It’s the second day, April 23, and customers returned to M&S (Marks & Spencer) stores hoping the glitches from the day before had been resolved.
Instead, many customers found that contactless payments remained unavailable, digital receipts were not being issued, and gift cards had also become unusable.
Online shoppers, meanwhile, noticed unusual behaviour; the website was slow to respond, app login attempts occasionally failed, and Sparks reward points were not displaying correctly.
Yet M&S issued no public update. No tweets, no banners on the website, no emails. It was business-as-usual. Sources close to the company have since revealed that Marks & Spencer activated its full cyber incident protocol.
The response involved shutting down non-essential internal systems to prevent potential lateral movement by attackers and isolating server clusters that appeared to have been compromised.
External digital forensics teams, both from within the UK and abroad, were called in to assist with the investigation.
Along with all the protocols, the company initiated manual backups of financial, inventory, and user data in an effort to prevent total data loss.
Employees said it felt like something out of a tech “panic room.” Messaging apps were stripped down to the basics, meeting rooms turned into crisis centers, and calls with cybersecurity experts ran nonstop.
One IT worker later said, “It was the most intense 24 hours of my career. We knew this wasn’t just a bug—it was a breach.”
What Customers Were Saying
With no word from M&S, speculation ran wild on social media. Was it a technical failure? A ransomware attack? A failed software update? Some assumed it was just another post-Easter tech hiccup—but those who’d worked in IT or retail knew better.
It’s unusual for a company of this size to go totally silent, one retail analyst tweeted. “That usually means legal teams are involved and systems are being quarantined.”
Why No Statement Yet?
In high-stakes cyberattacks, silence doesn’t always mean incompetence—it’s often part of the strategy. It’s the second day, M&S had likely already involved law enforcement (as was later confirmed), alerted the Information Commissioner’s Office (ICO) about a possible data breach, and started tracking the attacker’s digital trail to understand how far the breach had gone.
Issuing a public statement too early—especially without knowing what was taken, or how much was at risk could have created more confusion, or worse, tipped off the attackers.
