Contactless payments and click-and-collect at Marks and Spencer (M&S) remain unavailable 72 hours after a cyber security incident at the retailer forced it to take the services offline.
Further details of the incident, which began on Monday 21 April – although a separate issue had dogged contactless payments earlier in the Easter weekend – remain unavailable, but M&S has enlisted third-party cyber forensics, as well as working alongside the National Cyber Security Centre (NCSC), to establish the facts.
In a further update published to its website late on 23 April, M&S said that in the course of its incident management activities, it continued to be necessary to alter some of its operations to preserve the security of both its customers, and the wider business.
“We have made the proactive decision to move some of our processes offline to protect our colleagues, partners, suppliers and our business,” said a spokesperson. “Our stores remain open and customers can continue to shop on our website and our app.
“However, we are not currently processing contactless payments, we have paused the collection of click-and-collect orders in stores, and there may be some delays to online order delivery times. We are incredibly grateful for the understanding and support that our customers, colleagues, partners and suppliers have shown.
“We are working hard to restore our services and minimise disruption and are being supported by industry-leading experts. We will continue to update as appropriate as we work to resolve these issues.”
Fraud may become an issue
M&S has already won some praise from cyber security professionals for playing a relatively straight bat when it comes to its incident disclosure and customer messaging.
However, as it has still been unable to confirm the precise nature of the cyber attack – a set of circumstances that inevitably leads to speculation about ransomware – customers may still be concerned about whether or not their financial and other personal data has been compromised.
For now, M&S is maintaining the line that there is no reason for consumers to take action. However, according to McAfee EMEA head Vonny Gamot, there are still some steps it might be wise to take.
“First, it’s important to know that high-profile attacks like this provide fresh opportunities for scammers,” she said. “Unfortunately, fraudsters looking to capitalise on the situation will launch further rounds of phishing attacks, usually via email or text, that direct people to bogus sites designed to steal sensitive information.
“Whether it’s an email requesting an alternate payment method due to missed transactions or a text asking you to reset your login details, it’s always wise to keep a cautious eye open.”
Fraudsters and scammers will frequently play on emotions by creating a sense of urgency in their messaging in an attempt to get potential victims to let their guard down.
Messages exploiting the M&S incident may, for example, imply that your data or money have been stolen and urge you to click on links to secure your accounts. If in doubt, said Gamot, best practice is to stop and question any unexpected or unsolicited contacts relating to the incident, and verify them with M&S.
Customers may also wish to update their passwords and keep an eye on their bank and credit card accounts. If any changes appear that you did not action, these need to be reported, and if you believe your data may have been taken, place a fraud alert on your credit cards to take advantage of additional scrutiny.
