This is not just any 'cyber incident' … this is an M&S 'cyber incident'
- Reference: 1745338029
- News link: https://www.theregister.co.uk/2025/04/22/marks_spencer_cyber_incident/
Not included in the [1]LSE notification were details about when the incident took place or what kind of incident it is suspected to be, but an email to customers, seen by The Register, said Click & Collect orders were affected.
"Importantly, our stores remain open, and our website and app are operating as normal," the letter from CEO Stuart Machin reads. "There is no need for you to take any action at this time and if the situation changes, we will let you know. There may be some limited delays to your click and collect order, which we are working hard to resolve."
The Register asked M&S for additional details but it didn't immediately respond.
[3]Law firm 'didn't think' data theft was a breach, says ICO. Now it's nursing a £60K fine
[4]Pharmacist accused of using webcams to spy on women in intimate moments at work, home
[5]Oracle says its cloud was in fact compromised
[6]Toronto Zoo ransomware crooks snatch decades of visitor data
The retailer told the LSE that "minor, temporary changes" were made to its store operations, without revealing what they were, to protect customers and the business.
In keeping with the usual format of cyberattack disclosures, M&S said it had informed the [7]National Cyber Security Centre and [8]Information Commissioner's Office, and drafted outside experts to help manage the case. It did not mention payment information.
"Customer trust is incredibly important to us, and if the situation changes an update will be provided as appropriate."
Multiple social media users reported issues as far back as Saturday via X, ranging from returns being unavailable to Click & Collect orders being in store, but staff were unable to hand them over to shoppers due to technical difficulties. ®
[1] https://www.londonstockexchange.com/news-article/MKS/cyber-incident-update/16999905
[3] https://www.theregister.com/2025/04/16/law_firm_ico_fine/
[4] https://www.theregister.com/2025/04/09/pharmacist_accused_of_cyber_voyeurism/
[5] https://www.theregister.com/2025/04/08/oracle_cloud_compromised/
[6] https://www.theregister.com/2025/03/06/toronto_zoo_ransomware/
[7] https://www.theregister.com/2025/03/26/ncsc_influencers_2fa/
[8] https://www.theregister.com/2025/04/08/ico_recruitment_drive/
Customer trust is important
"Customer trust is incredibly important to us, and if the situation changes an update will be provided as appropriate."
Or.. we don't give a damn about you suckers (customers) and will give you, maximum, 5 years credit monitoring. And if the situation changes, we will say almost nothing, as our lawyers told us to do so.
Orders being in store, but staff were unable to hand them over
This is not a technical issue, it's an M&S lack of preparedness issue.
I've heard that contactless is offline in some stores too.
+1 for this since yesterday, a member of staff in my local M&S was posted to advise all shoppers entering that card payments were chip and pin only.
I bought some goods in store and the chip and pin payment was very slow to authorise, and also hasn't come off my available balance yet, or posted to my account, which probably makes me think they're being posted offline and they yanked the live data connection when they knew there was an issue. Hence the need for C&P and the fact it's very slow. Probably some sort of risk management kicking in before allowing an offline auth.
"This is not just any 'cyber incident' … this is an M&S 'cyber incident'"
M&S Marketing are gonna be pissed at you lot for that!
Priceless though :)
Priceless
You had better keep that comment handy for when a certain credit card processor gets cracked.
"having your data sold on the dark web. Priceless. For everything else there is …"
According to the BBC, reports of gift cards not working too. Which is great as I have one to spend.
The article title is low hanging fruit, but still amusing :-)
Click & Collect
As in: Click a Link, Collect Malware.