UK retailer Marks & Spencer has reinstated online orders for some customers, marking a major milestone in its recovery from a cyberattack in April.
According to an update to its website on Tuesday, “select fashion ranges [are] now available to buy online” in England, Scotland, and Wales.
It’s not a return to normal service yet, however. It said: “delivery to Northern Ireland will resume in the coming weeks,” and that only standard shipping was available to customers.
That standard shipping option also appears to be delayed, with the company saying orders will take up to 10 days to arrive whereas pre-attack they typically arrived in 3-5 days. For deliveries to army bases, these could take up to two weeks.
M&S said this was to help manage customer demand.
“For now, Click & Collect, next day delivery and nominated day delivery, and international ordering are unavailable. We’re working hard to resume these services as soon as possible.”
Click & Collect orders were among the first services M&S pulled offline following the attack. Initially the retailer explicitly said online and app orders were unaffected – but changed its tune just days later.
Since then, the company confirmed customer data was stolen during the attack, the nature of which has not been revealed, despite being strongly rumored to involve DragonForce ransomware.
It also estimated a £300 million ($404.7 million) operating profits loss for the next financial year, although it hopes to reduce this through cost mitigations, insurance and trading actions, it said in its accounts recently.
The admission followed reporting from the Financial Times that M&S was preparing to make a maximum claim on its cyber insurance policy worth around £100 million ($134 million).