M&S Grapples with Cyber Disruption as Experts Warn of Widening Security Gaps in UK Retail

Marks & Spencer, the iconic British retailer, is the latest company to fall victim to a disruptive cyber incident that has impacted in-store services across the UK, including contactless payments and order pickups. While the company has reassured customers that no data appears to have been compromised, the operational fallout has sparked renewed concern over the resilience of legacy retail infrastructure in an increasingly hostile threat landscape.


The issue, which began affecting contactless transactions on Saturday and escalated to online order collections by Monday, forced the company to implement what it called “minor, temporary changes” to in-store operations. In a regulatory filing, M&S confirmed that stores remain open and that its website and app are unaffected. Still, the company apologized for the inconvenience and acknowledged that click-and-collect delays are ongoing.


The retailer emphasized that neither customers nor staff need to take action at this time, but added that it had notified the National Cyber Security Centre and brought in external cybersecurity experts to manage the response and bolster defenses.


“Customer trust is incredibly important to us, and if the situation changes an update will be provided as appropriate,” the company said in a statement.


But while M&S has moved quickly to contain the disruption, cybersecurity professionals say this is yet another example of the widening disconnect between how companies perceive their cyber readiness and the reality of modern threat exposure.


“Data breaches like the one M&S experienced are not unique,” said James Hadley, Founder and Chief Innovation Officer at Immersive. “While M&S communicated the issue clearly and has likely invoked tried and tested incident response processes, attacks like these serve as important reminders that businesses' perception of their cyber resilience may not align with their actual capabilities.”


Hadley emphasized that even minor incidents can have far-reaching operational and reputational consequences. “No matter how big or small, breaches have the potential to damage an organization's bottom line, making frequent cyber drills essential to limiting their impact,” he said.


The episode joins a growing list of cyber disruptions that have rippled through the UK’s commercial and public sectors in recent years. From the ransomware attack that shuttered The Guardian’s offices in 2022, to the breach that paralyzed Royal Mail’s international deliveries in 2023, the UK's digital infrastructure has repeatedly been exposed as underprepared for sustained or sophisticated cyberattacks.


In the retail sector specifically, WH Smith has suffered multiple incidents—including one targeting its Funky Pigeon platform that forced it offline—and online complaints from M&S customers this week paint a picture of mounting frustration. “Could not collect my online purchase today, previous visit could not return an item as tills were down,” wrote one shopper from Plymouth on X. “Please sort out your poor IT situation.”


The British government’s own data reveals that 39% of UK businesses experienced a cyberattack or breach in the 12 months leading up to its 2022 cybersecurity report. And yet, many organizations still lack robust, organization-wide incident response strategies.


“In a world where a data breach or disruption is seemingly inevitable and increasingly expensive, check-the-box awareness is no longer enough,” Hadley warned. “Hands-on, measurable exercising programs for specific individuals, teams, and departments are essential in mitigating the impact of these events and ensuring businesses' most sensitive data remains secure.”


As retailers continue to digitize storefronts and supply chains, cyber risk is no longer confined to the IT department—it’s a board-level concern. For Marks & Spencer, this latest incident may be contained, but the message to the sector is clear: the gap between preparedness and performance is growing, and adversaries are watching.
