M&S stops online orders as 'cyber incident' issues worsen Marks & Spencer has paused online orders for customers via its website and app as the UK retailer continues to wrestle with an ongoing "cyber incident." Contactless payments were halted earlier this week and Click & Collect orders temporarily suspended, yet until today M&S insisted it was continuing to support website and app …
@Doctor Syntax - yes, you do expect teh sensible cause of action is "fear the worst" when it is ransomware (or whatever "infection") - no matter how good you think your thraet monitoring setup is, if a part of your system has been broken into then it is a cause for concern & shutting off other things is sensible as
a) they may be infected & yiou ahve not noticed
b) not infected, but given time the attackers will likely compromise that too, so pull the plug before that happens.
... Yes it is a massive business expense being cautious, but the optimistic approach they have taken does not seem to be working that well
"I wonder how many of their customer still carry cash."
That would be me. Always have some cash with me when shopping.
Might be worth mentioning that they were not redeeming credit notes in addition to all the other stuff on Monday last at least. I always manage to pick the till queue that has someone ahead of me with a major problem...
I happened to have forgotten my wallet yesterday: my wife messaged me to tell me, and to ask me to pick up some food on the way home. M&S was easiest, so I ended up leaving twenty quids' worth at the till as I only had my phone on me; luckily there's a Sainsbury's sharing the same carpark who were happy to take my money. I doubt this is a major problem for M&S, as "old and middle class enough to shop in M&S, hipster enough to only carry a phone" is a tiny intersection, and even in this case it happened to be the first day probably in twenty years I hadn't got my wallet on me.
Had I had a card on me I would have been reluctant to insert it in their machine (fnarr), as if their IT is so screwed they can't accept contactless I wonder just how well they're going to process and protect my non-contactless data. The "whataboutcash" argument strikes me as a little besides the point: shops whose IT collapses to the point they can't accept contactless or card probably can't process stock transactions either, and without the ability to monitor in-store stock by counting sales they're in a world of pain greater than the small advantage of accepting cash. And in any event, few stores have the facilities to handle significant amounts of cash above the current, low, level of use.
M&S grocery stores have very few "human" tills left. The vast majority of transactions are cashless using the self-service tills.
So that's the grocery business crippled - but not closed.
The clothing and home part of the business has basically nothing that's under £20, and nobody carries more than £50 with them these days.
So that's the rest of the business closed entirely.
This incident is going to borderline bankrupt them.
There's M&S branches I can think of with anything from almost no to large numbers of cash-capable tills.
But as you say, few people carry any significant amount of cash and even in M&S's demographic a lot will carry essentially none.
So once a store is down to cash-only, even if it has the physical capability to handle it (some do) and even if it has the logistic and operational ability to handle it (most won't) the fact that people simply don't carry much cash will kill them. Loss of contactless while card remains working is less serious, because phone-only hipsters are rare.
M&S grocery stores have very few "human" tills left. The vast majority of transactions are cashless using the self-service tills.
There may be regional differences.
The ones round here (Gloucestershire/Warwickshire/Worcestershire) still have a decent mix of both types of tills. On Thursday morning they were still taking contactless payments without problems. In the cafe they apologised for the till being a bit slow, but explained that a cash payment wouldn't be any faster, the whole system was slow (but working). The self-service tills were running fine, with contactless payments.
What do people think this is? Ransomware? Whatever it is, it's been causing a headache for a number of days - It's pretty nuclear to shut down your e-commerce site!
For what it's worth, I used contactless in my local M&S yesterday to pay.
Probably a rough weekend ahead for the team involved in this. Good luck.
A while back, my online account had someone elses details. I wrote to them, and they denied that there was an error. I replied with full details of the other persons data, which they then seemed to accept.
Previous to this, there were rumours of a cyber incident :
http://metro.co.uk/2015/10/28/marks-spencer-website-goes-down-after-data-breach-5466135/
http://www.ibtimes.co.uk/marks-spencer-says-site-was-not-hacked-admits-data-breach-1526236
Now we have this one too.
Were they hacked last time or not ?
Was my issue another cyber problem, or a botched database system change ?
So, in general, they are crap.
This post has been deleted by its author
Standard playbook in retail to *immediately* shut down or isolate everything you can, especially if it's customer-facing. You need to buy yourself time to get organised and understand what you are dealing with. You can tell they did this because their store payments went to offline auth (which is why contactless and pay be phone stopped working). Their payments must route through their POS or store servers - which were / are? no longer connected to the central/cloud/etc host. If they have it back up, then they've either re-enabled the connection (unlikely in my experience), opened up for specific traffic, or have made changes so payment devices connect directly to the payment authenticator (this is what I would guess).
It's easy to poke fun of companies when this is happening, and speculate on their tech not being good enough etc. I think that is an unfair position and we tech workers know that at this very moment there are a bunch of our peers putting their entire lives on hold to protect the company they work for, to do everything and anything to protect their customers data and to protect their staff. M&S are obviously under attack by an organised group of criminals. And I for one am on M&S' side and hope they take whatever steps they must to fight back.
Good luck M&S and especially to the technology and business teams working non stop to recover. Those of us who know this game are with you in spirit, and I will be supporting you in person by going in to my local M&S tomorrow to buy something for dinner and perhaps grab a coffee. Keep going!
Not been in so don't know if it affects scan and shop. I normally avoid the apps and self service is used at M&S as our large store has very little human ones now. But the scan and shop is so useful I use it. Scan everything with my phone and as long as its under £45 I think it is, I can pay from the phone and just walk out. Its still really weird even though I've been using it for a year now, as I keep thinking someone is going to stop me, thinking I'm shoplifting.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
