“Back to Normal”… Erm, Not Quite.
Once again, a major UK retailer has provided a perfect demonstration of what can happen when the tightly coupled digital payment systems that underpin our seamless consumption lifestyle suddenly buckle. Millions of customers of Marks and Spencer, one of the country’s largest and oldest high street retailers, have had to endure a week of operational chaos after the retailer suffered what it calls a “cyber incident.”
The problems began during the Easter weekend when M&S customers started reporting issues with contactless payments and online order delays. On Tuesday, the company confirmed that it was dealing with a “cyber incident.” Then on Wednesday it told the media that its customer-facing operations were back to normal. That didn’t last long. A day later, it had little choice but to take some operations offline as part of its “proactive management of the incident.”
M&S has also paused click and collect orders and stopped contactless payments being made. Staff at the company’s London HQ were also told to stop using the building’s Wi-Fi.
While M&S has notified data protection supervisory authorities and the National Cyber Security Centre (NCSC), it has not disclosed any concrete details about the nature of the cyber incident. Meanwhile, no ransomware gangs or other threat actors claimed responsibility for the attack, possibly because “the attackers are attempting to pressure M&S into paying an extortion demand,” said cybersecurity firm Cytex.
If ransomware is indeed behind the attack, that data will probably have been stolen and is being used as additional leverage to compel payment. And when it comes to customer data, M&S has huge reams of the stuff. The company has over 5 million store card holders while its Sparks loyalty scheme has over 16 million members globally, including millions of customers in India where it has roughly 100 stores.
The company’s stores have remained open throughout the week. However, in its announcement on Thursday, M&S said it had stopped processing contactless payments, had paused the collection of click and collect orders in stores, and warned of delays to online order deliveries. As the BBC reported on Thursday, the chaos and uncertainty show no sign of letting up as the fallout from the “cyber incident” continues to hamper operations:
Contactless payments have since been restored, the BBC has been told, however this has been questioned by some customers.
BBC staff have described witnessing the impact of the suspension of contactless payments.
At Euston station, in London, shop staff were seen shouting that it was cash only as the payments system was down. Disruption was also seen in Glasgow, and a store at Edinburgh Haymarket seemingly closed early.
M&S says it had made the “decision to move some of our processes offline to protect our colleagues, partners, suppliers and our business”.
But stores remain open and customers could “continue to shop on our website and our app”, the statement added.
But confusion has reigned on social media amongst M&S customers.
The firm has responded to some posts on X (formerly Twitter) in the past few hours advising customers contactless payments can be taken in stores
However, this has been contradicted by some individuals, with one saying: “That is wrong – only chip and pin or cash is working”.
In other words, the legions of shoppers who exclusively use mobile payment apps for their purchases will have walked away empty-handed. According to UK Finance, a British trade association for the UK banking and financial services sector, as many as one-third of UK adults now use mobile contactless payments.
When it comes to embracing contactless payments in general, the UK is ahead of most of its peers, including the US, which explains why payment outages in the UK cause so much chaos. Whereas contactless payments are becoming increasingly common in the US, they are more or less ubiquitous in the UK. Many of my friends from the UK happily boast about not having used cash since the pandemic. Judging by this Reddit thread, it’s a generalised trend.
Contactless transactions in the UK surged from 6.6 billion in 2018 to 18.3 billion in 2023, according to a study by the credit card processor Clearly Payments. To put that in perspective, the US, a country with a population five times larger than the UK’s, registered a slightly lower volume of transactions. The UK’s adoption rate for contactless payments, at 93.4%, is only bettered by Singapore (97%) and Australia (95%), according to Forbes.
* For some reason the study doesn’t seem to treat China’s mobile QR code payments as contactless, which is why it under performs both the UK and the US. In China, According to a 2023 survey by the Payment & Clearing Association of China, the penetration rate of QR code payments in China is 92.7 per cent.
The UK Financial Conduct Authority is even considering scrapping the cap on contactless card payments, which limits the amount shoppers can spend on one purchase to £100. The limit is currently in place to reduce the risk of fraud and ensure consumers can make secure payments.
Removing it would bring the UK in line with the US, where there is no fixed limit. It would also make it even easier for British consumers to spend their money, which would be great news for retailers. The frictionless experience of just tapping and going not only reduces checkout times but also makes it easier for people to spend their money, or bank credit, without thinking about it.
That is also good news for banks. The amount of credit card debt in the UK — and household debt in general — has ballooned so much that it is cutting into people’s ability to get a mortgage, reports the FT. Outstanding balances on credit cards grew at an annual rate of 9.9% in the 12 months to March 2024, according to data from UK Finance.
Most of the articles on the issue in legacy media pin the blame on the cost of living crisis and recent rises in interest rates, while the fact that spending money is quicker, easier and more “painless” than ever — and is about to get even easier — is routinely ignored.
The UK’s love affair with contactless payments comes with another hefty price tag: increased fragility. As regular readers know, this is not the first time that problems with digital payment systems have caused mayhem on the British high street and retail parks…
Read the full article on Naked Capitalism
Nick Corbishley 