Cyber Attack to Cost UK Retailer $400 Million in Operating Profit, Marks and Spencers Says

UK retail Marks & Spencer says that the recent sophisticated cyberattack will cost it $400 million in operating profit. According to Reuters, disruptions due to the Marks and Spencer cyberattack on the company’s online service could last till July as the company ramps up operations and restarts its systems.

A Major Setback

The data breach on the British retailer has forced M&S to suspend its automated stock system. The company reverted to pen and paper in order to move drinks, fresh food and clothing. This change frustrated customers, leading to empty food shelves.

Marks and Spencer said online sales and profits in its home, clothing, and beauty division were heavily affected by the suspension of online shopping. However, in-store sales remained resilient.

A month after the M&S cyber incident, the company’s huge online clothing service remains offline. The attack has also wiped off over a billion pounds off the company’s stock market value.

The company said the attack happened at a time when the company’s turnaround plan was beginning to yield results. M&S has been executing the plan since 2022.

“But in business life, just as you think you’re onto a good streak, events have a way of putting you on your backside,” M&S Chairman Archie Norman said.

The company hopes to reduce its operating profit loss by 50% through cost control and insurance. M&S currently has 65,000 employees working across its 565 stores.

Restoring Operations

M&S says it expects to resume online sales in the coming weeks. Speaking to reporters, CEO Stuart Machin said the company expects to have at least 85% of its home and clothing lines to be available online in a few weeks.

The company admitted that its food line has been experiencing scarcity, high wastage, and logistic costs. Last week, food sales had started to recover. This recovery has reflected on M&S stocks as share prices surged 2%, cutting the losses that the company has suffered since the attack to 9%.

“The cyberattack, whilst frustrating, is hopefully a one-off event and today’s update has allowed the market to draw a line under the potential costs,” Redwheel fund manager Ian Lance said.

Redwheel is one of the largest M&S investors. In the financial year ending March 29, M&S reported operating profit amounting to 984.5 million pounds. The UK retailer reported 984.5 million pounds in operating profit in the year ended March 29.

Prior to the attack, the financial performance of M&S was strong. In the 2024/25 financial year, M&S’ operating performance surpassed analyst expectations. According to Lance, this performance was a reflection of the retailer’s intrinsic value.

The retailer’s adjusted pretax profit rose by 22.2% in 2024/25. This is the highest increase over the last 15 years. Overall, the retailer reported a 6.1% increase in sales revenue to 13.6 billion pounds, with sales from clothing, beauty, and home increasing by 3.5%.

Internal Improvements

M&S said it had not overlooked cyber security matters internally. However, the company plans to use the retail industry hacking to accelerate tech improvements. Machin did not disclose whether the retailer had paid a ransom.

However, he said the period between the hacking incident and detection of the attack was minimal. The company reported that hackers used social engineering to trick staff at a third-party contractor.

“We didn’t leave the door open. This wasn’t anything to do with underinvestment,” Machin said.

In recent years, UK enterprises and institutions have suffered regular ransomware and cyber attacks that have resulted in major disruptions. Last week, M&S said that hackers stole some personal data during the incident. UK’s Harrods and Co-op companies have also suffered cyber attacks. Following the attacks, Google said the hackers were targeting retailers across the globe and US companies.