When will M&S take online orders again?

Marks & Spencer has warned that its online services will continue to be disrupted until July following last month's cyberattack.

Shoppers have not been able to place orders on the M&S website or app since 25 April, and it had been unclear when online orders would resume.

Today, as part of the retailer’s financial results that confirmed an estimated £300 million hit to its 2025/26 operating profit as a result of the attack, M&S revealed that customers would not be able to order via its website or app for the next few months.

"We expect online disruption to continue throughout June and into July as we restart, then ramp up operations," said M&S.

Shares in M&S, one of the most popular stocks in the UK, have fallen more than 10% over the past month.

M&S's problems began over the Easter weekend, with customers unable to use contactless payments, gift cards or scan their M&S Sparks loyalty card. The company confirmed it was dealing with a "cyber incident" and although those services have resumed, on 25 April, it stopped taking online orders.

The high-street giant later revealed that some customer data, including contact details and dates of birth, was also stolen during the hack.

M&S says the personal information taken could include online order histories, but no useable payment or card details, or account passwords, were stolen.

Martyn James, a consumer expert, says the “ongoing problems show just how dangerous cyberattacks can be”, and that the empty shelves and suspension of online orders will be hugely damaging to M&S’s profits.

Bank of America estimates that M&S has lost £40 million in sales every week since the attack began.

We look at what’s happening with online orders, what customers should do, and whether it’s still worth investing in M&S.

When will M&S start taking online orders again?

On 12 May, MoneyWeek asked M&S when it would start accepting online orders again. We were told there was no update on this, and that customers can still browse the website and put items in their online basket, they just can’t check out at the moment.

Online orders have been suspended since 25 April. On 2 May, M&S put out a note on its social media channels saying it was “working day and night to manage the current cyber incident and get things back to normal for you as quickly as possible”.

The retailer has now said that the “online disruption” will continue during June and July. Customers can expect a gradual return to normal.

Stuart Machin, chief executive of M&S, commented on 21 May about the cyberattack: “It has been challenging, but it is a moment in time, and we are now focused on recovery, with the aim of exiting this period a much stronger business.

“There is no change to our strategy and our longer-term plans to reshape M&S for growth and, if anything, the incident allows us to accelerate the pace of change as we draw a line and move on.”

In addition, Sparks offers have been suspended; M&S says “they will be back shortly and shared in the normal way”.

What customer data has been taken and what should I do?

M&S has written to all customers that it has email addresses for, informing them that some personal data has been taken.

This could include their name, date of birth, telephone number, home address, household information, email address and online order history.

M&S said in an update on 13 May: “Importantly, there is no evidence that this data has been shared and it does not include useable card or payment details, or account passwords, so there is no need for customers to take any action.”

However, it added that for “extra peace of mind”, customers will be prompted to reset their password the next time they visit or log onto their M&S.com account on the website or app.

Jayne Wall, operations director at M&S, said in an email to customers: “You might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious.

“Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.”

‘I’ve been impacted by the M&S problems. What are my rights?’

M&S says customers should get in touch with customer service if they have a query or complaint. The customer service number is 0333 014 8555, or you can visit the help and support webpage.

You can also send a message to M&S’s X account.

The retailer has given out gift cards to some customers affected by cancelled orders, for example where celebration cakes were cancelled at the last minute. So, it may be possible to get compensation or a goodwill gesture depending on how the cyberattack has impacted you.

Martyn James says: “When it comes to cyberhacks or a business that can't operate as per normal, you have two types of loss: direct loss (you paid for something but it never turned up), and consequential loss (you bought a gift that wasn't delivered on time so a birthday was ruined).

“Direct losses should always be refunded. Consequential loss is complicated. So, if your gift card expired because you couldn't use it, that's a 'direct' loss and you should get the money.

“But if your mum didn't get her birthday present on time then it's annoying but it's harder to quantify. You can ask for a 'gesture of goodwill' to reflect the spoiled event, but don't get too excited.”

Thanks largely to the cyberattack, M&S shares are down 4.9% so far this year (as at 21 May). The share price gained 2.1% in the five days running up to its financial results announcement.

Richard Hunter, head of markets at Interactive Investor, tells MoneyWeek that while the market consensus of M&S remains positive, “by the same token the clock is ticking, and not only will M&S need to reassure investors that corrective actions have been taken, but also that they will have a stronger line of defence to prevent [another cyberattack] happening again”.

According to Aarin Chiekrie, equity analyst at Hargreaves Lansdown, “Marks & Spencer smashed full-year profit expectations, driven by strong growth in the food division”.

He comments: “While [the cyberattack is] frustrating for investors, the bigger picture needs to be kept in mind. The cyberattack is likely a one-off event, and the underlying business is performing well. M&S is gaining market share, improving profitability, and the balance sheet is in great shape.

“The ongoing negative headlines have caused the valuation to fall in recent weeks, and it now sits in line with peers, which doesn’t look too demanding given the above-average growth in food. This could mark an attractive entry point for investors willing to ride out some turbulence in the near term.”

Hunter adds that there is plenty to be cheerful about with the retailer: “M&S has come strongly back into fashion with investors and customers alike, and its transformation builds on what was already its jewel in the crown, namely its food business.

"Further tweaks to its store rotation programme, more investment into smaller ranges such as home and beauty, while targeting an improvement to its online offering and a reset of its international business have all been signs of a business which has not been resting on its laurels.”

Who was responsible for the cyberattack?

M&S has not commented on who was behind the hack on its systems, but we do know it was a ransomware attack.

This is a type of malicious software used to scramble data or files after gaining access to a business's computer systems. Hackers often threaten to leak or sell the data to pressure a company to pay a ransom.

A group known as "DragonForce" told the BBC it was responsible for the attack on M&S, the Co-Op (where it says it stole huge amounts of customer and employee data) and an attempted hack of Harrods.