British retailer Marks & Spencer announced Wednesday that a recent cyberattack, which caused empty food shelves and halted online sales, is expected to cut nearly one-third of its annual profits.
The company said the attack last month would reduce operating profit by around £300 million ($403 million) this year. This accounts for 30.5% of the £984.5 million annual operating profit reported before adjusting items as of March 29, 2025—a figure that had otherwise grown 17% year-on-year.
M&S added that the financial hit would be partially offset by cost management, insurance, and other trading measures. Costs related to the incident will be disclosed separately as an adjusting item.
Ongoing Disruptions and Stock Market Impact
The cyberattack, which occurred over the Easter holiday, has wiped over £1 billion from M&S’ market value and continues to disrupt online retail operations, with issues expected to last into July.
CEO Stuart Machin described the attack as a “highly sophisticated and targeted” incident that led to a “limited period of disruption,” but also presented an opportunity to accelerate the company’s technology transformation plans.
Machin revealed that M&S would condense its two-year tech transformation plan into six months to recover and improve resilience following the attack.
The incident also sent shockwaves across the retail sector, with other companies like the Co-op and Harrods recently experiencing cyberattacks.
Machin declined to comment on whether a ransom was paid and attributed the attack to “human error” without further elaboration.
“We will now draw a line under this and move on to business as usual,” he stated.
Market Response and Analyst View
Lucy Rumbold, equity analyst at Quilter Cheviot, said the attack had “overshadowed” an otherwise solid annual performance for M&S, although much of the impact had been priced in.
M&S shares rose 0.68% by late morning in London.
Rumbold cautioned that while there is now a clearer understanding of the profit damage, uncertainties about the attack’s duration remain, leaving the company vulnerable to further risk.
Businesses continue to highlight cyber threats as a key operational risk. JD Sports also recently warned of a “significant cyber-attack” that stalled store sales as a plausible downside scenario.
What The Author Thinks
The M&S cyberattack shows how vulnerable even established retailers are to digital threats that can swiftly erode profits and disrupt customer trust. As commerce becomes increasingly online and interconnected, investing in cybersecurity isn’t optional—it’s essential. Companies must treat digital defenses with the same urgency as product innovation or face potentially devastating consequences. This incident should serve as a wake-up call across the sector to strengthen protections and prepare contingency plans for future attacks.
Featured image credit: Wikipedia Commons
For more stories like it, click the +Follow button at the top of this page to follow us.