Sergey Nivens - stock.adobe.com

News

M&S profits tumble after cyber attack

M&S profits fall by over 90% in the wake of the spring 2025 cyber attack that crippled the retailer’s systems for weeks

Alex Scroxton
By
Published: 05 Nov 2025 16:12

Marks & Spencer’s (M&S’) statutory pre-tax profits were virtually wiped out following the April 2025 cyber attack on its systems, plunging from £391.9m last year to just £3.4m in the six months to 27 September.

Total sales at M&S dropped in the first half as the retailer was forced to close its website, and its food halls struggled to keep stock topped up – M&S booked a significant increase in food markdown and wastage caused by manual stock allocation.

In its half-yearly financial report, the high street stalwart revealed it incurred costs of £101.6m from the incident, with £82.7m of that total arising from incident response and recovery, and £18.9m arising from third-party costs. The impact was partly mitigated by £100m of cyber insurance payments.

“The first half of this year was an extraordinary moment in time for M&S. However, the underlying strength of our business and robust financial foundations gave us the resilience to face into the challenge and deal with it. We are now getting back on track,” said chief executive Stuart Machin.

“Today, we are regaining momentum … We are determined to help our customers have a fantastic Christmas with exceptional service and what I truly believe is the best Christmas food and fashion in the market. Thank you to our colleagues for their hard work, our suppliers for their support and our customers for their loyalty. We are grateful to everyone who shops with us,” he said.

Joseph Rooke, director of risk insights at Recorded Future’s Insikt Group research unit, added: “The challenges faced by M&S reflect the pressure many businesses are under as cyber threats grow in scale and complexity. The incident also brights to light the significant financial fraud risks that can arise from a successful cyber attack.

“M&S is not the first, and almost certainly won't be the last, to make the news after a serious cyber attack. This is a call for organisations of every sector, big and small, to double down on improving defences where possible. Organisations that have built intelligence-led cyber security programmes will be the best placed to anticipate and prevent attacks before they happen.”

Cyber insurance not necessarily a cure-all

Simon Phillips, engineering chief technology officer (CTO) at security platform provider CybaVerse said M&S had been able to weather a storm that would have sent many smaller companies to the bottom.

However, he cautioned against over-reliance on cyber insurance. “It’s evidenced that having cyber insurance in place isn’t enough to cover all attack losses. M&S only recovered a very small proportion of its losses and other organisations should be aware of this,” he said. “As a result, when it comes to preparing for ransomware, the most important step is defence.”

The M&S cyber attack unfolded at the end of April alongside a parallel incident at Co-op Group – which has also sustained significant losses, although operationally it was less badly affected – and Harrods.

Four people – two 19-year-old men, a 17-year-old boy and a 20-year-old woman – were taken into custody by police in July in relation to these attacks.

All the attacks, and others including the ongoing incident at Jaguar Land Rover (JLR), have tentatively been linked to the same loosely affiliated hacking collective – now referred to by most security authorities as Scattered Lapsus$ Hunters.

