Marks & Spencer has suspended all online orders and has blocked remote workers from accessing internal systems following what is understood to be a ransomware attack by a criminal gang that has severely disrupted the retailer’s digital operations.
The high street giant announced on Friday it was blocking customers from placing orders through its website and app “as part of our proactive management of a cyber incident,” with shoppers currently only able to browse rather than purchase items online.
“We are truly sorry for this inconvenience,” M&S said in a statement. “We continue to manage the incident proactively and the M&S team – supported by leading experts – is working extremely hard to restore online operations and continue to serve customers well.”
The attack has prompted M&S to call in government cyber security experts, with the retailer confirming it is being advised by the National Cyber Security Centre, which is part of GCHQ. The company has also enlisted the help of CrowdStrike, the Silicon Valley cyber security giant, and has reported the incident to the National Crime Agency and the Information Commissioner’s Office.
In addition to halting online orders, the company has restricted remote workers from accessing certain IT systems, a move that cyber security researcher Kevin Beaumont, in comments to The Times, described as “a usual first-stage containment step to cut off the threat actor.” Sources close to the company confirmed that while staff can still work remotely, access to internal systems has been significantly scaled back.
The attack began last weekend when M&S was initially forced to stop accepting contactless payments in stores, sparking customer complaints. Some shoppers claimed they had to abandon full baskets at checkouts, while others reported being held in queues outside stores. Contactless payments have since been restored.
Stuart Machin, the M&S chief executive, stated earlier this week that services such as contactless payments were taken down “to protect you and the business.” The retailer has maintained that customers do not need to take any action such as changing passwords or contacting their card providers in response to the incident.
The financial impact of the attack has been immediate, with M&S shares falling by 4 per cent since the company first acknowledged the incident on Tuesday. More than £500 million has been wiped off the retailer’s stock market value. The online order freeze will be particularly costly for M&S, which sold £1.3 billion of clothing and homeware online last year, accounting for around a third of total sales in those departments.