Personal Finance

When will online orders be accepted by MandS again?

By James Mackreides 13 May, 2025
When will online orders be accepted by MandS again?
For over two weeks, customers have been unable to place orders on the M&S website due to a cyberattack that compromised payment systems and resulted in the theft of customer information

When will normalcy return?

Customers are still unable to place orders on the Marks & Spencer website, and the retailer has disclosed that a cyberattack last month resulted in the theft of some personal customer data.

Since April 25, online orders have been "paused" on the M&S website and app. The high-street behemoth disclosed today that the hack also resulted in the theft of some customer information, such as contact information and birth dates.

M&S claims that although no usable payment or card information or account passwords were taken, the stolen personal information may have included online order histories.

Today, May 13, the M&S app appears to be unavailable. BFIA has observed instances of users logging out and then receiving the message, "We apologize, but you are unable to access the app at this time. I hope to return soon.

The retailer is still having trouble with in-store stock availability, as evidenced by some stores' chiller units and empty shelves.

As a result of the cyberattack, M&S's market value has dropped by over a billion pounds, and its share price has fallen by nearly 18 percent.

The issues at M&S started over the Easter weekend when customers couldn't scan their M&S Sparks loyalty card, use contactless payments, or use gift cards. The business acknowledged that it was coping with a "cyber incident," and while those services have been restored, it ceased accepting online orders on April 25.

After over two weeks, the retailer claims that it is still unsure of when online orders will be accepted again, whether through the website, app, or phone.

The "ongoing problems show just how dangerous cyberattacks can be," according to consumer expert Martyn James, and M&S's profits will suffer greatly as a result of the empty shelves and suspension of online orders.

"The group is estimated to be losing about 4 million in sales every day due to the suspension of the online service," says Richard Hunter, head of markets at Interactive Investor. "The CEO will be hoping to provide some more positive news along with the numbers, if not before, as the full-year results are due next week.

We examine the current state of online orders, customer advice, and the continued value of investing in M&S, one of the most well-liked stocks in Britain.

When will M&S resume accepting online orders?

When would M&S resume taking orders online? BFIA asked. There is currently no update on this, according to what we were told. Customers can still browse the website and add items to their online basket, but they are unable to check out.

The suspension of online orders began on April 25. M&S announced on its social media platforms on May 2 that it was "working day and night to manage the current cyber incident and get things back to normal for you as quickly as possible."

The retailer told BFIA on May 12 that it had not heard anything since this statement and was unable to predict if online orders would start up again later this month.

When a number of BFIA team members attempted to open the M&S app on their smartphones on May 13, they were greeted with the following message: "We apologize, but you are unable to browse the app at this time. I'll be back quickly.

Sparks' offers have also been halted; according to M&S, "they will be back shortly and shared in the normal way."

The retailer reported that stock availability had significantly improved in recent days and that it was making every effort to make it even better.

In order to draw attention to stock shortages, numerous customers have shared images of empty M&S shelves on social media.

What information about customers has been stolen, and what should I do?

M&S has sent letters to every customer for whom it has email addresses alerting them to the theft of some personal information.

This could contain their name, birthdate, phone number, home address, household details, email address, and past online purchases.

In a May 13 update, M&S stated: "It is important to note that there is no proof that this data has been shared, and it does not contain any account passwords or usable card or payment information, so customers do not need to take any action.

The next time a customer visits or logs into their M&S . com account on the website or app, they will be asked to reset their password for "extra peace of mind," the statement added.

In an email to consumers, M&S operations director Jayne Wall stated: "Be careful because you may receive calls, texts, or emails purporting to be from M&S when they are not.

It is important to note that we will never get in touch with you to request personal account information, such as usernames or passwords.

At Hargreaves Lansdown, Susannah Streeter, head of money and markets, says the theft of customer data is "not surprising, given the deep nature of the breach, but it's yet another setback for the company, which is trying to minimize damage to its reputation."

"The good news is that the compromised data does not contain payment information or card details that can be used, and passwords have not been compromised," she continues.

The issues with M&S have affected me.

What rights do I have? M&S advises consumers who have questions or grievances to contact customer service. 0333 014 8555 is the customer service number. You can also visit the help and support website.

Messages can also be sent to M&S's X account.

Some customers impacted by cancelled orders, such as celebration cakes that were abruptly canceled, have received gift cards from the retailer. Depending on the impact of the cyberattack, you might be eligible for compensation or a goodwill gesture.

"You have two types of loss when it comes to cyberhacks or a business that can't function normally: direct loss (you paid for something but it never showed up) and consequential loss (you bought a gift that wasn't delivered on time so a birthday was ruined)," says Martyn James.

"Refunds should always be given for direct losses. The concept of consequential loss is complex. As a result, you should receive the money if your gift card expired because you were unable to use it.

Still, it's difficult to measure if your mother didn't receive her birthday gift on time. Don't get too worked up over it, but you can request a "gesture of goodwill" to make up for the missed occasion.

What impact does the cyberattack have on shareholders of M&S?

Since news of the cyberattack broke, the price of M&S shares has fallen by over 15%.

Investors are primarily concerned because, "despite the company's frantic efforts in the background, there have only been a couple of updates from M&S, which has heightened nerves around the severity of the attack," Hunter of Interactive Investor tells BFIA.

But even with the recent drop, Interactive Investor reports that the shares are still up 27% over the past year and 113% over the last two.

"M&S has made a strong comeback into the fashion industry with both investors and consumers, and its transformation builds on its food business, which was already its crown jewel. Hunter says the company has not been resting on its laurels, as evidenced by additional changes to its store rotation program, increased investment in smaller categories like home and beauty, a focus on improving its online offering, and a restart of its international business.

"By the same token, the clock is ticking, and not only will M&S need to reassure investors that corrective actions have been taken, but also that they will have a stronger line of defense to prevent this happening again," he continues, even though the market consensus for the shares is still positive and suggests a buy.

Although the current state of affairs will cause "considerable financial pain for M&S," there might be some silver linings, according to Streeter at Hargreaves Lansdown.

For instance, the partnership with Ocado "should also offer resilience, with online grocery orders unaffected by the problems as they are run on an entirely separate system," and the warmer weather is expected to boost food sales at places like barbecue and picnic areas.

"With anecdotal evidence that some shoppers have gone the extra mile and are shopping more in M&S stores in a show of support, the increased customer loyalty during the hack attack will also have been heartening to the company," Streeter continues.

Who was in charge of the online attack?

Although we know it was a ransomware attack, M&S has not disclosed the identity of the attacker responsible for the attack on its systems.

Once it has gained access to a company's computer systems, this kind of malicious software is used to jumble data or files. To get a company to pay a ransom, hackers frequently threaten to sell or leak the data.

The BBC was told by a group called "DragonForce" that it was behind the attack on M&S, the Co-Op (allegedly stealing vast amounts of employee and customer data), and the attempted hack of Harrods.