The cyber-attack at Marks & Spencer iscontinuing to cause chaos for shoppers, with no clarity yet as to when the retailer’s systems will be fully back up and running.
Website orders remain on hold for the fourth day in a row, and those affected also include customers waiting to collect orders or wanting to spend or buy M&S gift cards, as well as users of the retailer’s Sparks customer reward scheme.
The “cyber incident” began a week ago and has affected stores as well as its online business. Last Friday the companyhalted all orders through its website and apps.
By Monday evening this “pause” in taking orders – which also applies to people who try to buy over the phone – was ongoing. M&S said it was “working very hard to get operations back online”, but was unable to give any timeframes for when the problems would be fixed.
The retailer’s stores are still open and operating, and shoppers can still browse its website and app. Contactless payments are also back online in stores after they were affected by the cyber issue last week.
On its Facebook page, M&S has been telling customers that orders placed after last Wednesday (23 April) would be cancelled and refunded. It added that customers should receive an email to confirm this over the next few days, if they haven’t already.
If you are expecting to pick up a Click & Collect order over the next few days for an order placed before that date, M&S says you should wait for your “ready to collect” notification email before coming into the store to get the item.
However, some customers have posted messages in which they suggested they had been unable to pick up their orders, leading to “wasted journeys”.
Click & Collect is predominantly clothing and homeware. It appears the situation is slightly different for those who have ordered food items such as sandwich platters and party food. Some customers have been told that food orders have been arriving as normal, but the retailer has been unable to send “ready to collect” emails. It added: “If there are any issues, we’ll notify you by email, otherwise the food will be there for you as expected.”
On Monday, M&S told customers they could return items via a staffed till point in any of its Clothing & Home stores, and a member of staff would be able to issue the refund. Alternatively, you can amend your return method to post.
The retailer is not currently accepting returns at its M&S Simply Food locations.
Initially, the cyber-attack meant M&S wasn’t accepting gift cards payments in-store. However, posts on Facebook indicate that for a while at the weekend, they were available once again.
Sign up toBusiness Today
Get set for the working day – we'll point you to all the business news and analysis you need every morning
after newsletter promotion
But on Monday afternoon, the Guardian was told that the current position was that it was not possible to redeem or buy gift cards. Clearly that could change again.
Sparks is M&S’s customer reward scheme. However, some customers have reported that, for example, their Sparks account hasn’t automatically updated to reflect recent in-store spending, or they have Sparks offers they want to use but which are due to expire in a few days.
In posts on Facebook, M&S said it was working to get Sparks back online. In the meantime it was advising customers to keep hold of receipts as proof of spending, and to take screenshots of things such as offers.
Typically with an incident such as a cyber-attack, if there has been a data breach, the company or organisation will message its customers or employees to let them know that their personal information has – or may have been – accessed.
M&S customers say they have not received any such notifications, and the company has said there was “no need for [customers] to take any action”, suggesting their data has not been accessed.
Meanwhile, on Facebook, in response to a customer who asked if there was a risk that M&S credit card details had been compromised, and whether it was still safe to use the card in the company’s stores or elsewhere, a company representative replied: “It is safe to shop with M&S. We responded quickly and have taken appropriate steps to protect our customers and our business.”
Nevertheless, while we await more information, there is no harm in being extra vigilant when it comes to any calls or emails that you receive, particularly those seeking personal or financial information. Security experts have warned shoppers to watch out for scammers capitalising on the high-profile incident.
M&S has reported the incident to data protection supervisory authorities and the UK government’s National Cyber Security Centre.