Marks & Spencer Cyberattack: Why Your Click & Collect Order is Missing and Your Contactless Card is Crying

Well, it’s 2025, and yet again, another household name has been blindsided by a cyber incident. This time it’s everyone's beloved high street institution, Marks & Spencer. Because apparently, even getting your Percy Pigs safely from the shelf to your hands now requires dodging hackers.

Let’s get into it.

What Happened?

Earlier this week, M&S confirmed they're “managing a cyber incident” — which is PR speak for “something went bang, and now we're firefighting.” In a statement to the London Stock Exchange (because nothing screams 'we're on top of this' like telling the bankers first), M&S said:

"We have made some minor, temporary changes to store operations."

Translation?
If you tried to tap your card in-store or collect your online order and it went about as smoothly as a drunk giraffe on ice — now you know why.

Notably, physical stores are still open, and the website and app are fine (ish), but click-and-collect orders have been delayed, and contactless payments have been a hot mess.

Oh, and they also casually mentioned “a separate tech problem on Saturday affecting contactless payments”—not the same as the cyber incident, but equally annoying.

So that's two strikes in one weekend. Lovely.

Customer Chaos

Unsurprisingly, the British public, known for suffering in silence until it really matters (like queue etiquette violations), took to X (formerly Twitter) to vent.

One shopper in Plymouth moaned:

"Could not collect my online purchase today, previous visit could not return an item as tills were down ... please sort out your poor IT situation."

Another chimed in, pointing out that the tills were down for three days running in some locations.
And if there’s one thing the British don’t tolerate, it’s being delayed in their sacred M&S snack runs.

Marks & Spencer's Official Response

Trying their best to be reassuring, M&S’s chief executive Stuart Machin wrote to customers:

"I'm writing to let you know that over the last few days M&S has been managing a cyber incident. To protect you and the business, it was necessary to temporarily make some small changes to our store operations, and I am sincerely sorry if you experienced any inconvenience."

You’ve got to hand it to them — "small changes" is a hell of a spin when shoppers couldn’t pay properly or pick up orders they’d already paid for.

To their credit, M&S has roped in external cybersecurity experts (no, not the cousin who once formatted their laptop) and has involved the National Cyber Security Centre and the Information Commissioner’s Office — which is pretty standard for anything that could even remotely involve customer data.

Important note:
As of now, they’re insisting there’s no evidence of customer or staff data being stolen.
No action needed from your side — unless you count refreshing your app 32 times trying to see if your knickers order has been processed.

Why It Matters

M&S’s cyber wobble is just the latest in a disturbingly long conga line of attacks hitting UK companies.
We’re talking Royal Mail, WH Smith, Transport for London — basically, if it's a logo you grew up with, it’s either already been hacked or is living on borrowed time.

Let’s not forget: Government data shows that 40% of UK businesses reported a cyber breach or attack within a 12-month window—and that’s only the ones that admit it.

Retail is especially juicy for attackers — loads of payment data flying around, complex logistics systems ripe for disruption, and plenty of public-facing embarrassment when it all goes wrong.

(And let’s be honest: cybersecurity still isn’t seen as sexy enough by too many boardrooms, especially when shiny refurb projects and ad campaigns get the lion’s share of the budget.)

What Happens Next?

M&S has promised to "keep customers updated."

Which is corporate for "we’ll say as little as we can until this dies down."

They’re still pushing ahead with their scheduled full-year results announcement on 21st May 2025 — meaning this mess has landed right before they parade their financials to investors.
Timing: chef's kiss.

Hopefully, the external experts will dig through the chaos, patch up whatever glaring hole let this happen, and give M&S a wake-up call about modern cybersecurity risks.

Because let’s be real — if the place that sells your Victoria sponge and your work trousers can't stay online without getting smacked around by hackers, we've got bigger problems brewing.