The cyber attack that cost M&S £131 million and a quarter of its profits
Key Points
- Marks & Spencer's April 2025 cyber attack cost £131.3 million in direct response costs, partly offset by £100.0 million in insurance proceeds.
- Group adjusted profit before tax fell 23.8% to £671.4 million for the year ended 28 March 2026.
- Hackers from the Scattered Spider collective deployed DragonForce ransomware after social-engineering a third-party IT service desk into resetting an employee password.
- Online clothing and home orders were suspended for 46 days, and online sales fell 18.4% over the full year.
- Group second-half profit returned to growth, rising 4.1% on the prior year.
Marks & Spencer’s April 2025 cyber attack cost the retailer £131.3 million in direct costs and contributed to a 23.8% drop in group profits, the company reported on Wednesday (20 May 2026).
Insurance proceeds of £100.0 million offset most of the direct hit, but the wider trading disruption pulled group adjusted profit before tax down to £671.4 million for the year ended 28 March 2026. Statutory profit before tax fell 28.8% to £364.6 million.
Of the £131.3 million in incident costs, £109.3 million covered immediate systems response and recovery, with the remainder going to third-party legal and professional services.
DragonForce ransomware operators carried out the attack, working with hackers from the Scattered Spider collective, M&S Chairman Archie Norman told the House of Commons Business and Trade Committee in July 2025.
Attackers gained access on 17 April 2025 through what Norman described as “sophisticated impersonation” of an M&S employee, tricking a third-party IT service desk into resetting the worker’s password. Reporting by the Financial Times subsequently linked the compromised service desk to Tata Consultancy Services, which provides help desk support under a longstanding technology contract with M&S.
Once inside the network, the attackers exfiltrated the Active Directory database, cracked employee password hashes offline, and on 24 April 2025 deployed the DragonForce encryptor against M&S’s VMware ESXi hosts, locking the virtual machines that ran e-commerce, payment processing and logistics applications.
The retailer suspended online clothing and home orders on 25 April 2025 and did not resume them for 46 days. Contactless payments, click-and-collect and gift card services went down across stores, with staff in some locations reverting to paper-based stock tracking.
M&S confirmed in May 2025 that attackers had exfiltrated customer data including names, addresses, phone numbers, dates of birth, household information and order histories, though it said payment details and account passwords were not compromised.
The National Crime Agency arrested four individuals aged between 17 and 20 in July 2025 in connection with the attacks on M&S, Co-op and Harrods.
Fashion, home and beauty took the heaviest trading blow. Adjusted operating profit in the division fell 55.4% to £213.4 million as online sales dropped 18.4% over the full year, reflecting the order pause and the clearance of excess seasonal stock that followed.
Operating margin in the division more than halved to 5.5%, down from 11.3% the previous year. Online sales returned to growth in the second half, rising 6.1% in the fourth quarter.
Food proved more resilient, with sales up 7% to £9.72 billion and UK volume growth of 3.3% in a broadly flat market.
Adjusted food operating profit slipped 9.6% to £444.5 million on first-half markdown and waste before recovering through the second half. International sales fell 7.2% to £543.3 million, though adjusted operating profit in the division rose 8.9% to £39.1 million on cost management and franchise reset work.
Group second-half profit overall was 4.1% ahead of the prior year. The Board declared a final dividend of 3.0p per share, bringing the full-year payout to 4.2p, a 16.7% increase on last year.
Net funds excluding lease liabilities stood at £338.2 million at year end, supporting continued investment through the disruption.
M&S said it continues to cooperate with investigations by the Information Commissioner’s Office and other regulators into the incident.
“A resilient balance sheet supported by the hard work done on our cash position in recent years allowed us to absorb the cost of disruption without compromising our financial health,” said Stuart Machin, Chief Executive at Marks & Spencer.