Marks & Spencer Faces £300 Million Loss After Cyberattack
The UK-based retailer Marks & Spencer Group Plc has estimated a significant £300 million (US$403 million) reduction in operating profit for the current fiscal year following a cyberattack that occurred in April 2025. The company plans to mitigate the financial impact through cost-cutting measures and potential insurance recoveries.
The cyberattack, first disclosed on April 22, led to the suspension of contactless payment services and the shutdown of certain IT systems. This disruption resulted in stock shortages across stores and affected both clothing and food sales. Online operations, which generate over £3 million in daily sales, remain suspended with expected continued disruption into July.
Food sales have been particularly affected due to lower product availability, though the company noted that availability is gradually improving. The first quarter’s profit was impacted by additional waste and increased logistics costs stemming from the need to switch to manual processing systems. M&S later confirmed that some customer data had been compromised during the breach.
The incident has had a noticeable impact on M&S shares, which have declined 10% since the cyber incident. However, they remain 34% higher compared to the same period last year. The UK retail sector has seen a significant increase in cyberattacks recently, with other major retailers like Co-op and Harrods also being targeted.
The broader context of cybercrime in the UK shows a concerning trend. The British Library faced a ransomware attack in October 2023, resulting in the theft of approximately 600GB of data and estimated recovery costs of £6 to 7 million. The UK’s National Cyber Security Centre reported a doubling of ‘nationally significant’ cyber incidents, with 89 such events recorded in 2024, including 12 critical incidents. Research indicates that cyber incidents have cost UK businesses approximately £44 billion in lost revenue over the past five years.
While M&S works to recover from the attack, the incident highlights the growing challenge of cyber security in the retail sector. The company will likely rely on cost-cutting measures and insurance claims to offset the financial impact, with expected insurance claims potentially exceeding £100 million.
