M&S blames ‘human error’ for cyber attack that will hit profit by GBP 300mn

News | May 2025 | Financial Times

What: M&S attributes GBP 300 million profit impact to human error in third-party supplier breach, forcing three-week suspension of online operations and disrupting store supplies.

Why it is important: The incident exposes the growing vulnerability of retail supply chains to cyber threats, demonstrating how human factors in third-party relationships can lead to catastrophic financial and operational consequences.

Marks and Spencer expects a GBP 300 million hit to operating profits following a cyber attack attributed to human error at a third-party supplier. The breach, executed through social engineering tactics, has severely disrupted operations, forcing the retailer to suspend its online clothing business for over three weeks and impacting food store stock levels. While M&S plans to mitigate the profit impact through cost management, insurance, and other trading actions, the attack has already wiped almost GBP 750 million off its market capitalisation. CEO Stuart Machin emphasises that the incident resulted from sophisticated targeting rather than underinvestment in IT systems or cyber defences. The company's response includes accelerating planned technology system upgrades and maintaining transparent communication about the theft of customer data. Despite these challenges, M&S remains committed to its transformation plans, viewing the incident as a "bump in the road" rather than a strategic setback.

IADS Notes: The M&S cyber attack represents a critical escalation in retail cybersecurity challenges, with its GBP 300 million profit impact highlighting unprecedented financial exposure in the sector. This incident follows a concerning pattern, as evidenced by Dior's data breach in May 2025 and Harrods' system compromise, demonstrating the retail industry's growing vulnerability to sophisticated cyber threats. The attack's origin through social engineering of a third-party supplier aligns with industry data showing 41% of breaches now occurring through external providers. The financial implications extend beyond immediate losses, with cyber insurance premiums across the UK retail sector rising by 10%, marking a significant shift from previous declining trends. This series of attacks has transformed the industry's approach to cybersecurity, as shown by April 2025 data revealing ransomware now accounts for 30% of retail security incidents, with average losses reaching GBP 1.4 million per attack.

