M&S Cyber Attack: Do Retailers Take Cybersecurity Seriously Enough?

Over the past few days, Marks and Spencer (M&S) has been hit by a cyber incident that affected its contactless payments and online ordering systems.

The issue started a few days ago, when customers on X were complaining about not being able to pick up online orders. This then became a wider issue, as customers were no longer able to pay with contactless cards. This left many people having to abandon their shopping and became a wider revenue threat for M&S.

According to UK Finance, in 2023, 93.4% of in-store card transactions in the UK under £100 were contactless. For a national retailer, the inability to accept these payments can have huge effects on the business.

In a note to all customers, the CEO announced that customers did not need to take any action, and that the retailer was taking steps to resolve the issue. However, the incident is not the first of its kind in the UK and raises the question: do retailers take cybersecurity seriously enough?

Cyber Security Incidents For UK Retailers

The incident at M&S is disruptive, but it’s not unique. Over the years, a handful of UK high street names have had their own cybersecurity incidents, including:

  • JD Sports: In 2023, JD Sports suffered a cyberattack that leaked 10m customers’ data, including names, delivery addresses and order history.
  • WH Smith: WH Smith was hit by an attack in 2013, in which hackers accessed the personal details of its current and former staff.
  • Zellis: In June 2023, the company looking after British Airways’, the BBC’s and Boots’ payroll (Zellis) announced it had suffered a cyber attack, leaking important details of all employees. This left staff vulnerable to fraud.
  • British Airways: Only a few years before the Zellis incident, in 2018, hackers breached British Airways’ website and app, stealing the personal and financial information of around 400,000 people. This led to British Airways paying a £20m fine for not protecting the details of its customers.

So we know that businesses are at risk of cyber attacks, but the real question is: what more can they do to prevent them?

To find out, we asked the experts for their thoughts on the M&S incident and advice to other retailers. Here’s what they had to say…

Our Experts

  • Dennis Martin, Crisis Management and Business Resilience Specialist at Axians UK
  • Jamie Moles, Senior Technical Manager at ExtraHop
  • Rob Cottrill, Technology Director at ANS
  • Jonathan Dedman, Director at Cloudhouse
  • Rebecca Moody, Head of Data Research at Comparitech
  • James Hadley, Founder and Chief Innovation Officer at Immersive
  • James Lei, Chief Operating Officer at Sparrow

Dennis Martin, Crisis Management and Business Resilience Specialist at Axians UK

“Incidents like this serve as a reminder that cybersecurity is no longer just an IT concern, but a core operational risk. M&S’s swift action and transparency in working with the NCSC is exactly the kind of leadership we need to see more of across the industry.

“What’s crucial now is learning from this, ensuring systems and operational processes are resilient, communications are clear and contingency plans are in place and tested regularly. As cyber threats become more sophisticated, it’s not about eliminating risk entirely, but about responding effectively and maintaining customer trust when the unexpected happens.”

Jamie Moles, Senior Technical Manager at ExtraHop

“While we don’t yet have the full details of the M&S cyber incident, the company’s dedication to protecting the network highlights the critical importance of a modern network security strategy.

“Incidents like this demonstrate how essential it is to have real-time visibility, threat detection and rapid response capabilities across all digital infrastructure. Network visibility can play a pivotal role, helping organisations detect anomalies early, isolate potential threats and maintain service continuity.

“In today’s environment of increasingly sophisticated attacks, proactive network security isn’t just a technical requirement, it’s a core part of exposing risks and maintaining operational resilience.”

Rob Cottrill, Technology Director at ANS

“While we do not yet know the nature of the cyber incident, an immediate priority for impacted Dell customers will be to be wary of communications around recent orders, as these could be fraudulent. Malicious actors may seek to gain more data through targeted attacks using the information stolen.”

“The cyber incident is a stark reminder that no organisation is completely immune from cyber threats, no matter their size or sector. It serves as a call to action for companies to reassess their proactive cyber security strategies and incident response plans.

