M&S income tumbles after cyber attack


Marks & Spencer’s (M&S’) statutory pre-tax income was all but wiped out following the April 2025 cyber attack on its systems, plunging from £391.9m last year to just £3.4m in the six months to 27 September.

Total sales at M&S dropped in the first half as the retailer was forced to shut its website, and its food halls struggled to keep stock topped up – M&S booked a large increase in food markdown and wastage caused by manual stock allocation.

In its half-yearly financial report, the high street stalwart revealed it incurred costs of £101.6m from the incident, with £82.7m of that total arising from incident response and recovery, and £18.9m arising from third-party costs. The impact was partly mitigated by £100m of cyber insurance payments.

“The first half of this year was an unprecedented moment in time for M&S. Nevertheless, the underlying strength of our business and strong financial foundations gave us the resilience to face into the challenge and cope with it. We are now getting back on track,” said chief executive Stuart Machin.

“Today, we’re regaining momentum … We’re determined to help our customers have a fantastic Christmas with exceptional service and what I really believe is the best Christmas food and fashion on the market. Thank you to our colleagues for their hard work, our suppliers for their support and our customers for their loyalty. We’re grateful to everyone who shops with us,” he said.

Joseph Rooke, director of risk insights at Recorded Future’s Insikt Group research unit, added: “The challenges faced by M&S reflect the pressure many businesses are under as cyber threats grow in scale and complexity. The incident also brings to light the significant financial fraud risks that can arise from a successful cyber attack.

“M&S is not the first, and almost certainly will not be the last, to make the news after a serious cyber attack. This is a call for organisations of every sector, big and small, to double down on improving defences where possible. Organisations that have built intelligence-led cyber security programmes will be the best positioned to anticipate and prevent attacks before they happen.”

Cyber insurance not necessarily a cure-all

Simon Phillips, engineering chief technology officer (CTO) at security platform provider CybaVerse, said M&S had been able to weather a storm that could have sent many smaller companies to the bottom.

Nevertheless, he cautioned against over-reliance on cyber insurance. “It’s evidenced that having cyber insurance in place isn’t enough to cover all attack losses. M&S only recovered a very small proportion of its losses and other organisations ought to concentrate on this,” he said. “Because of this, when it comes to preparing for ransomware, an important step is defence.”

The M&S cyber attack unfolded at the end of April alongside a parallel incident at Co-op Group – which has also sustained significant losses, although operationally it was less badly affected – and Harrods.

Four people – two 19-year-old men, a 17-year-old boy and a 20-year-old woman – were taken into custody by police in July in relation to these attacks.

All of the attacks, and others including the ongoing incident at Jaguar Land Rover (JLR), have tentatively been linked to the same loosely affiliated hacking collective – now referred to by most security authorities as Scattered Lapsus$ Hunters.