“Back to Normal”… Erm, Not Quite.
Once again, a major UK retailer has provided a perfect demonstration of what can happen when the tightly coupled digital payment systems that underpin our seamless consumption lifestyle suddenly buckle. Millions of customers of Marks and Spencer, one of the country’s largest and oldest high street retailers, have had to endure a week of operational mayhem after the retailer suffered what it calls a “cyber incident.”
The problems began during the Easter weekend when M&S customers started reporting issues with contactless payments and online order delays. On Tuesday, the company confirmed that it was dealing with a “cyber incident.” Then, on Wednesday, it told the media that its customer-facing operations were back to normal. But that didn’t last long. A day later, it had little choice but to take some operations offline as part of its “proactive management of the incident.”
M&S has also paused click and collect orders and contactless payments. Staff at the company’s London HQ were also told to stop using the building’s wifi.
While M&S has notified data protection supervisory authorities and the National Cyber Security Centre (NCSC), it has not disclosed any concrete details about the nature of the cyber incident or whether customer data has been compromised. Meanwhile, no ransomware gangs or other threat actors have claimed responsibility for the attack, possibly because “the attackers are attempting to pressure M&S into paying an extortion demand,” said cybersecurity firm Cytex.
If ransomware is indeed behind the attack, customer data will probably have been ransacked and is being used as additional leverage to compel payment. And when it comes to customer data, M&S has vast deposits of the stuff. The company has over 5 million store card holders while its Sparks loyalty scheme has over 16 million members globally, including millions of customers in India where it has roughly 100 stores.
The company’s stores have remained open throughout the week. However, it has stopped taking orders entirely through its website and app, which account for more than a third of its clothing and homeware sales, and contactless payments are still apparently unavailable in stores. As the BBC reported on Thursday, the chaos and uncertainty show no sign of letting up as the fallout from the “cyber incident” continues to hamper operations:
Contactless payments have since been restored, the BBC has been told, however this has been questioned by some customers.
BBC staff have described witnessing the impact of the suspension of contactless payments.
At Euston station, in London, shop staff were seen shouting that it was cash only as the payments system was down. Disruption was also seen in Glasgow, and a store at Edinburgh Haymarket seemingly closed early.
M&S says it had made the “decision to move some of our processes offline to protect our colleagues, partners, suppliers and our business”.
But stores remain open and customers could “continue to shop on our website and our app”, the statement added.
But confusion has reigned on social media amongst M&S customers.
The firm has responded to some posts on X (formerly Twitter) in the past few hours advising customers that contactless payments can be taken in stores.
However, this has been contradicted by some individuals, with one saying: “That is wrong – only chip and pin or cash is working”.
In other words, shoppers who exclusively use mobile payment apps for their purchases will have walked away empty-handed. According to UK Finance, a British trade association for the UK banking and financial services sector, as many as one-third of UK adults now use mobile contactless payments.
When it comes to embracing contactless payments in general, the UK is ahead of most of its peers, including the US, which explains why payment outages in the UK tend to take such a toll. Whereas contactless payments are becoming increasingly common in the US, they are more or less ubiquitous in the UK.
Contactless transactions in the UK surged from 6.6 billion in 2018 to 18.3 billion in 2023, according to a study by the credit card processor Clearly Payments. To put that in perspective, the US, a country with a population five times larger than the UK’s, registered a slightly lower volume of contactless transactions. The UK’s adoption rate for contactless payments, at 93.4%, is only bettered by Singapore (97%) and Australia (95%), according to Forbes.
Part of a Broader Trend
This is not the first time that IT system outages have caused problems on the British high street and retail parks. When Visa’s payment system for Western Europe suffered a 12-hour outage in 2018, the chaos it caused in the UK was particularly acute due to the fact that a staggering £1 in every £3 of all retail spending passed through Visa’s systems, and that was seven years ago!
In May 2024, the supermarket giant Sainsbury’s suffered a massive outage that disabled contactless and mobile payments across all of its stores for an entire Saturday. Sainsbury’s blamed the outage on a software glitch that impacted its online ordering system and contactless in-store payments.
To compound matters, hours after Sainsbury’s system went down, Tesco, the UK’s largest supermarket chain, with some 4,000 stores, announced that it, too, was having to cancel online orders due to a “technical issue.” As we reported at the time, “in a country where the overwhelming majority of people have abandoned cash in favour of the speed and convenience of contactless payments and where banks have been closing branches and ATMs at breakneck speed, making it harder for their customers to access cash, the result was chaos.”
A couple of months later, when the CrowdStrike software glitch brought down global IT networks, the UK was once again disproportionately impacted. Four of the country’s largest newspapers (The Guardian, The Daily Telegraph, The Times and The Daily Mail) even ran articles on how the global IT outage had underscored the fragility of a cashless society. The Daily Mail plastered the message across its front page:
Warnings from Scandinavia
One of the most important arguments in favour of cash, which we keep banging on about, is the resilience it provides to a country’s overarching payments system. Put another way, cash does not crash. It does not fail in a power cut or seize up during a cyber attack or software outage (though, of course, ATMs might). By contrast, digital payment systems generally need a stable and continuous internet connection and power supply to process transactions. They are also vulnerable to cyber attacks.
This is a lesson central bankers in Sweden, one of the world’s most cashless economies, are frantically relearning. From our post, “The World’s Oldest Central Bank Keeps Sounding Alarm on Fragility of Cashless Economies. Are Other Central Banks Listening?”
After playing a part in the wholesale removal of cash from Sweden’s economy, the Riksbank is now trying to reverse some of the damage it has caused. It is not the only Scandinavian central bank to have flagged up the fragility risks of exclusively digital payment systems. In 2022, the Bank of Finland recommended that the use of cash payments be guaranteed by law. Like all Nordic countries, Finland is a largely cash-free economy. But like Sweden, it has begun to see the risks of going too far, too soon.
Since then, Norway has also brought in legislation that means retailers can be fined or sanctioned if they refuse to accept cash. The government has also urged citizens to “keep some cash on hand due to the vulnerabilities of digital payment solutions to cyber-attacks”. As The Guardian put it, “Nordic countries were early adopters of digital payments. Now, electronic banking is seen as a potential threat to national security.”
The same, unfortunately, cannot be said of the UK, where successive governments refuse to take any action to protect the use of cash in retail settings. It is also becoming more and more difficult to use cash to pay for basic services, including car parks, train buffets and leisure centres.
“The vast majority of the public want cash to be honoured as a payment,” said Ron Delnevo, chair of the Payment Choice Alliance, which campaigns for the long-term future of cash services. Delnevo pointed to a survey conducted by YouGov in June 2023 on behalf of the alliance, which revealed that 71% of British adults would support a legal requirement for businesses to accept cash.
An early day motion tabled in parliament in February called for the government to implement legislation to require all businesses in the UK to accept cash, but ministers have steadfastly refused.
This makes it all the more impressive that cash use has rebounded for the past two years despite the concerted efforts by the government, banks and retailers to limit its use. With a little luck, the past week’s mayhem at Marks & Spencer will help to accentuate this trend. One also hopes that companies are taking stock of these events and realising that their business continuity plans must contain analogue backups that allow transactions to continue with cash in store.
Thank you, Nick.
It’s not just regulatory capture. Business continuity just isn’t taken seriously by the government and firms.
That goes for energy security, too, despite Starmer’s “performance” a couple of days ago.
In November 2021, I was offered the post of head of operational risk and resilience policy, which includes cyber security, at the Bank of England. Two days before, I had accepted an offer, also financially better, from my current employer, which I sometimes regret.
I had three interviews, the first two included presentations by me, and was told that “this was an opportunity to raise the profile of the work and team as the governor wasn’t interested”.
It turns out that Whitehall isn’t either, as last year the post of head of cyber security at the Treasury came up for, frankly, a laughable (and same) amount for that level of personal risk (if something goes wrong).
In mid-March, I listened to the BBC give the CEO of Heathrow airport a hard time over the power outage. If the CEO spent money on business continuity, he would not have a job for long. It’s that simple, a point I made to the interview panel and explained how to get around it.
Thanks, Colonel. In researching for this post, I was staggered to learn that the annual Cyber Security Breaches Survey, released by the UK Government, revealed a decline in board-level responsibility for cybersecurity within businesses, even as cyber attacks continue to threaten companies at an unprecedented scale. From Security Brief:
Thank you, Nick.
I can imagine.
When presenting to the interview panel in November 2021, quick interview process, I highlighted the neglect and explained how and why the executives (CEO and head of risk) and non-execs (audit and risk committee) should be held to account and the responsibility imposed on them. If they don’t want the responsibility, they can’t have the job. I suggested some proportionality based on criticality.
It was made clear to me that my ideas would be a hard sell politically. I said I was happy to suggest and maybe row back. I also said that I was well aware of the BS banks would come up with, being a bankster and former lobbyist.
I chatted with a headhunter last week. Apparently, firms are beginning to panic after new rules came into force last month, so I may move on.
Is this only a matter of cyber security (cyber attacks) or are there other possible failures on the systems which have to be dealt with to ensure such business continuity? Software bugs, connectivity accidents, electrical accidents etc. At least one of those problems listed by Nick looked like a bug in the system, not a cyber attack.
Yes, Ignacio, many of the biggest system outages have been a result of software glitches or botched updates, including the CrowdStrike outage that brought down global IT systems in July last year.
Bringing back cash is always a good idea but there must be systems in place to be able to handle it. I have seen a local supermarket close their doors during a power outage which upon reflection is ridiculous. All that food is still on the shelves. All the customers had the cash to buy that stuff. But because their digital cash registers could not connect to the internet much less power up, they were forced to shut their doors. The way to solve this would be to have cash registers that would operate like modern ones. But if the power supply or the net fell over, then they should be able to process payments through a battery powered backup system. Cards and contactless payments may be out of the question but cash would still be working just fine. Then when the power/net came back online, all the transactions kept on the flash drive could then be transmitted to update the company’s main computers.
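The store-and-forward till sketched in the comment above, written out as an added Python example (not code from the page, M&S or any retailer): cash sales are journaled to local storage first, card and contactless tenders are refused while the link is down, and the journal is replayed to a hypothetical head-office `uplink` once connectivity returns, without resending sales head office has already confirmed. The `uplink` callable, the journal file layout and the transaction fields are assumptions.

```python
import json
import os
import uuid
from datetime import datetime, timezone

class OfflineTill:
    def __init__(self, journal_path, uplink):
        self.journal_path = journal_path  # append-only local journal (the "flash drive")
        self.acked_path = journal_path + ".acked"  # ids head office has confirmed
        self.uplink = uplink  # hypothetical callable(txn); raises ConnectionError when the link is down
        self.online = True  # would also be maintained by a connectivity monitor (not shown)

    def sale(self, amount_pence, tender):
        """Journal one sale locally first; card/contactless are refused while offline."""
        if not self.online and tender != "cash":
            raise ValueError(f"{tender} unavailable: cash only while offline")
        txn = {"id": str(uuid.uuid4()), "amount_pence": amount_pence,
               "tender": tender, "ts": datetime.now(timezone.utc).isoformat()}
        with open(self.journal_path, "a", encoding="utf-8") as f:
            f.write(json.dumps(txn) + "\n")
            f.flush()
            os.fsync(f.fileno())  # durable before the receipt prints, even in a power cut
        if self.online:
            self.sync()  # best effort; a failure here flips the till to offline mode
        return txn["id"]

    def pending(self):
        """Journaled sales that head office has not yet confirmed, oldest first."""
        acked = set()
        if os.path.exists(self.acked_path):
            with open(self.acked_path, encoding="utf-8") as f:
                acked = {line.strip() for line in f}
        if not os.path.exists(self.journal_path):
            return []
        with open(self.journal_path, encoding="utf-8") as f:
            return [t for t in map(json.loads, f) if t["id"] not in acked]

    def sync(self):
        """Replay unconfirmed sales in order; stop at the first link failure."""
        for txn in self.pending():
            try:
                self.uplink(txn)  # head office dedups on txn["id"], so a retry is safe
            except ConnectionError:
                self.online = False
                return False
            with open(self.acked_path, "a", encoding="utf-8") as f:
                f.write(txn["id"] + "\n")  # acknowledge only after head office has it
        self.online = True
        return True
```

The journal and the acknowledgement file are separate so that a crash between sending and acknowledging leaves the sale pending rather than lost; the head-office side is assumed to deduplicate on the transaction id.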
Yup – but this type of thinking was apparently beyond the supermarket management’s ability. Instead they took the stupidest and simplest and most wasteful approach. What a gang of maroons. Wasn’t it Sainsbury’s that just shut down rather than come up with a simple solution? If so, it seems a good time to sell their stock considering the incompetence of management.
At least Marks and Sparks figured out how to handle cash transactions.
My mum used to work for Woolworths back in the 90s. Their tills could still be opened and closed if there was no power. However, whenever there was a power cut she would end up being the only person manning a till because no one else could do the sums in their head for calculating price and change and so on.
I was making a pit stop in a town in NZ a couple of years ago when the power went out across town. Couldn’t put gas in my car because the payment system on the pumps didn’t work, so we went to look for lunch to tide us over. But of course, most of the shops and restaurants were closed because they couldn’t process payment, either.
There was one Middle Eastern take-away place on the corner across from the gas station. Their register didn’t work, either, but they quickly pivoted to doing cash sales, and for an hour they were as good a monopoly as Amazon, feeding every hungry person in town. All because they were owner-operated and weren’t afraid to do the math in their heads! Then the power came back on and life went back to “normal”.
I shopped at M&S several times in the last week, including during the contactless outage. It was a minor distraction. You just had to insert your card. The employees didn’t know much about the cause. It did not seem to be costing them business.
Thanks for the heads-up, ThatGuy.
“It did not seem to be costing them business.”
This may well have been the case in the store you visited — one out of more than 1,000 in the UK. As M&S itself has admitted, it has paused taking orders from its website and app, which clearly suggests it is costing them some business. Just over a third of its clothing and homeware sales are made online. Once the dust settles, the company will presumably have to pay out compensation to the customers most affected. That’s before we even get to the question of what has happened to customer data…
Some other notes on my trip (I am from the US). 1. I did not spend any paper pounds. 2. The point of sale machines often asked if I wished to be charged in pounds or dollars. 3. Much of London is covered in small currency exchange shops, more than for souvenirs, almost as many as restaurants. I suspect remittances were part of their business. Given the ease of card use, I would be surprised if it was mostly paper currency conversion. Rates were typically posted for 5+ currencies, even at small shops.
Just asked my dad if he used card or cash when buying stuff recently at M&S. My long COVID has been awful so I can’t be a good carer for mum. Thankfully he had been using cash to buy meals etc.
Meanwhile my white blood cell counts are terrible….. which in some ways makes me feel better…..FINALLY I have demonstrable evidence consistent with long COVID. Of course it also means I must largely self isolate because I’m heavily immunocompromised with very few white blood cells….. but that’s progress…. from certain point of view!
BTW if I’m quiet for a while please understand….. the NHS uses 5 letter codes for diagnoses or suspected diagnoses….. mine is a weird one but I tracked it down eventually….. it’s not a good one. NOT the most likely condition at this stage but it’s on their radar.
BTW I sent a link about another UK institution: Boots the chemist. 95% sure it’s gonna be shut down by private equity.