British retailer Marks & Spencer announced on May 21, 2025, that a highly sophisticated and targeted cyberattack would cost the company approximately £300 million ($403 million) in lost operating profits for the current fiscal year.
The cyber incident, first detected around Easter weekend, has severely disrupted M&S’s online services, forcing the suspension of online orders, contactless payments, and click-and-collect operations.
M&S operates 565 stores across the UK and employs about 64,000 people.
The attack has impacted multiple business segments, with the fashion, home, and beauty divisions experiencing significant losses due to halted online sales and trading profits.
Food sales were also affected by reduced availability on shelves, increased waste, and higher logistics costs as the company reverted to manual processes.
While in-store sales have remained relatively robust, the disruption to online operations is expected to continue through June and into July as M&S gradually restores its systems and ramps up operations.
Chief Executive Stuart Machin attributed the breach to “human error” that allowed hackers to gain access via a third party, pointing out that the company was not underinvested in cybersecurity but was simply unlucky on that day.
The cyberattack erased over £1 billion from M&S’s market capitalisation and has forced the retailer to accelerate its technology improvement plans, condensing a previously planned two-year upgrade into six months to prevent future incidents.
M&S has reported that some customer personal data, including names, dates of birth, addresses, and phone numbers, was stolen, but no payment card details or passwords were compromised.
The company is working with law enforcement and relevant authorities to investigate the attack.
Despite the setback, M&S remains optimistic about mitigating the overall financial impact through cost management, insurance, and other trading measures.
The cyberattack represents roughly a 30 per cent hit to the company’s annual operating profit, which stood at £985 million before adjusting items for the year ending March 2025.
Machin stated that the incident, while challenging, will not alter the company’s long-term strategy and may accelerate its transformation efforts.
