scattered Spider.
The group’s tactic of using social engineering to obtain administrative credentials is believed to have granted them deep access to M&S systems well before the first checkout failure.
The cyberattack had not yet been confirmed, and the company had issued no statement. But for those inside M&S—and those shopping in its stores—it was already becoming a serious issue.