M&S Faces £300m Profit Loss After Devastating Cyber Attack – Could It Have Been Worse?

Marks & Spencer (M&S) narrowly avoided catastrophic damage from a recent cyberattack that its chairman, Archie Norman, described as “traumatic.” The retail giant is now bracing for a staggering £300 million hit to its annual profits following the breach, which exposed sensitive customer data, including names and addresses.

A Close Call for M&S

Norman revealed to MPs that the timing of the attack—over the Easter holiday—was both fortunate and alarming. Had it occurred in 2017, when he first joined as chairman, the consequences could have been far worse. At the time, M&S was struggling with outdated systems and declining performance.

“If this had happened then, I think we would have been kippered,” Norman told the Business and Trade Select Committee. The hackers, believed to be linked to the notorious Scattered Spider and Dragon Force cybercrime groups, aimed to disrupt M&S’s operations, potentially for ransom or extortion.

The Aftermath of the Attack

The breach forced M&S to temporarily suspend online orders on April 25, causing significant disruptions. While customer-facing operations are expected to normalize by the end of the month, internal recovery could take months.

Norman described the incident as an “out-of-body experience” and emphasized the psychological toll on the company. The attack came just as M&S was enjoying a successful turnaround, shedding its outdated image and posting stronger profits.

Cybercriminals Boasted About the Hack

The attackers, whom Norman suggested may be “former computer gamers,” reportedly bragged to media outlets about their exploit. “It’s an unusual experience to be brushing your teeth in the morning when someone on the BBC shares a message from the people attacking your business,” he remarked.

The National Crime Agency (NCA) is investigating the breach, but Norman stressed the need for better reporting of cyber incidents. He argued that large companies should be required to disclose attacks to the National Cyber Security Centre (NCSC) to improve collective defenses.

A Growing Threat to UK Businesses

M&S is not alone—Harrods and the Co-op also reported cyberattacks around the same time. Norman warned that many major breaches go unreported, leaving other businesses vulnerable. “There’s a big deficit in knowledge that could help companies protect themselves,” he said.

For more insights on cybersecurity threats and how businesses can defend themselves, visit TechRadar’s guide on ransomware protection or BBC’s coverage on recent cyberattacks.

Market Reaction

Investors reacted cautiously, with M&S shares dropping 1% (3.3p) to 335.9p following the news. As cyber threats grow, businesses must prioritize digital security—or risk becoming the next victim.

This incident serves as a stark reminder of the dangers posed by cybercriminals. For further reading on corporate cybersecurity strategies, check out The Guardian’s business section.