Maja Pawinska Sims 06 May 2025 // 10:43AM GMT

For many people (including me) the first sign that something was up with iconic British retailer Marks & Spencer over the Easter weekend was its website ‘playing up’ and not accepting online orders, from food to school uniform, while in store, customers were told that contactless payment was down. It soon became clear that the problem was bigger than not being able to tap and go with that packet of Percy Pigs or put in an order for a multipack of briefs: M&S was handling a cyber attack that continues to wreak havoc on its digital infrastructure.
Nearly two weeks later, M&S is still in the weeds: what initially appeared to be a temporary disruption has turned into a full-scale crisis. As of now, the company is still grappling with the aftermath, struggling to restore its systems while managing the public relations and reputational fallout.
The attack, which began on April 24, brought M&S’s online ordering systems to a halt, affecting both food and non-food deliveries. Customers were unable to place orders via the M&S website or mobile app, and essential services, including contactless payments in stores and return processes, were also impacted. The retailer's online operations have yet to fully recover, leaving customers frustrated by ongoing delays and disruptions.
M&S’s early crisis response was characterised by speed, transparency, and consistent communication. For the first few days, the company engaged customers directly, offering frequent updates and taking a proactive approach to manage expectations. CEO Stuart Machin took immediate action by publicly acknowledging the issue and issuing a heartfelt apology, not just for the inconvenience caused to customers, but for the distress felt by M&S’s employees as well.
On April 25, Machin issued a statement and apology on social media and via the M&S website – signed simply “Stuart” – stating: “I want to personally apologise to all of our customers for the disruption you’ve experienced over the last 24 hours. We are fully aware of how this has impacted your ability to shop with us, and we are working around the clock with leading experts to resolve this issue. We will continue to keep you informed and, as always, thank you for your patience.”
His communications have focused on reassurance, with Machin stating, “We are working around the clock with leading experts to resolve this issue. We will continue to keep you informed and, as always, thank you for your patience.”
This openness and directness were well received in the early days of the crisis. As Hayley Goff, CEO of Whiteoaks International, said: “In a crisis, silence is damaging as speculation and ‘fake news’ can spread in a matter of minutes. Speed is crucial. Machin was fast to acknowledge the issue to customers, send a sincere apology to them and its staff, and provide important information about what services were impacted.”
Tricia Fox, MD of Cunningly Good, also commended the retailer’s ability to maintain a calm, human tone in its statements: “Marks and Spencer lived true to their brand, keeping their communications around a significant cyber attack on their digital systems clean and simple. Reaching out to customers via social media channels in plain, on-brand, black and white messaging, their calm, empathetic and personal response was positively received by the public.”
Fox also observed M&S’s employees’ role in managing the crisis on the ground. During her visit to an M&S store, she witnessed staff engaging directly with customers, explaining the challenges the company was facing and offering alternative payment methods, such as cash. “The floor staff were actively engaging with customers, talking about the technology challenges, and customers were only too happy to dig out their wallets and pay by cash for a change,” she said.
Alan Morrison, owner of ASM Media & PR, also praised M&S for being proactive in its early communications. “M&S has been exemplary in following some of the basic rules for reputational crisis management. Firstly, acknowledging the issue proactively – rather than responding to social or media reports – and contacting customers directly first,” he said. This early communication strategy allowed M&S to frame the narrative and provide clear, actionable information to customers.
Morrison also highlighted the effectiveness of M&S’s ongoing updates during the first week. “It’s also reassured that the ‘best experts’ are working on the problem and, importantly, apologised in advance for any inconvenience and kept customers updated on developments,” he said.
M&S’s leadership has been central to the company's ability to manage this crisis so far. Tamara Littleton, co-founder of crisis simulation company Polpeo, underscored the importance of strong, human leadership during such challenging times. “In the wake of a cyberattack, M&S managed to keep its reputation high on the street. Execution is everything in a crisis, and M&S gave it its all,” she said. Littleton emphasised the proactive steps taken by M&S, including taking systems offline to contain the breach, keeping customers updated across various platforms, and, most crucially, having the CEO personally lead the communication efforts.
“The early communications, including the much-needed apologies, came from the CEO,” she said. “Not only does this transparent and accountable style help to keep customer agitation at bay, but it also sends a signal to all concerned that the disruption was being solved by strong and stable leadership. This is what has got M&S through so far – genuine humanity at the helm that has genuine concern for their customer's experience.”
While many have praised M&S for its handling of the crisis so far, there has been some criticism from commentators. Paul MacKenzie-Cummins, MD of Clearly PR, pointed out that much of the negative commentary was unfounded. “Crisis comms is tricky. The ‘control the narrative’ stock phrase is pure gobbledegook and nigh on impossible to ever achieve. Yet, M&S has come extraordinarily close to doing just that.” He believes that M&S’s initial communication strategy, which focused on speed, transparency, and direct engagement, set a new standard for handling such crises.
However, as the crisis continues to unfold, M&S faces new challenges. Since the initial flood of updates, the company has gone largely silent in recent days as it focuses on resolving the technical issues caused by the cyberattack. One insider told Sky News this weekend that, contrary to the apparent textbook crisis management, there had been “no plan” for a cyber attack, and the “chaos” of the situation was likely to continue for months, rather than days.
Stephen Waddington, founder of Wadds Inc, acknowledged the effectiveness of M&S’s early response but warned that prolonged silence could harm the brand’s reputation. “The initial response to the cyber attack was exemplary and clearly well prepared. But as the situation has developed, M&S has gone silent while it manages the situation. It’s the only approach it can take until it reaches a resolution and has something to say,” he said.
Waddington cautioned that M&S must be careful not to let customer and investor loyalty wane due to the lack of updates. “Customers and investors are remaining loyal because M&S has invested in its reputation, but stakeholders will start to lose confidence as the situation continues unexplained,” he added. However, he also noted that M&S’s crisis management approach has provided a solid foundation for recovery.
There’s no doubt that M&S’s financial standing has already taken a significant hit. The company's share price fell by 7% in the wake of the disruption, leading to a loss of approximately £700 million in market value. As of today, the share price has remained volatile, trading at £373.00, which is approximately 11.2% below its 52-week high of £417.80, reached just two days before the crisis hit.
While M&S’s crisis continues to unfold, it is not alone in facing the growing threat of cyberattacks. Another high-profile British retailer, Harrods, also recently experienced a cyberattack, raising more questions about the adequacy of cyber defence strategies within the retail sector.
M&S is also under investigation by the National Crime Agency and Metropolitan Police, with the attack being linked to the hacking group Scattered Spider. The retailer’s approach so far of keeping quiet on the exact nature of the attack and how it played out will not be sustainable for much longer.
On the plus side, Marks & Spencer’s response to the cyberattack has so far demonstrated resilience, leadership, and a commitment to customer satisfaction. The brand's early communications were widely praised for their clarity and transparency, and for setting a benchmark for crisis management. M&S will be hoping that its proactive approach will maintain customer loyalty – and its reputation as a trusted and reliable retail brand – amid significant operational disruption.
But the long-term impact on M&S’s brand and financial performance will only become clear once the situation is resolved. With online orders still on pause nearly two weeks after the initial attack, it’s still not at all apparent whether, in retrospect, a play on the brand’s well-known food strapline – “This isn’t just crisis communications, it’s M&S crisis communications” – will turn out to be high praise or arch criticism.