M&S profits tumble after cyber attack

Marks & Spencer’s (M&S’) statutory pre-tax profits were virtually wiped out following the April 2025 cyber attack on its systems, plunging from £391.9m last year to just £3.4m in the six months to 27 September.

Total sales at M&S dropped in the first half as the retailer was forced to close its website, and its food halls struggled to keep stock topped up – M&S booked a significant increase in food markdown and wastage caused by manual stock allocation.

In its half-yearly financial report, the high street stalwart revealed it incurred costs of £101.6m from the incident, with £82.7m of that total arising from incident response and recovery, and £18.9m arising from third-party costs. The impact was partly mitigated by £100m of cyber insurance payments.

“The first half of this year was an extraordinary moment in time for M&S. However, the underlying strength of our business and robust financial foundations gave us the resilience to face into the challenge and deal with it. We are now getting back on track,” said chief executive Stuart Machin.

“Today, we are regaining momentum … We are determined to help our customers have a fantastic Christmas with exceptional service and what I truly believe is the best Christmas food and fashion in the market. Thank you to our colleagues for their hard work, our suppliers for their support and our customers for their loyalty. We are grateful to everyone who shops with us,” he said.

Joseph Rooke, director of risk insights at Recorded Future’s Insikt Group research unit, added: “The challenges faced by M&S reflect the pressure many businesses are under as cyber threats grow in scale and complexity. The incident also brings to light the significant financial fraud risks that can arise from a successful cyber attack.

“M&S is not the first, and almost certainly won’t be the last, to make the news after a serious cyber attack. This is a call for organisations of every sector, big and small, to double down on improving defences where possible. Organisations that have built intelligence-led cyber security programmes will be the best placed to anticipate and prevent attacks before they happen.”

Cyber insurance not necessarily a cure-all

Simon Phillips, engineering chief technology officer (CTO) at security platform provider CybaVerse, said M&S had been able to weather a storm that would have sent many smaller companies to the bottom.

However, he cautioned against over-reliance on cyber insurance. “It’s evidenced that having cyber insurance in place isn’t enough to cover all attack losses. M&S only recovered a very small proportion of its losses and other organisations should be aware of this,” he said. “As a result, when it comes to preparing for ransomware, the most important step is defence.”

The M&S cyber attack unfolded at the end of April alongside a parallel incident at Co-op Group – which has also sustained significant losses, although operationally it was less badly affected – and Harrods.

Four people – two 19-year-old men, a 17-year-old boy and a 20-year-old woman – were taken into custody by police in July in relation to these attacks.

All the attacks, and others including the ongoing incident at Jaguar Land Rover (JLR), have tentatively been linked to the same loosely affiliated hacking collective – now referred to by most security authorities as Scattered Lapsus$ Hunters.
