Some M&S stores left with empty shelves after cyber attack

Some Marks & Spencer (M&S) stores person been near with bare nutrient shelves arsenic the retailer continues to conflict with a cyber onslaught affecting its operations.

Online orders person been paused connected the company's website and app since Friday, pursuing problems with contactless wage and Click & cod implicit the Easter weekend.

The BBC understands nutrient availability should beryllium backmost to mean by the extremity of the week.

Meanwhile, information experts accidental a cyber transgression radical calling itself DragonForce is down the mayhem.

The comparatively caller radical is expected to beryllium asking the supermarket for a multi-million lb ransom to bring the cyber onslaught to an end.

The BBC has asked M&S for comment.

"Based connected tracking of web enactment and ransomware groups, M&S are dealing with a ransomware pack who are attempting to extort them," said information researcher Kevin Beaumont.

Like each ransomware gangs, DragonForce uses malicious bundle to scramble the information connected arsenic galore of their victims computers arsenic possible. They besides usually bargain arsenic overmuch confidential accusation arsenic they tin to usage it arsenic a bargaining chip.

• What is ransomware and however does it work?

DragonForce started attacking victims worldwide astir August 2023.

It works connected what is known arsenic a "ransomware arsenic a service" model, meaning that immoderate cyber transgression tin rent the malicious bundle to infect victims' systems arsenic agelong arsenic they springiness DragonForce a cut.

It's not known who the idiosyncratic hackers liable for the M&S hack are but immoderate experts are pointing towards a loosely tally radical called Scattered Spider.

It is not wide however wide the bare shelves are but the retailer confirmed "pockets of constricted availability successful immoderate stores".

The disruption successful proviso has travel astir due to the fact that the steadfast has had to instrumentality immoderate of its food-related systems offline. It is utilizing antithetic processes to amended availability, truthful it tin run arsenic usually arsenic soon arsenic possible.

In M&S's Marble Arch store successful cardinal London, signs connected immoderate of the nutrient shelves that were missing items said: "Please carnivore with america portion we hole immoderate method issues affecting merchandise availability."

Dot, 52, who shops astatine M&S regularly, said immoderate of the shelves were rather empty.

"I was looking for my favourite biscuits and couldn't find them," she said.

Ken, 76, besides said the constricted banal was "definitely noticeable", though the unit were "perfectly charming" considering the cyber attack.

The steadfast is besides managing disruption to a tiny proportionality of products that it supplies to Ocado, which delivers M&S online orders and which is part-owned by M&S.

Although issues with contactless pay, Click & Collect and acquisition cards person since been resolved, customers tin inactive not spot online orders.

About a 3rd of M&S's covering and household goods income successful the UK are done its online platforms and were worthy immoderate £1.2bn, according to its latest fiscal results.

Although its stock terms was up somewhat connected Tuesday morning, it has fallen 4.6% implicit the past 5 days - with a notable dip connected Friday erstwhile the steadfast announced it was stopping online orders.

The problems travel during a engaged retailing period, arsenic customers hole for the bully upwind and acquisition outdoor plot equipment, barbecue items and enactment food.

The aftershocks of the cyber onslaught volition dent its profits, analysts person told the BBC, arsenic galore customers spell elsewhere to store instead.

Stopping online orders was "almost similar cutting disconnected 1 of your limbs", said Nayna McIntosh, erstwhile enforcement committee subordinate of M&S and the laminitis of Hope Fashion.

"It volition person been a precise hard determination to person made connected Friday and arsenic it enters into its 2nd week for them inactive to beryllium determination volition beryllium incredibly painful," she told the BBC.

But she added that M&S was a fashionable marque truthful customers were apt to springiness it immoderate leeway arsenic agelong arsenic they person transparency.

M&S has not disclosed the quality of the cyber attack.

"As portion of our proactive absorption of the incident, we took a determination to instrumentality immoderate of our systems temporarily offline," a spokesperson said.

"As a result, we presently person pockets of constricted availability successful immoderate stores. We are moving hard to get availability backmost to mean crossed the estate."

M&S is not the lone steadfast to endure disruption to its online systems successful caller times. Supermarket Morrisons faced problems with its Christmas bid successful 2024, portion banks Barclays and Lloyds were deed by outages earlier successful 2025.