M&S cyber attack could cost £300 million, disruptions expected until July

Marks & Spencer (M&S) has warned investors that the recent cyberattack could lead to a substantial £300 million hit to its trading profits for the current financial year.

The retail giant anticipates that operational disruptions, particularly to its online channels, may persist throughout June and into July.

The ransomware attack, first disclosed on April 22nd, has already seen more than £1 billion wiped from M&S’s stock market value. The company’s online ordering capabilities have been severely impacted, with website sales expected to resume only partially in the coming weeks.

This prolonged outage is the primary driver of the projected profit reduction, alongside increased costs related to waste, logistics and the need to operate manual processes in its food division.

The cyberattack is widely believed to be the work of Scattered Spider, an English-speaking hacking collective, reportedly using tools from the cybercrime service DragonForce. While M&S and other recently targeted retailers like the Co-op and Harrods have confirmed that personal customer data (names and contact details) was compromised, they maintain that payment information remains secure.

Stuart Machin, M&S Chief Executive, acknowledged the severity of the situation, describing it as a “highly sophisticated cyber incident” that his team has been working “around the clock” to contain.

Despite the challenges, Machin expressed optimism for the future, stating: “This incident is a bump in the road, and we will come out of this in better shape, and continue our plan to reshape M&S for customers, colleagues and shareholders.” He also suggested the incident could “accelerate the pace of improvement of our technology transformation.”

The profit warning comes despite M&S announcing strong financial results for the year ending March 29th, with trading profits at a 15-year high of £875.5 million.

However, the ongoing disruption is now casting a shadow over the retailer’s outlook for the current year with the expected £300 million hit from the cyber attack much more than many analysts had expected – the equivalent of a 30% reduction in the retailer’s profits.

Say Reena Sewraz, Which? Retail Editor:

“This disruption and the impact on M&S and its customers has come at a time when the retailer was riding high. In our recent supermarkets survey, M&S topped the table for in-store shopping for the fourth year running. Shoppers told us they loved M&S for its high quality own-label and fresh items, and the wide range of products available.

“While disruption continues, customers should remain on the lookout for scammers using the data breach as an opportunity to contact them impersonating M&S. Shoppers should treat any contact out of the blue with suspicion and be especially wary of anyone who asks them to verify account details or payment information.”