In an unexpected and disruptive turn of events, UK retail giant Marks & Spencer (M&S) was forced to suspend all online orders following a severe payment processing meltdown. On what should have been a routine day for the high street favorite, shoppers were met with errors, declined payments, and an inability to place orders online. What started as a trickle of complaints soon turned into a flood, drawing attention from both media outlets and cybersecurity experts. This incident has raised serious concerns not just for M&S, but for the broader retail industry reliant on digital infrastructure.
With consumers increasingly depending on online shopping, especially from established brands like M&S, such disruptions can have massive ramifications. The sudden system failure didn’t just affect digital transactions—it triggered widespread confusion, impacted customer trust, and exposed potential vulnerabilities in payment technologies.
Timeline of Events
The chaos began on the morning of April 25, 2025. Customers attempting to make purchases through the M&S website and mobile app encountered failed payment processes, unresponsive buttons, and outright denial of transactions. Within hours, social media platforms were inundated with complaints, ranging from declined gift card codes to complete inaccessibility of checkout pages.
By midday, M&S issued a brief statement acknowledging the disruption. “We are aware of a technical issue affecting online payments. Our team is working urgently to resolve this,” they noted via their X (formerly Twitter) account. However, the statement did little to soothe frustration, as the problems persisted into the evening.
At around 3 PM, M&S made the call to temporarily shut down online order processing entirely, citing the need to “investigate a suspected cyber-related incident.
Scope of the Disruption
The payment meltdown wasn’t limited to just the online store. In a shocking extension of the problem, multiple in-store services were also hit. Contactless payment terminals reportedly stopped working in several M&S branches, with staff having to advise customers to pay by chip-and-pin or cash.
Click and Collect services—one of M&S’s major revenue streams—were also disrupted. Customers who had previously placed orders for in-store pickup found their purchases unavailable, and in many cases, even undelivered.
International M&S websites, particularly those catering to Ireland and mainland Europe, also experienced similar outages. Reports confirmed that the issue wasn’t localized—it had impacted the company’s global digital infrastructure.
Customer Experience
If there was one clear loser in this crisis, it was the average M&S shopper. Dozens of customers took to X, Facebook, and Instagram to share their stories—many of which revealed just how disruptive the outage was.
“I bought a birthday gift for my mum last night. It was meant to be delivered this morning. No confirmation, no updates, nothing,” one user posted. Another added, “I tried to use my M&S voucher at the self-checkout—error every time. Staff were lovely but had no idea what was going on.”
Others reported queuing for over an hour in stores only to be told that their Click and Collect orders couldn’t be located in the system. The chaos led to rising tempers, lost time, and, in some cases, customers abandoning purchases altogether.
M&S’s Response and Mitigation Efforts
To their credit, M&S didn’t remain silent for long. After their initial acknowledgment, the retailer issued multiple updates via their official channels throughout the day. The company confirmed that the incident was under urgent investigation and that cybersecurity experts had been brought in to assist.
A detailed statement followed in the evening, explaining that the issue stemmed from a suspected cyberattack targeting their payment infrastructure. “We believe this was a coordinated attempt to disrupt our operations. While no customer data has been compromised at this stage, we are taking this incident extremely seriously,” the statement read.
Engineers worked overnight to isolate the affected systems, implement patches, and gradually restore payment capabilities. By the next morning, limited services resumed, but the full extent of normalcy was still days away.
