M&S warns of £300M dent in profits from cyberattack

Marks & Spencer says the disruption related to its ongoing cyberattack is likely to knock around £300 million off its operating profits for the next financial year.

The beleaguered high street retailer made the admission in its fiscal 2025 profit and loss accounts for the year ended March 29, published on Wednesday, following reports that it could be gearing up to make a maximum claim on its cyber insurance policy to the tune of £100 million.

The £300 million figure will be reduced through cost mitigations, insurance, and trading actions, M&S said, and it's expected that the total costs related to the attack itself and technical recovery will be communicated at a later date as an adjustment item.

CEO Stuart Machin said in the results release: "Over the last few weeks, we have been managing a highly sophisticated and targeted cyberattack, which has led to a limited period of disruption. We have tackled this head-on with incredible spirit, teamwork, and a deep sense of responsibility as we prioritised serving our customers. It has been challenging, but it is a moment in time, and we are now focused on recovery, with the aim of exiting this period a much stronger business. There is no change to our strategy and our longer-term plans to reshape M&S for growth and, if anything, the incident allows us to accelerate the pace of change as we draw a line and move on."

The retailer said it wanted to make the most of the crisis "the opportunity" provided by the attack to accelerate a technical transformation, without detailing exactly what that transformation entailed.

After briefly managing to keep online and app sales running post-breach, these were eventually taken offline along with other systems, and the company said online sales and trading profit was "heavily impacted" as a result. Online sales in its fashion, home, and beauty divisions remain unavailable and are not expected to return until several months after the hack, M&S revealed. After posting its results this morning, M&S's share price was down 3 percent at the time of writing, and about 12 percent down since the start of the attack, representing a more than £1 billion loss to its market valuation.

M&S disclosed the attack on April 22, and responsibility was soon ascribed to the English-speaking group known as Scattered Spider, who reportedly used DragonForce ransomware to infect the retailer's systems. DragonForce said it was also involved in the attacks on Co-op and Harrods, but none of the companies have yet appeared on its leak site, which is unexpected for intrusions that took place nearly a month ago.

M&S confirmed last week that those responsible stole customer data including names, dates of birth, telephone numbers, home addresses, household information, email addresses, and online order histories.