Britain’s retail giant Marks & Spencer revealed this week that the devastating cyber attack which crippled its operations over Easter weekend will cost the company approximately £300 million ($403 million) in lost operating profit this year. The attack, attributed to “human error,” continues to disrupt business operations nearly a month later.
Chief Executive Stuart Machin confirmed that hackers gained access to M&S systems through a third-party IT supplier after what he described as an unfortunate lapse. “We didn’t leave the door open, this had nothing to do with under-investment. Everyone is vulnerable. For us, we were unlucky on this particular day through some human error,” Machin stated.
The breach has severely impacted the retailer’s online capabilities, with digital sales still suspended across fashion, home, and beauty divisions. Financial analysts estimate the company is losing approximately £3.5 million daily in online sales alone.
£300M Impact, Data Breach Confirmed, Ransom Questions Linger
Food sections have also faced challenges with product availability, though M&S reports the situation is gradually improving as systems come back online. The total financial impact is expected to reach £300 million by the end of the financial year, making this one of the costliest cyber incidents in UK retail history.
Adding to customer concerns, M&S confirmed that some personal data was compromised during the attack, including names, email addresses, postal addresses, and dates of birth. The company has assured customers that payment details and passwords remained secure.

Questions persist about whether M&S paid a ransom to the attackers. When pressed on this point, Machin deflected, stating, “I cannot comment on whether a ransom was paid.”
This non-answer has fueled speculation, though cybersecurity experts note that companies often remain silent on ransom payments due to potential legal and security implications.
Cybersecurity insiders believe the attack bears hallmarks of the notorious Scattered Spider hacking group, known for targeting major corporations through sophisticated social engineering tactics.
Third-Party Vulnerabilities Expose Retailers to Cyber Threats
Reports suggest the initial breach may have involved compromised credentials from Tata Consultancy Services, which manages M&S’s IT helpdesk, though neither company has confirmed these details.
The M&S attack is part of a troubling trend affecting British retailers. Competitors Co-op and Harrods have also recently suffered cyber incidents, prompting urgent security reviews across the sector. Government officials have described the surge in attacks as a “wake-up call” for businesses nationwide.
Despite investing heavily in cyber defenses over the past two years—a fact Machin emphasized might have limited the damage—M&S now faces the challenge of rebuilding disrupted systems and restoring customer confidence. The company expects the disruption to persist until at least July, though some recovery measures are already underway.
“It has been challenging, but it is a moment in time, and we are now focused on recovery, with the aim of exiting this period a much stronger business,” Machin said. The retailer plans to offset some financial losses through cost management and insurance claims.
The incident highlights the growing vulnerability of retail supply chains to cyber threats. Even companies with substantial security investments remain at risk when third-party vendors create potential entry points for attackers.
As M&S works to return to normal operations, the retail sector is watching closely. The attack serves as a sobering reminder that in today’s interconnected business environment, cybersecurity is only as strong as the weakest link in the supply chain—and sometimes, that weak link is simply human error.