Marks & Spencer restores Click & Collect after £300 million cyberattack

When Marks & Spencer finally announced that its Click & Collect service was back online on August 10, 2025, shoppers breathed a sigh of relief after months of disruption.

Behind that headline was a string of high‑stakes moves: the retailer’s online ordering platform, crippled by a ransomware attack that began over Easter weekend, had to be stitched back together piece by piece.

How the breach unfolded

It all started on April 19, 2025, when customers in Birmingham reported that contactless payments at the checkout stalled. By the next day, the problem had rippled through the entire chain. Stuart Machin, CEO of Marks & Spencer, was forced to address the media, confirming a “significant cyber incident” without revealing details.

Just hours later, an email that appeared to come from an internal account warned that a group called DragonForce had taken control of the company’s servers. Security analysts quickly linked the intrusion to the Scattered Spider collective, renowned for its sophisticated ransomware kits.

By April 25, the retailer had taken the drastic step of shutting down its e‑commerce site completely, halting all online purchases while it tried to contain the breach.

The human cost behind the headlines

Chairman Archie Norman described the ordeal to a parliamentary committee in July as “traumatic” and “like an out‑of‑body experience.” He recalled staff pulling double shifts and cyber‑team members surviving on three hours of sleep per night for a week straight.

Meanwhile, the National Cyber Security Centre (NCSC) was called in to coordinate the response, and external forensic firms were hired to trace the malware’s path through the retailer’s network.

Customer data – names, email addresses, postal codes and dates of birth – were reportedly exfiltrated, prompting a wave of privacy concerns across the UK.

Step‑by‑step recovery

In late May, John Lyttle, Managing Director of Fashion, Home & Beauty, announced on LinkedIn that limited online ordering would resume, initially for standard UK delivery only.

  • April 30 – Core payment gateways restored.
  • May 15 – Inventory management systems back online for fashion and home goods.
  • June 10 – Home delivery re‑opened to England, Wales and Scotland.
  • July 20 – Northern Ireland deliveries reinstated.
  • August 10 – Click & Collect fully functional.

The most stubborn piece was Click & Collect. That service relies on a tight choreography between the e‑commerce front‑end, warehouse picking software, in‑store payment terminals and the customer‑facing kiosk. When the ransomware encrypted the backend databases, every link in that chain broke.

According to a report in The Times, the complexity of those integrations meant engineers had to rebuild the API bridges from scratch rather than simply reinstall a backup.

Financial fallout and insurance claims

Marks & Spencer warned in May that the breach would cost roughly £300 million – about $400 million – in lost sales and remediation expenses. The company expects to recoup roughly half of that through insurance payouts and tighter cost controls.

Analysts at Google Threat Intelligence Group noted that the attack was part of a broader wave targeting retailers in both the UK and the United States, with sister incidents at Victoria’s Secret and United Natural Foods reported just weeks earlier.

Why this matters for the retail sector

The M&S episode is a cautionary tale for any retailer that has woven its sales funnel tightly around digital channels. When a single point of failure – in this case, a ransomware payload – hits the core, the ripple effects can shut down brick‑and‑mortar operations, erode brand trust and trigger multi‑million‑pound losses.

Beyond the balance sheet, the incident sparked a renewed conversation in the UK about mandatory cyber‑resilience standards for large retailers, a topic that is likely to surface in the next parliamentary session.

What’s next for Marks & Spencer?

Looking ahead, the retailer has pledged to invest £50 million in next‑generation security architecture, including zero‑trust networking and AI‑driven threat detection.

Stuart Machin told shareholders in the August earnings call that the company “has emerged stronger, with clearer protocols and a renewed focus on protecting our customers.” Whether that optimism translates into smoother digital experiences remains to be seen, but at least the Click & Collect queues are finally moving again.

Frequently Asked Questions

How does the cyberattack affect M&S customers today?

Most services are back, including Click & Collect, home delivery and in‑store payments. However, some customers may still notice delayed order confirmations while the company fine‑tunes its new security systems.

What caused the Click & Collect outage to last longer than standard delivery?

Click & Collect relies on a web of integrated systems – inventory, payment, and in‑store logistics. When the ransomware encrypted the central database, each link had to be rebuilt, adding weeks to the recovery timeline.

Who were the attackers behind the breach?

Investigators linked the attack to the DragonForce ransomware gang, working in concert with the Scattered Spider threat collective, both known for targeting large retail chains.

Will M&S customers see higher prices because of the £300 million loss?

The company says any cost pressures will be absorbed through efficiency drives and insurance payouts, not passed directly to shoppers, at least in the short term.

What steps is M&S taking to prevent a repeat incident?

M&S plans a £50 million upgrade to its cyber‑defence stack, adding zero‑trust access controls, AI threat‑monitoring and regular penetration testing across all digital touchpoints.