M&S pauses online orders following a cyber incident

News | Apr 2025 | Drapers

What: M&S suspends online orders across UK, Ireland, and international websites following a cyber incident that affected contactless payments and click-and-collect services.

Why it is important: The proactive suspension of digital operations by a major retailer sets a precedent for crisis management in retail cybersecurity, emphasizing transparency and preventive measures over maintaining business continuity at all costs.

Marks & Spencer has taken the decisive step of suspending online orders across its UK, Ireland, and international websites and apps in response to a cyber incident detected on April 21. This proactive measure extends beyond the initial impact on contactless payments and click-and-collect order processing, demonstrating the company's comprehensive approach to security management. While customers can still browse products online, purchasing functionality has been temporarily disabled as part of the retailer's strategic response to the situation. Physical stores continue to operate normally, highlighting the company's ability to maintain core operations while addressing digital vulnerabilities. The incident, which has already been reported to relevant data protection authorities and the National Cyber Security Centre, represents a significant shift in how major retailers handle cybersecurity threats, with M&S maintaining transparent communication while prioritising security over immediate commercial interests. This approach marks a notable change from their earlier assurances about normal website operations, reflecting the evolving nature of cyber incident management in retail.

IADS Notes: M&S's cyber incident and subsequent online order suspension reflect a growing pattern of digital vulnerabilities in retail. This development comes amid concerning industry trends, as April 2025 research revealed ransomware attacks account for 30% of retail security incidents, with average losses reaching USD 1.4 million per attack. The retailer's proactive approach to crisis management, including swift notification to authorities and transparent customer communication, aligns with evolving best practices, particularly following March 2025's unprecedented USD 5.4 billion industry loss from a single security update failure. The incident's impact on multiple channels while maintaining physical store operations mirrors similar challenges faced during the Blue Yonder attack in December 2024, which affected over 3,000 retailers' omnichannel capabilities. M&S's immediate notification to data protection authorities is particularly significant given recent findings that 86% of retailers use third-party tools, yet only 13% fully understand what data these systems collect, highlighting the complex balance between digital innovation and security compliance in modern retail.

