Marks and Spencer shoppers have been greeted with empty shelves after a cyber attack paralysed the store’s payment systems.
Online orders have been paused on the M&S website and app since Friday, following issues with contactless pay and Click & collect over Easter.
Shares in the high street fixture have plummeted since the attack, and now it seems the stock has also taken a hit.
Some M&S supermarkets display signs on food shelves reading: ‘Please bear with us while we fix some technical issues affecting product availability.’
Fresh fruit and even Colin the Caterpillar cakes are in short supply in some supermarkets, from central London to Aberdeen, Scotland.
While shoppers have also spotted M&S hot food counters being ‘temporarily closed’.
Mark O’Reilly, a radio presenter, shared photos of empty shelves lining the M&S in Foyleside, a shopping centre in Derry, Northern Ireland, yesterday.
‘Now this is becoming a common issue with this store every time I visit,’ he said.
Another shopper added: ‘I checked the M&S Aberdeen status online and drew cash as a precaution.
‘I then drove one hour, paid for parking, and found an empty M&S on Sunday, 27/4. Staff say the cyber attack is the cause.
‘I appreciate the ongoing issues but M&S need to keep customers better informed.’
An M&S spokesperson said: ‘As part of our proactive management of the incident, we took a decision to take some of our systems temporarily offline.
‘As a result, we currently have pockets of limited availability in some stores.
‘We are working hard to get availability back to normal across the estate.’
Although issues with contactless pay, Click & Collect and gift cards have been resolved, customers can still not place online orders.
M&S has also suspended deliveries on some items to Ocado, an online grocery company
Each post shared M&S’ Instagram account is now flooded with comments on the ongoing disruption, with one mum writing that her daughter, who works for the business, ‘has returned home in tears due to the abuse by a handful of customers’.
Responding to another woman asking what had happened to her order, a customer service rep warned that ‘any orders placed after Wednesday April 23 – for home delivery or Click & Collect – will not be processed and customers will receive a full refund’.
In their latest official update to customers, on Friday, Marks said: ‘As part of our proactive management of a cyber incident, we have made the decision to pause taking orders via our M&S.com websites and apps. Our product range remains available to browse online. We are truly sorry for this inconvenience. Our stores are open to welcome customers.
‘We informed customers on Tuesday that there was no need for them to take any action. That remains the case, and if the situation changes we will let them know.
‘Our experienced team – supported by leading cyber experts – is working extremely hard to restart online and app shopping.
‘We are incredibly grateful to our customers, colleagues and partners for their understanding and support.’
The business has not revealed the nature of the ‘cyber incident’,
However, Nathaniel Jones, VP of Security & AI Strategy at cybersecurity firm Darktrace, said: ‘M&S taking systems offline suggests this is likely a ransomware-related event.
‘It demonstrates how quickly cyber incidents can cripple retail operations across both digital and physical channels and the suspension of online orders shows the cascading impact these attacks can have on revenue streams.
‘Retailers are increasingly targeted because they combine valuable customer data with complex, interconnected systems.
‘M&S should be in good hands with support from both (the National Cyber Security Centre) NCSC and (the National Crime Agency) NCA. Their quick action to isolate affected systems shows appropriate crisis management, but this incident highlights why cybersecurity must be a fundamental business priority, not just an IT concern.’
Problems began a week ago, when shoppers were unable to use contactless payment, including Apple Pay, in stores.
While this was eventually fixed, the company then suspended online orders, with no date given for when they are expected to be running again.
Marks and Spencer reported the issues to the NCSC and hired cybersecurity experts to investigate further.
This article was first published on April 28, 2025.
Get in touch with our news team by emailing us at webnews@metro.co.uk.
For more stories like this, check our news page.