Being unable to take contactless payments over the busy Easter bank holiday weekend has got to rank pretty highly in the list of retailer nightmare scenarios. But that’s exactly what happened to M&S last weekend, following a “cyber incident” that meant the retailer had to lock down some of its in-store services.
The issue first came to M&S’s attention on Saturday 19 April, when some customers found they were unable to collect online orders, pay using contactless methods, use gift cards or return items.
M&S said its technical teams were working to fix the issue, but unfortunately the problem persisted throughout the bank holiday weekend, leaving shoppers in stores – many with trolleys full of food – unable to pay for their purchases. This is 2025, so of course it wasn’t long before shoppers took to social media to voice their outrage and dismay, with national media quick to pick up the story.
But wait! In a refreshing move from Marks & Spencer, the in-store disruption prompted boss Stuart Machin to issue a public apology for the issues on Tuesday, explaining in a post shared across all social channels that the difficulties were because M&S had been “managing a cyber incident” over the past few days.
He said the retailer had been forced to temporarily make “small changes” to store operations “to protect you and our business”.
“There is no need for you to take any action at this time and if the situation changes, we will let you know,” he added, signing off as simply “Stuart”.
M&S’s human response to a cyber problem
The retailer also immediately updated its investors, posting a clear, unambiguous note to the London Stock Exchange.
As well as emphasising that all stores remained open and both website and app were operating as normal, both messages explained – in clear, audience-appropriate language – that M&S was working with the “best experts” and taking direct action to protect its network while also maintaining customer service.
It also told investors that, at the same time as making the temporary changes to “protect customers and the business”, it had “reported the incident to the relevant data protection supervisory authorities and the National Cyber Security Centre”.
The retailer has been widely praised for its open and honest approach to dealing with the cyber incident, thanks to its swift, transparent messaging and proactive approach in notifying the relevant authorities and cyber security experts. The lack of defensiveness surrounding the event has been celebrated by security experts and consumers alike, with many hailing the chain’s upfront approach as a breath of fresh air.
Global risk and security leader William Dixon described M&S’s response as “textbook cyber crisis communications”, applauding the retailer for taking ownership of the issue, while letting customers know exactly “what happened, and how it affects them”.
“It acknowledges the incident without dramatising it, and emphasises that all core services are still running,” he said.
Cyber and Fraud Centre CEO Jude McCorry also highlighted the “clear, concise, factual” communication.
“M&S are the victims,” she added. “No one knows what really happens, and hopefully, because they have been great at communicating so far, they might let us know what really happened so others can learn.”
Honesty and trust
But it’s the customer response to M&S that is the most interesting. Almost everywhere – yes, even on X – shoppers are thanking M&S for the clear, uncomplicated, honest response. Even when they’ve been queueing for hours or had to abandon trolleys full of food destined never to become an Easter roast, shoppers still believed that good old Marks & Spencer would make everything OK in the end.
In his note to shoppers, Machin emphasised that “customer trust is incredibly important”, and last weekend’s incident shows that M&S deserves its position as one of the UK’s most trusted and reputable brands.
Although it continues to manage the aftermath of the incident, and has yet to disclose specific details about exactly what happened, the retailer turned what could have very easily been a complete PR disaster into a masterclass in managing a high-profile problem.
Handled quickly, honestly and with the utmost respect for consumers, this wasn’t just any cyber incident. This was an M&S cyber incident.