Marks & Spencer has been battling a severe cyber-related IT outage since last Friday, during which its website has been unable to accept clothing and homeware orders. The FTSE 100 retailer has also paused click-and-collect orders, struggled to process contactless card payments in stores and, in some locations, stopped accepting product returns.
On Monday, M&S informed customers that it could not estimate when its online services would be back up and running. Around 200 agency staff at its central distribution hub in Leicestershire were told to stay home amid a sharp drop in order volumes. With online clothing and homeware sales averaging roughly £3.5 million per day (totaling £1.27 billion in 2024).
Since disclosing the incident last Tuesday, M&S’s share price has fallen over 7 per cent, equating to a £678 million reduction in its market capitalisation. The retailer, which reports full-year results on May 21, had posted an adjusted pre-tax profit of £716.4 million for the 2023–24 financial year. Chief Executive Stuart Machin’s turnaround strategy is now under fresh pressure as operational recovery timelines remain uncertain.
Cyber-security specialists suggest the disruption bears the hallmarks of a ransomware attack, where hackers lock systems or steal data in exchange for payment. M&S has declined to confirm the nature of the breach but has reported the incident to the Information Commissioner’s Office and is coordinating with the National Cyber Security Centre. Legal experts note M&S must determine whether its attackers seek a ransom or publicity, and assess the extent of any data theft.
Despite anticipated customer frustration, some analysts believe the incident will inflict limited long-term damage on M&S’s brand. However, they caution that competitors including Next, Zara and online pure-plays are likely to capitalise on disaffected shoppers and lost sales in the near term. M&S’s resilience will hinge on the speed of its IT restoration and its ability to win back customer confidence.
