Marks & Spencer (M&S) has suspended all online orders as it works to recover from a major cyber attack.
Problems first surfaced over the weekend, and by Tuesday, M&S confirmed it was experiencing a "cyber incident." Since then, the retailer has paused all online and app-based orders — including food deliveries and clothing — and announced it would refund any orders placed last Friday.
Following the news, M&S shares dropped by 5% before making a partial recovery. As of Saturday morning, online services remained suspended.
"We sincerely apologize for this inconvenience," the company posted on X (formerly Twitter). "Our dedicated team, supported by leading cybersecurity experts, is working tirelessly to restore our online and app services. We are truly grateful for the patience and support of our customers, colleagues, and partners."
M&S emphasized that its physical stores continue to operate as normal, despite the disruption online.
Ongoing challenges
Prior to halting online orders, the cyber attack had already caused issues with contactless payments, Click & Collect, and the use of gift cards both online and in stores.
The company responded to customer concerns on social media, explaining that gift cards, e-gift cards, and credit receipts are still unusable for the time being. However, customers who have been notified that their orders are ready for collection can still pick up their items in-store, with parcels being held until further notice to avoid returns.
Frustrations have been mounting among customers. Some criticized the company’s communication, reporting repeated failed attempts to use gift cards in stores after being told the issue was resolved.
Meanwhile, others praised store employees for their professionalism and urged customers to be patient with frontline staff during this challenging period.
Despite efforts to reassure customers, many questions remain about how existing purchases, orders, and returns will be managed.
It’s important to note that Ocado — which sells M&S food online — remains unaffected, as it operates on a separate platform.
Cybersecurity response and investigation
The Information Commissioner's Office confirmed to the BBC that M&S is currently assessing the breach and has informed relevant authorities. The National Cyber Security Centre (NCSC) and the National Crime Agency are also involved in the investigation and support efforts.
In an investor update on Friday, M&S stated that suspending online orders was part of its "proactive management" of the situation. The company reaffirmed that it is working hard, alongside cybersecurity experts, to restore services and minimize disruption to customers.
Experts warn the financial impact could be significant. Nathaniel Jones, vice-president at cybersecurity firm Darktrace, noted that M&S’s decision to stop online sales highlights the "cascading impact" cyber attacks can have across digital and physical operations. William Wright of Closed Door Security added that with nearly a quarter of M&S sales occurring online, even a brief disruption could have a substantial effect on the company's bottom line.
M&S now joins a growing list of major brands that have faced serious digital disruptions recently. Last Christmas, Morrisons battled widespread order cancellations, and earlier this year, major banks such as Barclays and Lloyds suffered significant outages that affected millions of customers and businesses.
Photo by GianniM, Wikimedia Commons.