Currently there appears to be a relatively significant cyber security incident at Marks and Spencer. So I thought I would give a demo of using AI (LLM, GROK) to create a timeline:
(since this is generated by an LLM please take this with a health pinch of salt, I wanted however to show the actual content and method I’ve used so people can understand it)

This is what it created:

The Marks & Spencer (M&S) cybersecurity incident that began in April 2025 caused significant disruptions to its store operations, particularly affecting contactless payments and click-and-collect services. Below is a detailed timeline of the incident based on available information, presented in chronological order with key developments and responses. All times are in BST unless otherwise noted, and the timeline focuses on events reported up to April 26, 2025, the current date.
Timeline of the Marks & Spencer Cybersecurity Incident
Saturday, April 19, 2025 (Easter Weekend)
Event: Customers begin reporting issues with M&S store operations, specifically with contactless payments and click-and-collect services. Social media posts highlight problems, such as a shopper in Plymouth unable to collect an online purchase or return an item due to tills being down. Another customer in Beckenham, London, reports similar issues with pickups and returns.
Details: This appears to be an initial, separate technical issue affecting contactless payments, distinct from the broader cyber incident later confirmed. M&S does not yet publicly acknowledge these issues as a cyberattack.
Monday, April 21, 2025
Event: The cybersecurity incident begins, impacting contactless payments and click-and-collect services across M&S stores nationwide. Customers report widespread disruptions, including inability to use gift cards or vouchers in some stores.
Details: Shoppers continue to voice frustrations on social media, describing operational chaos, such as stores unable to process returns or hand over click-and-collect orders. M&S has not yet publicly confirmed the cyber incident, but internal awareness of the issue likely begins around this time.
Tuesday, April 22, 2025
Morning (Before 14:31 BST):
Event: M&S officially confirms the cybersecurity incident in a filing with the London Stock Exchange and notifies relevant authorities, including the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO).
Details: The retailer states it has been “managing a cyber incident” for the past few days, necessitating “minor, temporary changes” to store operations to protect customers and the business. Stores remain open, and the website and app are reported as operational. M&S engages external cybersecurity experts to investigate and manage the incident.
14:31 BST:
Event: Reuters reports M&S’s acknowledgment of the cyber incident, noting temporary operational changes but no specifics on the nature of the attack.
14:57 BST:
Event: The Guardian publishes a report detailing the incident’s impact on contactless payments and click-and-collect services, with M&S apologizing for delays. The retailer suggests no customer data has been accessed and assures customers no action is needed.
15:20 BST:
Event: TechCrunch reports on the incident, citing a customer notice from M&S CEO Stuart Machin. The notice confirms the cyber incident and ongoing operational changes, with stores open and the website/app functioning normally. One customer reports in-store payment card terminals failing.
16:01 BST:
Event: A post on X by 
@TheLawMap
 highlights M&S’s apology and the incident’s impact on contactless payments and online orders, noting the NCSC’s involvement.
18:17 BST:
Event: BBC News reports customer complaints about disrupted click-and-collect services, contactless payments, and voucher usage. M&S reiterates its engagement with cybersecurity experts and the NCSC. An ICO spokesperson confirms they are assessing information provided by M&S.
18:27 BST:
Event: The Irish Independent reports M&S’s apology, noting restored contactless payments but ongoing disruptions to click-and-collect orders and returns. Cybersecurity expert Jake Moore comments on the incident’s public impact, suggesting no customer data was compromised.
19:49 BST:
Event: A post on X by 
@cetsat
 references M&S’s apology for the cyberattack, which disrupted contactless payments over the Easter weekend.
Wednesday, April 23, 2025
00:26 BST:
Event: BleepingComputer reports M&S’s disclosure of the cyberattack, emphasizing disruptions to click-and-collect services and the involvement of external cybersecurity experts. No specific details on the attack’s nature are provided.
03:08 BST:
Event: The Mirror reports on the incident’s impact on contactless payments and online orders, quoting M&S’s statement about “minor, temporary changes” and customer frustrations over poor communication.
04:46 BST:
Event: The Register reports M&S’s tight-lipped stance on incident details, confirming click-and-collect disruptions via an email from CEO Stuart Machin. The retailer notes no customer action is required and highlights NCSC and ICO notifications.
09:05 BST:
Event: The Daily Mail describes customer “pandemonium” over the Easter weekend due to disrupted services. CEO Stuart Machin’s social media message apologizes and confirms ongoing issues with click-and-collect.
11:20 BST:
Event: SecurityWeek reports M&S’s service disruptions, speculating about a possible ransomware attack due to the nature of the impact, though unconfirmed. The retailer continues to withhold detailed information.
11:59 BST:
Event: TechRadar advises customers to change passwords and stay vigilant for phishing scams, despite no confirmed data breach. No cybercrime group has claimed responsibility, and M&S has not clarified the incident’s nature.
13:42–21:41 BST:
Event: Posts on X by 
@syedaquib77
 provide threat alerts, suggesting possible ransomware involvement or organized crime targeting retailers during peak periods. These posts speculate on attribution but lack official confirmation.
20:15 BST:
Event: Dark Reading reports M&S’s notification to the ICO and NCSC, with no threat actor identified. The retailer assures customers no action is needed but provides no further details.
23:55 BST:
