Marks & Spencer has confirmed that its services will be disrupted until July, following a cyber attack that took place last month.
Customers have been unable to order products from M&S online for three weeks.
The news comes after an announcement last week that some customers’ personal data had been accessed in the recent attack on the company.
The retailer admitted that “personal customer data” had been stolen by the gang behind the attack. However, the company said this did not include “useable payment or card details” or passwords.
But M&S said that for “extra peace of mind” customers will be prompted to change their passwords next time they log in to their online accounts.
The company, which employs about 64,000 people and operates more than 1,400 stores globally, is continuing to investigate the breach.
Here’s what we know so far about the M&S cyber attack.
What happened in the M&S cyber attack?
Marks & Spencer first revealed the cyber attack on Monday, April 21, after customers reported payment issues and delays receiving online orders.
In an email to shoppers, M&S chief executive Stuart Machin wrote: “Over the last few days, M&S has been managing a cyber incident. To protect you and the business, it was necessary to temporarily make some small changes to our store operations, and I am sincerely sorry if you experienced any inconvenience.
“Importantly, our stores remain open, and our website and app are operating as normal. There is no need for you to take any action at this time, and if the situation changes, we will let you know.”
However, the BBC reported that some customers were frustrated by “disappointing” communication from the retailer.
As a result of the disruption, M&S has asked about 200 agency workers at its main distribution centre to stay home, due to a slowdown in order processing.
Ciaran Martin, the founding chief executive of the National Cyber Security Centre, told the BBC that the incident had "serious" consequences for M&S.
"This is a pretty bad episode of ransomware," he said.
"It is a highly disruptive event and a very difficult one for them to deal with."
"I would suggest there is a high level of confidence this is a ransomware-style event," Dan Card, cyber expert at BCS, the chartered institute for IT, told the BBC.
"I describe these as like a digital bomb has gone off. So recovering from them is often both technically and logistically challenging… the victim organisation is likely going to be working around the clock to respond and recover."
Ransomware is a type of malicious software that locks or encrypts a victim's data and demands payment, usually in cryptocurrency, to restore access.
Who was behind the M&S cyber attack?
The hacking group Scattered Spider is believed to be behind the cyber attack on Marks & Spencer, according to tech news outlet BleepingComputer.
It said the group was suspected of breaching M&S systems as early as February 2025, allegedly stealing the Windows domain's NTDS.dit file—a sensitive database containing user credentials. They are also believed to have used ransomware to encrypt parts of M&S's infrastructure.
Also called UNC3944, Octo Tempest or Muddled Libra, Scattered Spider is reportedly known for employing advanced social engineering tactics, including phishing and multi-factor authentication (MFA) fatigue attacks, to infiltrate large organisations.
Phishing tricks users into revealing sensitive information, while MFA fatigue involves bombarding users with repeated login requests in hopes they’ll approve one out of frustration or confusion.
"Scattered Spider is one of the most dangerous and active hacking groups we are monitoring," Graeme Stewart, the head of public sector at security company Check Point, told Sky News.
"Since they first appeared in 2022, they have been linked to more than 100 targeted attacks across industries such as telecoms, finance, retail and gaming.”
BleepingComputer reported that DragonForce ransomware was deployed to VMware ESXi hosts on April 24 to encrypt virtual machines. The group reportedly gained access to M&S systems and remained undetected for weeks.
Scattered Spider reportedly comprises young hackers, some as young as 16, who frequent hacker forums, Telegram channels, and Discord servers. Some members are also believed to be linked to the "Com”, a loosely affiliated community known for cyber and real-world criminal activity that has drawn media attention.
Following the breach, M&S enlisted CrowdStrike, Microsoft, and Fenix24 cybersecurity experts to help investigate and contain the incident. The company declined to provide BleepingComputer with additional details about the attack.
What impact has the cyber attack had on M&S?
Online orders were suspended in the UK and Ireland as a precaution, while there are “pockets of limited availability” across M&S stores. It has also been reported that certain stores, such as Liverpool, are being forced to reduce food items on mass, amid fears the stores are not as busy as usual.
"Since the incident, food sales have been impacted by reduced availability, although this is already improving,” M&S said.
"We have also incurred additional waste and logistics costs, due to the need to operate manual processes, impacting profit in the first quarter.
"In Fashion, Home & Beauty, online sales and trading profit have been heavily impacted by the necessary decision to pause online shopping, however stores have remained resilient.”
M&S estimates that it will lose approximately £300 million as a result of the cyber attack.
"As a team, we have worked around the clock with suppliers and partners to contain the incident and stabilise operations, taking proactive measures to minimise the disruption for customers,” the retailer said.
"We are focused on recovery, restoring our systems, operations and customer proposition over the rest of the first half, with the aim of exiting this period a much stronger business.”
Nayna McIntosh, a former M&S executive and founder of Hope Fashion, said the decision to halt online orders was comparable to “cutting off a limb.”
Susannah Streeter, head of money and markets at Hargreaves Lansdown, said the pause on online orders will be “hugely damaging for sales”.
“Fashion sales are likely to take a big hit particularly as the attack has come during the spell of warm weather when summer ranges would ordinarily be piling up in virtual baskets,” she added. “While other retailers have not been immune to IT breaches, the depth of Marks and Spencer’s problems in resolving the issue are worrying, and it may take some time to win back some warier shoppers.”
Shares fell 2.2 per cent to 377.3p at the end of April, with more than £700 million wiped from the company’s market value since the cyber attack.
When will I be able to order online from M&S again?
It is not yet known exactly when M&S will be able to take online orders again.
However, the company revealed that it expects disruption up until late July.
"We expect online disruption to continue throughout June and into July as we restart, then ramp up operations," M&S said.
