British retail giant Marks & Spencer (M&S) is grappling with the aftermath of a significant cyberattack that has resulted in an estimated £300 million ($402 million) reduction in operating profits for the fiscal year ending March 2026. The attack, which began over the Easter weekend, has severely disrupted M&S’s online operations, particularly affecting sales in clothing, home, and beauty products. The company anticipates that these disruptions will persist into July as efforts to restore systems continue.
The breach has been linked to the ransomware group Scattered Spider, known for targeting major corporations through sophisticated social engineering tactics. Investigations by the UK’s National Crime Agency and the FBI are ongoing. M&S has confirmed that personal customer data, including names, email addresses, and birth dates, were compromised via a third-party contractor.
In response to the attack, M&S has implemented manual processes in stores, leading to increased operational costs and reduced product availability. The company has not disclosed whether a ransom was paid and is focusing on system recovery and strengthening cybersecurity measures. Despite the setback, M&S reported a 22% rise in pre-tax adjusted profits to £875.5 million and a 6.1% increase in sales to nearly £14 billion for the previous year.
The incident has also impacted M&S’s market value, with shares dropping 11% since the breach, erasing over £1 billion in market capitalization. The company aims to mitigate some financial losses through insurance and cost controls but acknowledges the potential long-term effects on growth plans and executive compensation. M&S is accelerating its technology transformation strategy, with plans to complete system upgrades within six months.
This cyberattack underscores the growing threat of ransomware to the retail sector and highlights the importance of robust cybersecurity measures and third-party risk management.
