Marks & Spencer’s contactless payments and click-and-collect services were disrupted by a ransomware attack on 21 April 2025, with the NCSC confirming vulnerabilities in retail cybersecurity infrastructure.
Marks & Spencer temporarily suspended contactless payments and click-and-collect services across UK stores on 21 April 2025 after confirming a ransomware attack. The National Cyber Security Centre (NCSC) verified that the breach methodology aligned with patterns described in its 2024 Retail Threat Report. CEO Stuart Machin stated that no customer data was compromised, though analysts estimate £15M in operational losses. This follows a May 2024 outage linked to third-party systems, and comes as the UK prepares new cybersecurity regulations for retailers.
Attack Disrupts Core Retail Operations
The 21 April incident paralyzed M&S’s IoT-enabled checkout systems for 14 hours, forcing manual transaction processing. NCSC investigators identified the ransomware variant as a modified version of the LockBit 3.0 codebase, adapted to target retail inventory APIs.
Regulatory Implications Emerge
UK Digital Infrastructure Minister Julia Lopez confirmed on 24 April 2025 that binding cybersecurity rules will mandate quarterly penetration testing for retailers with over £50M annual revenue. The regulations respond to IBM’s findings that 68% of UK retailers lack real-time breach detection.
Financial and Sector Impact
Bloomberg data shows M&S shares fell 3.5% post-incident, underperforming the FTSE 350 Retail Index. Competitors Tesco and John Lewis saw respective 1.2% and 0.8% declines, reflecting broader market concerns about retail cybersecurity readiness.
Historical Precedents in Retail Cybersecurity
M&S’s 2024 technical outage, caused by a compromised third-party logistics vendor, exposed supply chain vulnerabilities that persist in the sector. The NCSC’s 2024 report documented a 40% YoY increase in ransomware attacks targeting retail payment systems since 2022.
Parallels exist with Target’s 2013 data breach affecting 41 million customers, which prompted US retailers to adopt chip-and-PIN technology. However, UK retailers have been slower to implement zero-trust architectures recommended by cybersecurity experts.