Marks & Spencer halts online orders and issues refunds after a cyber attack disrupts digital services, impacting gift cards, Click & Collect, and customer payments, while stores remain open.

Marks & Spencer (M&S) has temporarily suspended all online orders following a cyber attack that has disrupted its digital operations and impacted customer transactions. The British retail giant confirmed the “cyber incident” earlier this week after customers reported technical issues across its online platforms.

Initially, problems were confined to areas such as contactless payments, Click & Collect, and the use of gift cards. However, the situation escalated, prompting M&S to stop online orders altogether—including food deliveries, clothing purchases, and other e-commerce services. Customers who placed orders on Friday are now being issued refunds.

In a post shared on X (formerly Twitter), M&S apologized for the disruption and assured customers that it is working diligently with “leading cyber experts” to restore its website and app services. “We are truly sorry for this inconvenience,” the company said. “Our experienced team is working extremely hard to restart online and app shopping.”

Despite the online outage, M&S emphasized that its physical stores remain open and fully operational. Yet issues related to gift cards and digital receipts continue to affect some in-store purchases, leaving many customers frustrated.

Customer Frustration and Praise

The situation has sparked mixed reactions among customers. Several took to social media to vent their frustration over the retailer’s communication throughout the incident. One customer, sharing their experience on X, said it was the fourth consecutive day they had tried unsuccessfully to use an M&S gift card, despite assurances the issue had been resolved.

“I was told yesterday evening that the problem was sorted, but when I went to the store today, I was sent away again,” they wrote.

At the same time, others praised M&S staff for their professionalism and patience under difficult circumstances. Social media users urged fellow customers not to take their frustrations out on store employees, recognizing the frontline workers’ efforts to manage a situation beyond their control.

Uncertain Impact on Orders and Returns

The disruption has raised ongoing questions about the status of existing orders, returns, and refunds. M&S has assured customers that if they have received a collection notification, they can still pick up their orders in-store. “We’re holding all parcels in store until further notice, so there’s no risk of it being sent back,” the company clarified.

Nevertheless, confusion lingers for those awaiting refunds or trying to process returns, as the full impact of the cyber attack continues to unfold.

The retailer informed the Information Commissioner’s Office (ICO) about the incident and has also engaged with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) for support. A spokesperson for the ICO told the BBC that M&S is currently “assessing the information provided.”

In a statement to investors on Friday, M&S emphasized that its decision to pause online services was a part of its “proactive management” approach to the situation. It reiterated that restoring services remains a top priority.

Financial and Operational Fallout

The cyber attack has already had a noticeable impact on M&S’s financial performance. Following the announcement, the company’s shares initially fell by 5% before recovering slightly.

Cybersecurity experts warn that the fallout could have a deeper, long-term effect. Nathaniel Jones, vice-president of security and AI strategy at Darktrace, noted that the decision to halt online operations underscores “the cascading impact these attacks can have on revenue streams.”

William Wright, of cybersecurity firm Closed Door Security, highlighted that online sales account for nearly a quarter of M&S’s total revenue, making the online outage a significant blow. “No matter how long this pause is put in place, it will hurt M&S financially,” he said.

M&S is not alone in grappling with cyber vulnerabilities. The incident follows major disruptions at other UK brands, such as supermarket chain Morrisons and several banks, signaling a worrying trend of increased cyber threats against major institutions.

Meanwhile, online grocer Ocado, which operates separately but sells M&S food through its platform, confirmed it remains unaffected by the cyber attack.

As M&S works to restore its digital operations, the incident serves as a stark reminder of the fragility of online retail infrastructure in an era where cyber resilience is becoming more critical than ever.