Retail giant Marks & Spencer has confirmed a cybersecurity incident, as customers report ongoing disruption and outages.
The British-headquartered retailer on Tuesday told customers in a notice, which TechCrunch has seen, that the company has been “managing a cyber incident” over the last few days. The notice, signed by chief executive Stuart Machin, said it was necessary to make operational changes “to protect [customers] and the business.”
The company said its stores remain open and its website and app are operating normally.
In a filing with the London Stock Exchange, Marks & Spencer said it had engaged external cybersecurity experts to investigate the incident, and also notified data protection authorities.
It is not immediately clear what the nature of the cyberattack is, or if customer data has been affected.
One customer told TechCrunch that in-store payment card terminals were not working for them. Several other customers reported on social media similar outages at various outlets and disruption to order pick-ups.
Marks & Spencer spokesperson Lucy Reynolds told TechCrunch that the company began limiting some of its operations on Monday, including store click and collect pick-ups and contactless payments. Contactless payments are working again, the spokesperson added.
The spokesperson declined to answer questions related to the cyberattack.
In response to one customer on X, Marks & Spencer said it was “working hard to resolve some technical issues in our stores.”
Marks & Spencer claims it serves 32 million customers every year, per its 2024 annual report.
Updated with responses from Marks & Spencer.
Zack Whittaker is the security editor at TechCrunch. He can be reached via encrypted message at zackwhittaker.1337 on Signal, or by email at zack.whittaker@techcrunch.com.
