Source: go.theregister.com – Author: Connor Jones
Marks & Spencer says the disruption related to its ongoing cyberattack is likely to knock around £300 million ($402 million) off its operating profits for the next financial year (2025/26).
The beleaguered high street retailer made the admission in its fiscal 2025 profit and loss accounts for the year ended March 29, published on Wednesday, following reports that it could be gearing up to make a maximum claim on its cyber insurance policy to the tune of £100 million ($134 million).
The £300 million figure will be reduced through cost mitigations, insurance, and trading actions, M&S said, and it’s expected that the total costs related to the attack itself and technical recovery will be communicated at a later date as an adjustment item.
CEO Stuart Machin said in the results release: “Over the last few weeks, we have been managing a highly sophisticated and targeted cyberattack, which has led to a limited period of disruption. We have tackled this head-on with incredible spirit, teamwork, and a deep sense of responsibility as we prioritised serving our customers.
“It has been challenging, but it is a moment in time, and we are now focused on recovery, with the aim of exiting this period a much stronger business. There is no change to our strategy and our longer-term plans to reshape M&S for growth and, if anything, the incident allows us to accelerate the pace of change as we draw a line and move on.”
The retailer said it wanted to make the most of “the opportunity” provided by the attack to accelerate a technical transformation, without detailing exactly what that transformation entailed.
“We are focused on recovery, restoring our systems, operations, and customer proposition over the rest of the first half, with the aim of exiting this period a much stronger business,” it added.
Various divisions suffered an overall decline in operating profits. M&S said that early on in the attack, which has been ongoing for about a month now, some franchise stores, such as those inside train stations, were experiencing shortages of certain foods, such as “meal deal” sandwiches.
This reduced availability has affected food sales, and M&S also incurred additional waste and logistics costs owing to the shift toward manual processes.
M&S briefly managed to keep online and app sales running post-breach, but these were eventually taken offline along with other systems, and the company said online sales and trading profit were “heavily impacted” as a result.
Online sales in its fashion, home, and beauty divisions remain unavailable and are not expected to return until July, M&S revealed today.
“Overall, our strategy remains the same and there is no change to our longer-term plans to reshape M&S for growth. We are confident that we will enter the second half with a strong customer proposition, returning to the performance we were delivering immediately prior to the incident and throughout 2024/25, which is outlined in the following sections.”
After posting its results this morning, M&S’s share price was down 3 percent at the time of writing, and about 12 percent down since the start of the attack, representing a more than £1 billion ($1.3 billion) loss to its market valuation.
However, there are green shoots for the retailer, whose pre-tax and pre-adjusted profits were up 22.2 percent on the previous year at £875.5 million ($1.17 billion), which is the company’s best performance in more than 15 years.
Overall, sales also grew 6.1 percent to £13.9 billion ($18.6 billion), and M&S reaffirmed its commitment to reduce its costs by £500 million ($670 million) in time for the 2027/28 financial year.
“Over the last 140 years, M&S has overcome many challenges – testament to the longevity of this brand,” said Machin. “This incident is a bump in the road, and we will come out of this in better shape, and continue our plan to reshape M&S for customers, colleagues, and shareholders.
“I would like to thank all of our colleagues and supplier partners for their hard work and dedication and, importantly, thank our customers. They have been unwavering in their support, and we are incredibly grateful for their patience and trust in M&S.”
M&S disclosed the attack on April 22, and responsibility was soon ascribed to the English-speaking group known as Scattered Spider, who reportedly used DragonForce ransomware to infect the retailer’s systems.
Nothing is officially confirmed on this front, although DragonForce took credit for the attack when speaking to the BBC.
DragonForce said it was also involved in the attacks on Co-op and Harrods, but none of the companies have yet appeared on its leak site, which is unexpected for intrusions that took place nearly a month ago.
M&S confirmed last week that those responsible stole customer data including names, dates of birth, telephone numbers, home addresses, household information, email addresses, and online order histories.
It told the London Stock Exchange that the data did not include full payment card numbers or account credentials. ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/05/21/ms_cyberattack_disruption/