Marks & Spencer (M&S), one of Britain’s top retailers, announced on Wednesday that a “highly sophisticated and targeted” cyberattack will cost the company around £300 million (approximately $403 million) in lost operating profit. The retailer expects ongoing disruption to its online services through July.
The attack forced M&S to shut down its automated stock systems, reverting to manual operations using pen and paper. This severely impacted supply chains, leading to empty food shelves and frustrated shoppers.
While the company's physical stores have stayed resilient, its online clothing service remains offline nearly a month later. A full return to normal operations isn't expected until July. The incident has also wiped more than £1 billion off M&S’s market value.
A setback amid strong recovery
Chairman Archie Norman noted that M&S had been showing promising growth after years of transformation:
“Just as you think you’re on a winning streak, something comes along to knock you back.”
M&S reported £984.5 million in operating profit for the year ending March 29. The cyberattack is expected to impact earnings through March 2026, though the company hopes to recover some of the losses through insurance and cost-cutting measures.
Online sales in the clothing, home, and beauty divisions were "heavily impacted," though in-store sales remained stable. CEO Stuart Machin said 85% of clothing and home products should be back online in the coming weeks.
In the food segment, M&S experienced higher waste and logistics costs due to stock management issues, though sales have since improved.
Despite the disruption, M&S shares fell just 3% initially and later rebounded to a 1% gain.
Response and future plans
The company will now fast-track its technology overhaul, compressing a two-year digital transformation plan into just six months.
“We’re focused on restoring systems and operations and emerging from this crisis stronger,” M&S said.
M&S confirmed that some customer data was compromised but refused to say whether a ransom was paid. Machin attributed the breach to “human error” exploited through “social engineering” but emphasized this was not due to underinvestment in cybersecurity.
Wider industry impact
The attack on M&S is part of a broader trend of cyber threats targeting UK institutions, with similar disruptions recently hitting the British Library, Co-op, Harrods, and London Underground. Globally, companies like Google have reported escalating threats from cybercriminals.
Retailers such as Next, John Lewis, Tesco, and Sainsbury’s may benefit from M&S's temporary online setbacks.
M&S had recently seen its strongest financial performance in 15 years, with a 22.2% increase in adjusted pretax profit and a 6.1% rise in total sales, including an 8.7% boost in food and 3.5% in clothing and home.
Photo by GianniM, Wikimedia Commons.