While the retailer was initially quick to inform customers of the breach, subsequent updates have been lacking.
Friday’s message from chief executive Stuart Machin saying sorry is the first public statement from the company for a week and only the third one it has put out in total. And there was no mention of when normal business would resume.
M&S has not commented on the nature of the cyber attack, which is not unusual in cases like this, but experts say the uncertainty risks damaging consumer trust in the brand.
“In today’s hyper-connected world, silence can be unsettling, particularly when trust and transparency are the most valuable commodities a brand can offer,” says Kate Hardcastle, a consumer expert and business adviser.
Susannah Streeter from financial services company Hargreaves Lansdown says there is no indication that M&S is not meeting its legal obligations, given there is a holding statement on its website.
“However, good communication and transparency will be vital to restore confidence in the company and its systems,” she says.
“There is a risk emerging for the company in terms of reputational damage, the longer the crisis continues.”