M&S completes latest step of cyberattack recovery

Marks & Spencer has reinstated its click and collect service, nearly four months after a major cyberattack forced the retailer to suspend online operations and in-store collections.

The disruption, which began on 25 April, affected both the website and mobile app, halting orders for clothing, home deliveries, and store pickups.

The cyberattack, attributed to the hacker group DragonForce, resulted in stolen customer data and caused notable shortages in physical stores. The incident is expected to reduce Marks & Spencer’s operating profit by approximately £300 million for the current financial year, though the company anticipates offsetting up to half of the losses through insurance and cost management. Online orders for home delivery resumed in June, but click and collect was the last service to be restored, with the company announcing its return on 11 August.

Archie Norman, chair of Marks & Spencer, described the attack as “traumatic” and an “out-of-body experience”, highlighting the extraordinary efforts required by staff to manage the fallout. Stuart Machin, the retailer’s chief executive officer, told investors in July that Marks & Spencer would be “over the worst of the aftermath of the incident by August”.

Police investigations into the attack have led to the arrest of four individuals in connection with the incident and similar cyberattacks on other UK retailers. Marks & Spencer continues to advise customers to remain vigilant regarding emails, calls, or texts claiming to be from the company, due to the theft of personal data.

With the gradual reinstatement of services, Marks & Spencer aims to recover both consumer trust and operational stability, even as rivals such as Next and Sainsbury’s have benefited from its recent difficulties.