“Prevention is of course preferable, but should the worst happen, businesses need the ability to react quickly to contain the damage and minimise the impact on customers, no matter the type of data involved in a breach.”

Jonathan Dedman, Director at Cloudhouse

“M&S is the latest retailer to be hit with a cyber security breach that has impacted the ability of its end customers to buy goods. In the last 12 months, we have seen large retail companies and high street banks all hit with issues affecting their ability to transact with their customers, which resulted in unhappy customers and damaged reputations.

“With the increasing threat of bad actors, organisations need to be prepared for breaches and outages and have plans in place to restore service as quickly as possible. Operational resilience regulations, such as the Cyber Security and Resilience Bill and EU DORA, are helping the industry to focus on ensuring key financial services structures and key national infrastructure are mandated to build resilience and protection into their operations.

“Organisations like M&S need to apply similar focus to their operations and build as much resilience as practical into their infrastructure and processes.

“Cyber threats will only become more prevalent and complex, so organisations need to be prepared to handle attacks and ensure that their critical suppliers are also prepared.”

Rebecca Moody, Head of Data Research at Comparitech

“While this incident hasn’t been confirmed as a ransomware attack, it does bear the hallmarks of one with systems being taken offline. M&S was quick to confirm this as a cybersecurity incident, but we now need further information on the type of attack and whether or not data has been impacted, so customers can be prepared.

“So far this year, we’ve tracked 11 confirmed attacks on retailers around the world. This follows a consistent uptick in attacks from 2022 to 2024, too (48 attacks in 2022, 65 in 2023, and 74 in 2024). Across these attacks, we’ve noted an average ransom of $4.8 million. The sector has also faced significant data breaches as a result of these attacks with nearly 61 million records breached from 2022 to present.

“This highlights the dominant threat ransomware presents to retailers, as these attacks have the ability to not only cause widespread disruption (as we’re seeing with M&S) but ongoing consequences when data is breached.”

James Hadley, Founder and Chief Innovation Officer at Immersive

“Data breaches like the one M&S experienced are not unique. While M&S communicated the issue clearly and has likely invoked tried and tested incident response processes, attacks like these serve as important reminders that businesses’ perception of their cyber resilience may not align with their actual capabilities.

“No matter how big or small, breaches have the potential to damage an organization’s bottom line, making frequent cyber drills essential to limiting their impact. As the threat landscape continues to evolve, offering realistic crisis simulations is necessary to instil confidence in business leaders and give them the proof they need to better understand their organisation’s cyber capabilities and shortcomings.

“In a world where a data breach or disruption is seemingly inevitable and increasingly expensive, check-the-box awareness is no longer enough. Hands-on, measurable exercising programs for specific individuals, teams, and departments are essential in mitigating the impact of these events and ensuring businesses’ most sensitive data remains secure.”

James Lei, Chief Operating Officer at Sparrow

“The recent M&S outage shows just how vulnerable large retailers can be to cyberattacks – and how disruptive these incidents are when they hit payment systems. Shoppers couldn’t use contactless in-store, click-and-collect was suspended, and online orders were delayed. Even if customer data wasn’t compromised, the business impact is significant. It’s not just lost sales – it’s trust, reputation, and confidence that take a hit too.

“Some retailers are taking cybersecurity seriously, but many are still reacting rather than preparing. Regular audits and patching are basic hygiene. What’s needed is a more proactive mindset: ongoing threat monitoring, rehearsed incident response plans, and clear accountability from the board down. Cybersecurity can’t sit in a silo – it has to be baked into operations, especially in environments where digital and physical systems are tightly linked.

“Retailers also need to test for weaknesses more often. Red team simulations, stress testing payment systems, and checking third-party risks aren’t nice-to-haves – they’re essentials. Cybersecurity is no longer just about protecting data. It’s about keeping your business running when things go wrong. What we’re seeing now is a reminder: it’s not a question of if a cyberattack will hit, but when – and how ready you’ll be when it does.”