What: M&S suffered a £136mn profit hit after a cyber attack forced a seven-week suspension of online sales and disrupted its digital operations.

Why it is important: This incident demonstrates how cyber attacks can cause severe financial and reputational damage, echoing recent patterns of escalating risk and operational disruption in retail.

Marks & Spencer’s recent cyber attack has exposed the acute vulnerabilities and far-reaching consequences of digital threats in the retail sector. The breach, which forced the suspension of online sales for seven weeks, resulted in a £136mn profit hit and nearly £700mn wiped from the retailer’s market value. The disruption to daily digital sales and click-and-collect services not only impacted revenue but also led to a 7% drop in share price and a marked decline in customer recommendation rates, falling from 87% to 73%. The incident, traced to human error at a third-party supplier, highlights the risks associated with complex supply chains and the increasing frequency of breaches originating from external partners. M&S’s phased recovery, including the restoration of third-party brands to its website, reflects the broader sector’s shift toward accelerated technological transformation and resilience. With average losses from cyber attacks now reaching £1.4mn per incident and 41% of breaches linked to third-party providers, the retail industry faces mounting pressure to invest in robust cybersecurity and rapid response strategies to safeguard operations, reputation, and customer trust.

IADS Notes: In April 2025, M&S’s cyber crisis resulted in a suspension of online operations, a £700mn market value loss, and a 7% share price drop (Financial Times). By May 2025, customer recommendation rates had fallen sharply, highlighting reputational risks (Retail Week). The profit impact, attributed to a third-party supplier breach, reached £300mn (Financial Times, May 2025). Recovery efforts in June 2025 included restoring third-party brands, underscoring the need for technological transformation (Retail Week). By August 2025, the sector’s vulnerability to cybercrime was further emphasized, with 41% of breaches linked to third-party providers and average losses of £1.4mn per attack (Retail Week).

M&S takes £136mn profit hit from cyber attack