Marks & Spencer has halted all orders through its website and apps as the retailer continues to battle the fallout from a cyber-attack that began on Monday.
The company apologised to shoppers for “this inconvenience” and paused digital orders “as part of our proactive management of a cyber incident”.
“Our experienced team – supported by leading cyber experts – is working extremely hard to restart online and app shopping,” it said.
The retailer said shoppers could continue to browse online and shop in its physical stores using cash or card.
The website closure comes after several days of problems in stores where contactless payments and the collection of online orders were hit from Monday. Contactless payments were restarted late on Thursday.
Customers who have already made an online order can collect it in stores once they have received notification but new orders cannot be placed. M&S said customers did not need to take any action, indicating that their details had not been accessed.
Shares in the retailer fell by as much as 4% on Friday after the announcement, before easing to close 2.3% down, making it one of the biggest fallers in the FTSE 100.
Just over a third of M&S’s clothing and homeware sales are made online and the forced stop in orders comes before a busy weekend period and expected heatwave that is likely to spur demand for clothing and kit for outdoor entertaining.
The cyber incident began on Monday, affecting contactless payments and click-and-collect orders in stores across the UK. However, there was a separate technical problem on the Saturday of the busy Easter weekend that affected only contactless payments.
M&S has hired cybersecurity experts to help investigate and manage the problem and said it was taking actions to further protect the network to ensure it could continue serving shoppers.
Security experts warned shoppers to watch out for scammers capitalising on the high profile incident.
Nicholas Found, the head of commercial content at Retail Economics, said: “The cyber-attack on Marks & Spencer is a stark reminder that no retailer, no matter how established or digitally sophisticated, is immune from the escalating threat of cybercrime.
after newsletter promotion
“While M&S bears the brunt of this particular attack, this is far from an isolated incident. Cyber-attacks are a systemic risk looming over the entire retail sector.”
The attack on M&S follows a number of similar incidents in recent years. In September, Transport for London was forced to close down many online services after a cyber-attack.
In 2023, Royal Mail was forced to ask customers to stop sending parcels and letters to overseas destinations after a cyber attack caused “severe service disruption” to international mail, and WH Smith was hit by an attack in which company data was accessed illegally, including the personal details of current and former employees. That came less than a year after a cyber-attack on WH Smith’s Funky Pigeon website forced it to stop taking orders for about a week.
In 2022, the Guardian asked most of its staff to work from home after it was hit by a ransomware attack in which the personal data of UK staff members was accessed.
According to a government report in 2022, two in five UK businesses had reported cybersecurity breaches or attacks in the previous 12 months.
