Customers at H&M stores across the UK have been unable to purchase products for several hours today, following an apparent failure in the company’s payments system. A worker at one store in London told that their location had been unable sell items for around two hours.
It is not currently known if online customers have been affected by the issue, and the cause of the outage has not yet been revealed. A spokesperson for H&M told : ‘We are aware of the problem and are looking into resolving it as quickly as possible.
‘We apologise to our customers for the inconvenience.’ The incident comes after British retail institutions like M&S and Co-op were hit with severe cyber attacks that crippled them. In late April, Co-op was forced to shut down parts of its IT systems after hackers tried to illegally access them, and that it only had a ‘small impact’ on its operations.
The firm later admitted that despite this, hackers ‘accessed data relating to a significant number of our current and past members. Meanwhile, M&S stores up and down the country were left with empty shelves after it faced an Easter weekend cyber attack. The company admitted that personal information of customers, which could include telephone numbers, home addresses and dates of birth, were taken. M&S said that the data thieves did not take usable payment or card information from their servers.
Luxury jewelry firm Cartier and outdoor retailer The North Face then became the latest retailers to report customer data being stolen in cyber attacks . Watchmaker Cartier told customers in an email that ‘an unauthorised party gained temporary access’ to its system and ‘obtained limited client information’. The firm – whose items have been worn by Taylor Swift , Angelina Jolie and Michelle Obama – revealed names, email addresses and countries had been obtained.
But Cartier, which is owned by Swiss-based Richemont, said the ‘affected information did not include any passwords, credit card details or other banking information’. The company said it further enhanced the protection of its systems and data, told the relevant authorities and was working with ‘leading external cyber security experts’. Separately, fashion brand The North Face, owned by VF Corporation, emailed some of its customers to tell them it discovered a ‘small scale’ attack in April this year.
The brand said names and email addresses were taken, but financial details were not – with the company revealing hackers used ‘credential stuffing’, reported BBC News. This involves trying usernames and passwords stolen from another data breach in the hope customers have reused the credentials across multiple accounts. North Face said attackers may have got hold of some customers’ postal addresses and purchase histories. A North Face spokeswoman told : ‘The cyber incident you are referring to is a small-scale cyber incident occurred on April 23, 2025, affecting our The North Face e-commerce website in the US only.
‘The incident was contained very quickly on the same day it occurred. There was no impact on our systems and/or our consumer data in Europe whatsoever, including in the UK.’ Cyber security expert Julius Cerniauskas, chief executive of web intelligence firm Oxylabs, told that the latest breaches ‘send a clear message that no brand is safe from cybercrime, not even the biggest names with the deepest pockets’. He added: ‘Attackers are becoming more opportunistic and sophisticated, targeting brands that hold valuable customer data, not just credit card numbers.
‘In the case of The North Face, credential stuffing shows how recycled passwords from past breaches continue to fuel new attacks. ‘Cartier’s incident demonstrates how even well-defended systems can be compromised. Whether it’s luxury retail or everyday consumer brands, hackers are finding weak spots and exploiting them fast.’ Mr Cerniauskas urged retailers to ‘respond with more than apologies’, encouraging them to enforce multi-factor authentication, tighten access controls and constantly monitor for threats.
Speaking further about ‘credential stuffing’, Joe Jones, chief executive and founder of Pistachio, a cybersecurity attack simulation company, said consumers reusing passwords across multiple sites were a ‘sitting duck’ for breaches of this type. He told : ‘Credential stuffing, the method used here, only works because people reuse the same login details. ‘If you’ve been caught in this breach, change your passwords immediately – especially if they match accounts like email or banking. ‘Enable app-based two-factor authentication, not SMS, and remain hyper alert to scam emails, texts or even fake calls.’