British retailer M&S continues to tackle a cyber incident with online orders now paused for customers
# Incident Report: Marks & Spencer (M&S) Cyber Incident Leading to Online Order Suspension
## Executive Summary
Marks & Spencer (M&S) experienced a cyber incident that began affecting services around April 22, 2025, initially disrupting contactless in-store payments and click-and-collect functionality. By April 25, the impact escalated, forcing the retailer to pause all online and app ordering capabilities as part of ongoing incident response and service restoration efforts. The full scope of the compromise, including data exfiltration, remains unknown.
## Incident Details
- **Discovery Date:** April 22, 2025 (Date the public disruption was confirmed)
- **Incident Date:** Unknown precursor activity; public impact noted around April 22, 2025.
- **Affected Organization:** Marks & Spencer (M&S)
- **Sector:** Retail
- **Geography:** United Kingdom (Implied by the retailer's base of operations)
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-April 22, 2025 (Unknown)
- **Vector:** Unknown. The method of initial compromise is not specified in the report.
- **Details:** The incident began affecting technical services, leading to subsequent public disruptions.
### Lateral Movement
- **Details:** Not explicitly detailed, but the progression from minor service disruption (contactless payments) to a complete suspension of online sales suggests potential system-wide impact or successful pivot to critical backend services.
### Data Exfiltration/Impact
- **Details:** It is **unknown if any data was accessed** by unauthorized actors during the incident. The immediate impact was operational disruption to sales channels.
### Detection & Response
- **How it was discovered:** The incident was discovered internally, leading to public confirmation of a "cyber incident" around April 22, 2025.
- **Response actions taken:** M&S took proactive measures, including pausing online orders via M&S.com and the app on April 25, 2025, to manage the situation and facilitate restoration. Contactless payments were reportedly restored at most stores, though click-and-collect remained disrupted.
## Attack Methodology
*Note: As the specific technical details of the attack were not disclosed, the following fields are inferred from the observed impact; where nothing can be inferred they are marked unknown.*
- **Initial Access:** Unknown.
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown. The severity of the incident suggests that discovery of network and system components was likely performed.
- **Lateral Movement:** Unknown, but impact suggests movement beyond initial entry point.
- **Collection:** Unknown.
- **Exfiltration:** Unknown.
- **Impact:** Disruption of core business functions: contactless in-store payments, click and collect, and eventually, all online sales.
## Impact Assessment
- **Financial:** Expected to be significant due to the pause of all online and app sales, leading to immediate loss of revenue and operational costs associated with remediation.
- **Data Breach:** Unknown. Status of PII or financial data protection is unconfirmed.
- **Operational:** Significant disruption. Contactless payments partially restored; click-and-collect disrupted; all online/app ordering paused as of April 25. Stores remained open for browsing and in-person sales.
- **Reputational:** Negative impact stemming from prolonged service outages and public communication regarding the incident.
## Indicators of Compromise
- **Network indicators - defanged:** N/A (None published)
- **File indicators:** N/A (None published)
- **Behavioral indicators:** Operational disruption suggests potential impact on payment processing systems and e-commerce platforms.
## Response Actions
- **Containment measures:** The decision to pause online orders suggests a segmentation or shutdown of potentially compromised systems related to e-commerce to prevent further operational damage or data loss.
- **Eradication steps:** Ongoing, focusing on securing backend services.
- **Recovery actions:** Work underway to restore click-and-collect services and bring M&S.com and app ordering functionality back online.
## Lessons Learned
- **Key takeaways:** A cyber incident can rapidly escalate from affecting ancillary services (contactless payment) to compromising primary revenue streams (online e-commerce). Incident response must include rapid decision-making regarding service shutdowns for stabilization.
- **What could have been done better:** Proactive measures to detect or contain the threat before it required a full shutdown of online sales would have mitigated greater financial loss.
## Recommendations
- **Prevention measures for similar incidents:** Review segmentation between primary sales channels (in-store vs. online). Conduct comprehensive forensic analysis to determine the initial access vector and ensure all persistence mechanisms are identified and removed. Enhance monitoring on backend systems supporting payment processing and order fulfillment.