Read more on this topic

  • 22 April 2025: A cyber attack at M&S has caused significant disruption to customers, leaving them unable to make contactless payments or use click-and-collect services.
  • 24 April: M&S is still unable to provide contactless payment or click-and-collect services amid a cyber attack that it says has forced it to move a number of processes offline to safeguard its customers, staff and business.
  • 25 April: M&S shuts down online sales as it works to contain and mitigate a severe cyber attack on its systems.
  • 29 April: An infamous hacking collective may have been behind the ongoing cyber attack on M&S that has crippled systems at the retailer and left its ecommerce operation in disarray.
  • 30 April: A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack.
  • 1 May: Co-op tells staff to stop using their VPNs and be wary that their communications channels may be being monitored, as a cyber attack on the organisation continues to develop.
  • 1 May: Harrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact.
  • 2 May: The National Cyber Security Centre confirms it is providing assistance to M&S, Co-op and Harrods as concerns grow among UK retailers.
  • 7 May: No end is yet in sight for UK retailers subjected to apparent ransomware attacks.
  • 13 May: M&S is instructing all of its customers to change their account passwords after a significant amount of data was stolen in a DragonForce ransomware attack.
  • 14 May: Google’s threat intel analysts are aware of a number of in-progress cyber attacks against US retailers linked to the same gang that supposedly attacked M&S and Co-op in the UK.
  • 20 May: Cold chain services provider Peter Green Chilled, which supplies the likes of Aldi, Sainsbury’s and Tesco, has been forced to halt operations after succumbing to a ransomware attack.
  • 4 June: A threat group is using voice phishing to trick targeted organisations into sharing sensitive credentials, according to Google.
  • 11 June: So-called Black Swan events expose the blind spots in even the most sophisticated forecasting models, signalling a need to rethink how businesses, and those investing in them, quantify and prepare for cyber risk.
  • 13 June: The recent spate of cyber attacks on UK retailers has to be a wake-up call to build more cyber resilience into digital supply chains and fortify against social engineering attacks.
  • 17 June: Following a series of high-profile attacks on prominent retailers and consumer brands, a group of criminal hackers appears to be expanding their targeting to the insurance sector.
  • 20 June: The UK’s Cyber Monitoring Centre has published its first in-depth assessment of a major incident, reflecting on the impact of and lessons learned from cyber attacks on M&S and Co-op.
  • 26 June: US authorities have unsealed charges against 25-year-old hacker Kai West, aka IntelBroker, accusing him of being behind multiple cyber attacks.
  • 27 June: Multiple reports are emerging of cyber attacks on airlines – Google Cloud’s Mandiant believes them to be linked.
  • 2 July: Australian flag carrier Qantas is investigating significant data theft of personal information for up to six million customers after a third-party platform used by its call centre was compromised.
  • 2 July: A developing cyber attack at Australian airline Qantas that started at a third-party call centre is already being tentatively attributed to the same gang that hit UK retailers. Find out more and learn about the next steps for those affected.
  • 8 July: The government should extend ransomware reporting mandates to businesses to help gather more intelligence and better support victims, says M&S chairman Archie Norman.
  • 9 July: Qantas begins notifying millions of individuals after a cyber attack on a call centre, confirming that while financial and passport details are safe, a significant volume of other personal information was compromised.
  • 10 July: Police have made four arrests in connection with a trio of cyber attacks on UK retailers Marks & Spencer, Co-op and Harrods.
  • 14 July: French luxury goods retailer LVMH has disclosed multiple cyber attacks in 2025 so far, and their impact is now spreading to the UK as a new incident affecting Louis Vuitton comes to light.
  • 16 July: Microsoft warns users over notable evolutions in Scattered Spider’s attack playbook, and beefs up some of the defensive capabilities it offers to customers in response.
  • 16 July: Co-op chief executive Shirine Khoury-Haq has revealed that all the personal data of all 6.5 million of its members was compromised in the April 2025 cyber attack on its systems.
  • 24 July: Cleaning products manufacturer Clorox fell victim to a Scattered Spider social engineering attack two years ago – it blames its IT helpdesk provider, Cognizant.
  • 30 July: CISA, the FBI, NCSC and others have clubbed together to update previous guidance on Scattered Spider’s playbook, warning of new social engineering tactics and exploitation of legitimate tools, among other things.
  • 7 August: Air France - KLM alerts authorities of a data breach in which threat actors were able to get away with names, email addresses, phone numbers, and more. (Dark Reading)
  • 7 August: ShinyHunters is back, with low-tech hacks that nonetheless manage to bring down international megaliths like Google, Cisco, and Adidas. (Dark Reading)
  • 11 August: Computer Weekly gets under the skin of an ongoing wave of ShinyHunters cyber attacks orchestrated via social engineering against Salesforce users.
  • 12 August: ReliaQuest researchers present new evidence that firms up a potential link, or outright partnership, between the ShinyHunters and Scattered Spider cyber gangs.
  • 18 August: A campaign of voice-based social engineering attacks targeting users of Salesforce’s services appears to have struck HR platform Workday.
  • 19 August: Millions of people are supposedly affected by a breach at Allianz Insurance arising via attacks on Salesforce (Dark Reading).
  • 2 September: Jaguar Land Rover reports a cyber attack has ‘severely disrupted’ its vehicle production and retail operations, recalling similar attacks on other prominent British brands this year.
  • 5 September: The recent cyber attack on Jaguar Land Rover is keeping workers out of plants as possible attack group identity becomes public.
  • 9 September: Qantas executives are to take a pay cut in the wake of the recent cyber attack on the airline’s systems (Dark Reading).
  • 10 September: Carmaker Jaguar Land Rover revealed that data was stolen in the cyber attack that began on 31 August, as its production line continues to be affected.
  • 12 September: M&S chief digital and technology officer Rachel Higham steps back from her role in the wake of the April 2025 cyber attack on the retailer’s systems.
  • 15 September: Kering, the parent group of fashion houses including Balenciaga and Gucci, becomes the latest organisation to allegedly fall victim to ShinyHunters.
  • 16 September: Jaguar Land Rover says that vehicle production will remain suspended in the wake of a cyber attack, while the hackers allegedly responsible claim they are retiring from a life of crime.
  • 17 September: Scattered Spider’s alliances with ransomware-as-a-service gangs act as a force multiplier for the scope, and number, of its cyber attacks, according to NCC Group analysts.
  • 18 September: Two men have appeared in court in London in connection with the September 2024 cyber attack that disrupted online services at Transport for London.
  • 19 September: Government officials have met with the Society of Motor Manufacturers and Traders to discuss the challenges they are facing amid disrupted production at Jaguar Land Rover.
  • 22 September: Another arrest of a teenage hacker associated with the Scattered Spider gang has been made, this time in relation to two 2023 cyber attacks on Las Vegas casinos and resorts.
  • 23 September: Jaguar Land Rover is extending its production shutdown caused by the 31 August cyber attack into next month, as government ministers drop by and supply chain workers lose wages.
  • 25 September: Co-op reveals £206m costs from April cyber attack, with revenues hit, member data stolen and shelves emptied, exposing major retail supply chain vulnerabilities.
  • 29 September: Jaguar Land Rover is to resume car production after a £1.5bn government loan guarantee amid its cyber attack fallout. Debate is growing over the bailout and insurance.
  • 30 September: The government’s cross-bench Business and Trade Committee has written to Tata Consultancy Services seeking answers over possible links to cyber attacks on Jaguar Land Rover, Marks and Spencer, and Co-op.
  • 22 October: The UK’s Cyber Monitoring Centre calculates the overall cost of the Jaguar Land Rover cyber attack will be almost two billion pounds.

Read more on Data breach incident management and recovery