London: Marks & Spencer (M&S) has halted all online orders after a major cyber-attack crippled its digital operations, disrupting shopping services, angering customers, and raising new questions about cybersecurity resilience in the retail sector.
The British retailer confirmed earlier this week that it was dealing with an ongoing “cyber incident” and announced on Friday that it had suspended all orders across its website and mobile apps.
Customers placing orders for food deliveries, clothing, and home goods have been promised full refunds.
Although physical stores remained open, many customers reported widespread difficulties using contactless payments, gift cards, and click-and-collect services. The company admitted that gift cards, e-gift cards, and credit receipts were still unusable in-store or online.
However, some shoppers criticized M&S for poor communication, complaining that they had been misinformed about the resolution of payment issues.
M&S (@marksandspencer) posted "An update from M&S" on April 25, 2025: pic.twitter.com/PSbIGHJtMY
M&S reported the cyber-attack to the National Cyber Security Centre (NCSC) and the National Crime Agency. Britain’s Information Commissioner’s Office confirmed that it is “assessing the information provided” to determine next steps.
While the exact nature of the cyber incident remains unclear, experts say the fallout could be financially significant.
The attack comes amid a wave of digital disruptions affecting major UK companies. Retailer Morrisons and several leading banks, including Barclays and Lloyds, have suffered from major IT outages and cyber-attacks over the past year, highlighting the growing vulnerability of critical digital infrastructure.
M&S has not given a timeline for when online services will resume but said it is working urgently with leading cybersecurity firms to restore its systems fully.