Marks & Spencer has finally resumed its click and collect service following a hugely damaging cyber attack back in April.
The retailer also said it would now accept returns at any UK store, but warned that it was “experiencing processing delays” and “the quickest way to return an item is at one of our Fashion, Home & Beauty stores”.
Subscribe to MoneyWeek
Subscribe to MoneyWeek today and get your first six magazine issues absolutely FREE
Sign up to Money Morning
Don't miss the latest investment and personal finances news, market analysis, plus money-saving tips with our free twice-daily newsletter
Don't miss the latest investment and personal finances news, market analysis, plus money-saving tips with our free twice-daily newsletter
Chief executive Stuart Machin told the company's annual general meeting (AGM) in July that half of its online operations – including click and collect and some product availability – were still down, as it continued to recover from the cyber attack.
M&S’ annual results project a £300 million hit to its profits in the 2025/26 financial year as a result of the attack. This will only partly be covered by any insurance payout.
Susannah Streeter, head of money and markets at Hargreaves Lansdown, points out that today’s click and collect announcement is “a little behind the timeline set out at the company’s AGM in July” but that it was welcome news “after months of disruption”.
She adds: “It’s been a long, slow journey to regain operational fitness, but Marks and Spencer has finally rebuilt its digital muscle. The IT reboot and overhaul was also a chance to accelerate its digital transformation agenda, which is why it may have taken a little longer than initial forecasts.”
Is everything back to normal at M&S now?
M&S is slowly getting back to normal after the cyber attack, and the announcement that click and collect is available again is certainly good news.
This means customers can now place an order online or on the app and collect it from a store the next day.
Home delivery for online orders was already available after the retailer resumed the service in June.
M&S also says it will accept returns for online orders in all its UK stores. “This includes any orders placed when only postal and home collection return options were available,” it said.
However, things are not fully back to normal. For example, M&S says on its website that “due to high volumes of parcels on our post and home collection routes, we’re experiencing processing delays [...] The quickest way to return an item is at one of our Fashion, Home & Beauty stores”.
Customers have also reported poor product availability in certain stores, especially in fashion. For example, some items are only available in a small number of sizes.
Meanwhile, some products continue to be out of stock online ever since the cyber attack. This includes beauty items and products like silk pillowcases.
What happened in the M&S cyber attack?
M&S's problems began over the Easter weekend, with customers unable to use contactless payments, gift cards or scan their M&S Sparks loyalty card. The company confirmed it was dealing with a "cyber incident" and although those services resumed fairly quickly, on 25 April, it stopped taking online orders.
The high-street giant later revealed that some customer data, including contact details and dates of birth, was also stolen during the hack.
M&S said the personal information taken could include online order histories, but no usable payment or card details, or account passwords, were stolen.
Martyn James, a consumer expert, said the disruption showed “just how dangerous cyber attacks can be,” and that the empty shelves and suspension of online orders would be hugely damaging to M&S’s profits.
Bank of America previously estimated that M&S was losing £40 million in sales every week when the attack knocked out its online orders.
Following the hack, M&S wrote to all customers that it had email addresses for, informing them that some personal data had been taken.
This could include their name, date of birth, telephone number, home address, household information, email address and online order history.
M&S said in an update in May: “Importantly, there is no evidence that this data has been shared and it does not include useable card or payment details, or account passwords, so there is no need for customers to take any action.”
However, customers have been advised to remain cautious about receiving emails, calls or texts claiming to be from M&S.
Jayne Wall, operations director at M&S, said in an email to customers: “Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.”
Should you invest in M&S?
The cyber attack made a big dent in M&S’s share price. Between 23 April and their trough on 13 May, the shares fell 14.9%.
However, they have since staged a steady recovery as the business responded to the attack’s impacts. The resumption of online orders in June boosted optimism around M&S, and the click and collect announcement has further pleased investors.
According to Streeter, shares rose about 2% in early trading on 11 August, “an indication of slightly warmer sentiment towards the company”.
She comments: “But they remain 13% lower year to date. Investors will want to find out the full financial impact of the disruption, with previous estimates that it could cost as much as £300 million in lost sales and operational disruption. It is likely that this will be mitigated by insurance claims and cost efficiencies made elsewhere.”
Looking ahead, Streeter says M&S has enjoyed sales growth in the fashion, home and beauty divisions, while demand for M&S food remains robust, with increased volumes driving growth. “So, with the underlying performance remaining solid, and the harmful cyber attack in the rear-view mirror, it bodes well for M&S ahead.’’
Richard Hunter, head of markets at Interactive Investor, tells MoneyWeek that “M&S needs to reassure investors that it has a stronger line of defence to prevent [another cyber attack] happening again”.
He adds that there is plenty to be cheerful about with the retailer: “M&S has come strongly back into fashion with investors and customers alike, and its transformation builds on what was already its jewel in the crown, namely its food business.
"Further tweaks to its store rotation programme, more investment into smaller ranges such as home and beauty, while targeting an improvement to its online offering and a reset of its international business have all been signs of a business which has not been resting on its laurels.”
Who was responsible for the M&S cyber attack?
M&S has not revealed who or what was behind the cyber incident on its systems, but has previously acknowledged it was a ransomware attack.
This is a type of malicious software used to scramble data or files after gaining access to a business's computer systems. Hackers often threaten to leak or sell the data to pressure a company to pay a ransom.
In May, the National Crime Agency named the cyber-criminal collective Scattered Spider as a key part of its investigation.
Last month, four people were arrested by police investigating the cyber attacks at both M&S and the Co-op. Hackers stole huge amounts of customer and employee data at Co-op in April.
-
How much do retirees spend per year on average?Much of our working lives is spent planning for retirement, but how much do retirees actually spend?
-
Could the AI megacap bubble burst?The business cycle could be moving into territory where megacaps have historically lagged. Could this prompt the bursting of the AI megacap bubble?
