Cyberattack to cost Marks & Spencer £300m as recovery stretches into July


by Finance News Network

Retailer’s online operations still down weeks after ‘sophisticated’ hack; CEO blames human error via third party

 

Marks & Spencer has warned it expects a £300m hit to annual profits following a damaging cyberattack that forced the retailer to suspend online orders and switch to manual processes across parts of its business.

 

The company said the attack—described as “highly sophisticated and targeted”—struck over the Easter weekend and exploited access through a third-party contractor. M&S confirmed that the breach occurred via social engineering techniques, a form of manipulation that tricks individuals into revealing confidential information. CEO Stuart Machin attributed the breach to “human error” but insisted it was not due to underinvestment in IT systems.

 

The financial impact, representing roughly 30.5% of the company’s £984.5m operating profit for the year ended 30 March, comes despite a 22% rise in adjusted pre-tax profit and solid sales growth across food and general merchandise. M&S reported full-year revenues up 6% to £13.9bn, with food sales climbing nearly 9% to £9bn and clothing, home and beauty growing 3.5% to £4.2bn.

 

While M&S says it hopes to restore 85% of its online offering “quite quickly,” it acknowledged that online disruption would likely persist into July. The attack halted all web orders and affected in-store availability, with some food shelves running bare and contactless payments temporarily impacted.

 

The retailer admitted that personal customer data—including names, contact details, and order histories—was stolen, though no payment or password information was compromised. The cybercriminal group known as Scattered Spider is believed to be responsible, according to BBC reports, with police confirming an active investigation.

 

The company said it intends to halve the £300m profit hit through insurance, cost management, and trading actions. It is also accelerating a technology overhaul initially planned over two years, now condensed into six months. The pause in operations is being used to integrate new systems more efficiently, Machin said.

 

“This incident is a bump in the road,” Machin told investors. “If anything, it allows us to accelerate the pace of change. We will come out of this in better shape and continue our plan to reshape M&S.”

 

M&S confirmed that it plans no job cuts and no reductions to its store refurbishment programme. The company still intends to grow its store footprint to 600 locations by 2028, up from 565 today.

 

The attack has already wiped over £1bn from M&S’s market capitalisation. Though shares rose slightly on Wednesday following the earnings release, analysts cautioned that the company remains vulnerable until full online operations resume.

 

Retail analyst Lucy Rumbold of Quilter Cheviot said the incident had “overshadowed otherwise solid results” and highlighted the growing threat of cyberattacks to the retail sector. “It’s going to be a long slog to rebuild confidence—but M&S is in the financial health to do it,” she said.

 

The incident has also affected suppliers. Sandwich supplier Greencore reported reverting to pen-and-paper orders and increasing deliveries by 20% to maintain food availability. Beauty brand Nails Inc and M&S’s online grocery partner Ocado have also experienced knock-on disruptions.

 

The attack follows similar incidents at the Co-op and Harrods and underscores growing concern in the industry over ransomware and third-party IT vulnerabilities. The National Cyber Security Centre has warned of a rising trend in hackers impersonating IT help desks to gain system access.

 

Stuart Machin confirmed the company had rehearsed a cyberattack scenario last year, which helped it respond swiftly. “We were ready. We knew who to call, and we knew how to act,” he said.

 

M&S has not confirmed whether a ransom was paid. Cybersecurity experts note that if compromised data is never released publicly, it often suggests a payment was made—though companies rarely disclose such transactions.

 

M&S continues to urge customers to remain cautious of scam communications and says it will prompt users to reset passwords as a precaution. Meanwhile, it has temporarily suspended online job applications and continues to restore full services.

 

Online sales account for about a third of M&S’s clothing and home business, generating an average of £3.8m daily. Retail analysts warn that, amid warmer weather and strong seasonal demand, some of that spending may have shifted to competitors.

 

Despite the disruption, Machin remains optimistic: “There is no change to our strategy. This is a moment in time, and we’re using it to emerge stronger.”

