M&S breach fallout to last into July, £300m profit hit projected

British retailer Marks & Spencer has revealed that the recent breach, traced to hacking collective Scattered Spider, will disrupt its operations into July and cost the company an estimated £300 million in lost profits.

The breach, which was first detected over the Easter weekend, exploited the systems of one of M&S’s IT contractors, reportedly Tata Consultancy Services, using sophisticated social engineering techniques. Attackers gained access via compromised employee credentials, bypassing M&S’s internal systems.

“This wasn’t a failure of our own infrastructure,” said CEO Stuart Machin. “The attackers used heavily sophisticated techniques through a third-party contractor. Thankfully, we had rehearsed this exact scenario last year and were ready to respond.”

While M&S acted quickly to contain the breach, the attack forced the retailer to shut down its website and online distribution centre, halting orders across its non-food categories and disrupting some supply chains, including deliveries to online grocery partner Ocado.

Massive business disruption, but no strategic retreat

M&S estimates two-thirds of the £300 million impact comes from lost clothing and homeware sales. Still, the company hopes to halve the final cost through insurance claims, cost reductions, and operational efficiencies. Despite the disruption, M&S has ruled out job cuts or scaling back store investments.

In fact, the crisis is accelerating change. “We’re compressing two years of IT upgrades into six months,” Machin said. “If anything, the incident allows us to move faster and more decisively.”

The company expects its website to resume full operations across all categories before July. Personal data, including names, addresses, dates of birth, and order histories for thousands of customers, was compromised, though there’s no indication of payment data exposure. M&S has committed to transparency and swift communication with customers.

Just a small setback amid strong financial performance

Ironically, the attack struck just as M&S was enjoying a financial upswing. Underlying profits for the year to March 30 rose 22% to £876 million, beating expectations, on £13.9 billion in sales. Food led the way, up nearly 9% to £9 billion, while clothing and homeware grew by 3.5%.

Pre-tax profits fell 24% to £511.8 million after one-off costs, including a £248.5 million write-down on its Ocado joint venture and £84 million in store overhaul expenses.

Still, the business began the new financial year with sales ahead of budget in both food and clothing divisions, suggesting consumer confidence has not been significantly shaken.

“This is a one-off event,” Machin emphasized. “We’re financially strong, customer-focused, and determined to come out of this even stronger.”

The incident also coincides with similar cyberattacks on UK retailers Harrods and the Co-op, adding urgency to growing concerns around supply chain cybersecurity and third-party IT risk across the retail sector.