Event: M&S publishes an update on its corporate website, confirming ongoing operational changes, including suspended contactless payments and click-and-collect services. The retailer has moved some processes offline to protect its network, a move consistent with ransomware response strategies. M&S expresses gratitude for customer support and notes industry-leading experts are assisting.
Thursday, April 24, 2025
07:27–12:28 BST:
Event: Posts on X by 
@TechnicalNewsHQ
 highlight the incident’s scale, affecting M&S’s 1,000 UK stores, with chaos from disabled contactless payments and delayed click-and-collect services.
18:30 BST:
Event: The Register reports that contactless payments remain down, and click-and-collect orders are suspended. M&S confirms moving internal processes offline, aligning with ransomware mitigation tactics, though ransomware is not officially confirmed.
18:38 BST:
Event: Computer Weekly notes that contactless payments and click-and-collect services are still unavailable 72 hours after the incident’s start. M&S receives praise for transparent communication but faces speculation about ransomware. Cybersecurity expert Vonny Gamot warns of potential phishing scams exploiting the incident.
Late Thursday (Exact Time Unspecified):
Event: M&S restores contactless payments in stores, though some customers question the reliability of this claim. Click-and-collect services remain disrupted.
Friday, April 25, 2025
08:05 BST:
Event: Bloomberg reports that M&S has paused all online orders on its website and app as part of its “proactive management” of the cyber incident. The company’s shares drop by 4.3% in London trading.
11:15 BST:
Event: BBC News reports further chaos for shoppers, with M&S confirming the suspension of contactless payments and click-and-collect services. Some stores, like Edinburgh Haymarket, close early, and staff at London’s Euston station announce cash-only payments. Contactless payments are reportedly restored, but customer skepticism persists.
14:28 BST:
Event: BBC News reports that M&S has entirely halted online orders across its website and apps, including food and clothing, and will refund orders placed on Friday. The retailer’s shares fall by 5% but later recover slightly. M&S apologizes on X, emphasizing efforts to restore online operations with expert support. The NCSC and National Crime Agency are assisting. Cybersecurity expert Nathaniel Jones notes the attack’s severe impact on revenue streams.
14:37 BST:
Event: Reuters reports the online order suspension in the UK and Ireland, with M&S’s shares down 5%. The retailer confirms some international websites are also pausing orders.
15:36 BST:
Event: The Guardian reports that M&S has halted all online orders, with contactless payments restored late Thursday. Security experts warn of scammers exploiting the incident, and Nicholas Found from Retail Economics calls it a systemic risk for the retail sector. Customers can browse online but cannot place new orders; existing orders can be collected once notified.
Saturday, April 26, 2025 (Current Date)
Morning (As of 11:16 BST):
Status: Online orders remain paused on M&S’s website and apps in the UK and Ireland, as per the latest reports. Stores are open, and customers can shop in-person using cash or card. Contactless payments are reportedly restored, though some disruptions to click-and-collect services and online order deliveries may persist.
Ongoing Efforts: M&S continues to work with leading cybersecurity experts, the NCSC, and the National Crime Agency to investigate and mitigate the incident. No official confirmation of the attack’s nature (e.g., ransomware) or any customer data breach has been provided.
Customer Guidance: M&S maintains that no customer action is required but advises vigilance for phishing scams. Experts recommend changing passwords and monitoring bank accounts as a precaution.
Key Observations and Context
Nature of the Incident: M&S has not disclosed whether the incident involves ransomware, though experts speculate this due to the offline movement of processes and the timing during a high-traffic Easter period. No cybercrime group has claimed responsibility, and no customer data breaches have been confirmed.
Impact: The incident disrupted contactless payments, click-and-collect services, and online orders, affecting M&S’s 1,000+ UK stores and some international operations. The suspension of online orders on April 25 marked a significant escalation, impacting revenue and leading to a 5% share price drop.
Response: M&S has been praised for transparent communication, promptly notifying customers, the NCSC, ICO, and investors. The retailer’s proactive measures, such as pausing online orders and moving processes offline, align with standard cybersecurity incident management.
Broader Context: The retail sector is increasingly targeted by cyberattacks, with ransomware cases rising 50% from January to February 2025. Similar incidents have hit Transport for London and Royal Mail in recent years, highlighting systemic vulnerabilities in retail’s omnichannel operations.
Notes
The timeline is based on publicly available reports and may not capture internal actions or unreported developments. M&S’s limited disclosure on the incident’s specifics leaves some gaps in understanding its full scope.
Customers are advised to monitor official M&S communications for updates and remain cautious of phishing attempts exploiting the incident.
If further details emerge after April 26, 2025, they may clarify the attack’s nature, impact, or resolution.
This timeline provides a comprehensive overview of the M&S cybersecurity incident as of the current date, drawing on credible sources to ensure accuracy and detail. For the latest updates, customers should refer to M&S’s official channels or trusted news outlets.

This is the current message here:
https://corporate.marksandspencer.com/media/press-releases/cyber-incident-further-update-0

and here:

https://corporate.marksandspencer.com/media/press-releases/cyber-incident-further-update

https://corporate.marksandspencer.com/media/press-releases

There are also updates to the Stock Market:

https://www.londonstockexchange.com/news-article/MKS/cyber-incident-update/16999905

I also used AI to generate a timeline with a tool I have created (with AI):
https://mr-r3b00t.github.io/soc_chef/tools/timeline_creator.html
That was by importing a JSON file created by GROK.

Hopefully they are getting all the support they need and the IT/IR teams are ok! Incidents are terrible, especially major ones.