Marks & Spencer has reinstated its click and collect service for the first time in nearly four months after a major cyberattack hit the retailer in April.
The company suspended online orders via its website and mobile app on April 25 after disruption over the Easter weekend as contactless payments and click and collect systems stopped working in stores.
While the retailer has gradually reinstated online ordering across key departments including fashion and home and beauty, the click and collect service — which allows customers to order online and pick up their items in M&S the next day — was the last to be restored.
M&S has not publicly commented on the cause of the delay, but click and collect depends on integration between online ordering platforms, inventory management, payment systems, and in-store logistics. The cyberattack is likely to have disrupted or corrupted these systems, making it risky to allow orders to flow through until everything was fully tested and secure again.
The ransomware attack, believed to have been perpetrated by the hacker group DragonForce, resulted in customers’ details being stolen and led to empty shelves in stores as inventory management systems were taken down to prevent further damage by the hackers.
M&S, which has refused to confirm whether or not a ransom was paid, said it expected the episode would cost about £300 million.
Archie Norman, the chairman of the company, previously said it hoped to recover some of the losses from insurance payouts.
Archie Norman, the chairman of Marks & Spencer
Appearing before MPs at a business and trade sub-committee meeting on July 8, Norman said it felt as though the hackers behind the attack were “trying to destroy” the retailer.
Norman, who has been the M&S chairman since September 2017, added that he believed DragonForce’s motives were “partly, undoubtedly, ransom or extortion”. He went on to describe the episode as “an out of body experience”.
• M&S staff share war stories of ‘toughest’ week after cyberattack
Later the same week, four people were arrested in connection with the M&S cyberattack and separate attacks on the Co-op and Harrods. Police arrested a woman, 20, in Staffordshire, two 19-year-old men in London and the West Midlands and a 17-year-old boy in the West Midlands. All were British citizens except for the 19-year-old man from the West Midlands, who is Latvian.
The cyberattack halted a hard-won turnaround at the retailer, led by Stuart Machin, the chief executive. Shares rose by almost 40 per cent last year and M&S reported in May that pre-tax profit was up 22 per cent to reach £876 million in the financial year to March 2025.