Marks and Spencer has confirmed that it has been managing a cyber incident for the past few days which affected its contactless payments and click and collect services
# Incident Report: M&S Cyber Incident Disrupts In-Store Services
## Executive Summary
British retailer Marks and Spencer (M&S) experienced a cyber incident over several days leading up to April 22, 2025, which forced operational changes in stores. The incident primarily disrupted customer-facing services, including click and collect, contactless payments, and gift card usage. M&S promptly reported the event to regulatory bodies and engaged external cybersecurity experts for investigation and remediation.
## Incident Details
- Discovery Date: Prior to April 22, 2025 (the incident had been managed "over the past few days")
- Incident Date: Circa April 2025
- Affected Organization: Marks and Spencer (M&S)
- Sector: Retail
- Geography: United Kingdom
## Timeline of Events
### Initial Access
- Date/Time: Not specified, occurred prior to April 22, 2025.
- Vector: Not publicly disclosed.
- Details: Attackers gained access leading to a widespread cyber incident managed by M&S.
### Lateral Movement
- Not disclosed, but implied by the impact on multiple in-store services (payments, collection).
### Data Exfiltration/Impact
- Impact: Disruption to in-store customer services, specifically:
  - Click and collect services.
  - Contactless payments.
  - Gift card usage.
- Data concerns were raised by customers regarding refund processing, although the nature or extent of any data exfiltration was not confirmed as the primary impact.
### Detection & Response
- Date/Time: Incident managed over the "past few days" leading up to the April 22 investor note.
- Response Actions:
  - Reported to the relevant data protection supervisory authorities.
  - Reported to the UK's National Cyber Security Centre (NCSC).
  - Engaged external cybersecurity experts for investigation.
  - Implemented "some small changes" to store operations to protect the business.
## Attack Methodology
- Initial Access: Unknown.
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Unknown.
- Lateral Movement: Unknown.
- Collection: Unknown, though customer concerns suggest possible interaction with payment/transaction systems.
- Exfiltration: Unknown; the reputational impact suggests possible data movement, but none was confirmed.
- Impact: Disruption of critical retail functions and point-of-sale operations.
## Impact Assessment
- Financial: Costs associated with incident response (expert engagement, operational remediation) and potential loss of sales due to service disruption.
- Data Breach: Type and volume of data directly compromised is *not confirmed* in the source material, though data protection authorities were notified.
- Operational: Significant disruption to key in-store services (contactless payments, click and collect).
- Reputational: Caused customer inconvenience and concern, requiring public apology from the CEO.
## Indicators of Compromise
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** Disruption of normal payment and collection processes.
## Response Actions
- **Containment measures:** Making "some small changes" to store operations (which implies segmentation or a deliberate service shutdown, though M&S did not specify).
- **Eradication steps:** Ongoing investigation with external experts.
- **Recovery actions:** Working toward resolving issues affecting payments and collections; M&S CEO apologized and advised customers there was "no action they need to take at this time."
## Lessons Learned
- Reliance on digital in-store services (contactless payments, click and collect) creates significant operational fragility when an incident occurs.
- Clear and timely communication to customers, even when details are limited, is crucial (achieved here via the CEO's note).
## Recommendations
- Enhance network segmentation, particularly between corporate systems and customer-facing transaction/payment infrastructure, to limit the ripple effect of a compromise.
- Ensure robust, redundant systems are in place for core customer interactions (like payment processing) for rapid failover during cybersecurity events.
- Review and test incident response plans specifically covering disruptions to point-of-sale and collection services.