Marks & Spencer outlines £300 million hit to profit and reveals plan to bring forward infrastructure upgrade

Dan Coatsworth

The £300 million expected impact of Marks & Spencer’s cyber-attack on profits shows the severity of the situation. It suggests hackers have caused considerable damage to the company from a financial and reputational perspective.

Marks & Spencer has lost a significant number of sales after temporarily halting online orders. Disruption to supplies meant gaps on the shelves and more lost sales in-store. It has also incurred extra waste and logistics costs, all having a negative impact on profit.

The fact online operations might not be back to full power until later in the summer means the company still cannot achieve full earnings potential for some time to come. Marks & Spencer will be able to lower the total hit to profit once it claims on insurance, among other factors, but the cyber-attack has still knocked the business for six.

There’s still a big unknown regarding any potential fines on Marks & Spencer from the Information Commissioner’s Office (ICO), which enforces data protection regulation.

There are plenty of examples of companies that have been fined by the ICO for not taking appropriate steps to prevent data breaches. The maximum fine by the ICO is £17.5 million or 4% of global annual turnover, whichever is higher. Marks & Spencer has just reported £13.8 billion revenue, so 4% of that figure is £552 million.

That’s in a worst-case scenario, and any fine would account for many different factors. We’re unlikely to find out in the near term if there will be a fine as there will be investigations galore into exactly what’s happened and into the retailer’s overall data protection capabilities.

Examples of high profile cyber-attacks
| Company | Year | Impact | Financial impact |
|---|---|---|---|
| Marks & Spencer | 2025 | Online orders halted for 3+ weeks | £300m hit to profit |
| WH Smith | 2023 | Hackers accessed staff data | n/a |
| JD Sports | 2018-2020 | 10m customers exposed by cyber-attack | n/a |
| British Airways | 2018 | Hackers diverted traffic to a fake website, accessing personal data | £20m fine |
| Currys (Dixons Carphone) | 2017/2018 | At least 14m customers affected by cyber-attack | £500,000 fine |
| Tesco Bank | 2016 | Hackers stole customer card details | £16.4m fine |
Source: AJ Bell, company announcements, various news sources

British Airways faced a £183 million fine in 2019 following a data breach but only ended up paying out £20 million after investigators accounted for the airline’s financial stress during the pandemic. Tesco Bank was fined £16.4 million by the FCA for failing to exercise due skill, care and diligence in protecting customers against a cyber-attack in 2016.

What happens next for Marks & Spencer?

Now comes the hard part of trying to win back customers’ trust. That means banging the drum to convince shoppers their personal information is safe if they shop with Marks & Spencer. The retailer must also ensure its physical and online stores operate without disruption and have a wide range of products in stock.

Shoppers may eventually forget about the cyber-attack, but Marks & Spencer can take no chances in the near term. It needs to be on the ball, get customers back on side, and ensure its systems are as secure as Fort Knox.

What else is happening with M&S?

The cyber-attack has prompted Marks & Spencer to bring forward investment in upgrading its infrastructure, which implies greater spending in the near term. This action has clearly moved up the agenda from ‘nice to have’ to ‘must have’.

Former Boohoo boss John Lyttle has been drafted in to improve the efficiency of Marks & Spencer’s clothing arm. The products are already chiming with the public, so the next task is to make the behind-the-scenes operations run as smoothly as possible. That means more automation, new systems and strengthening the supply base.

It’s notable that Marks & Spencer continues to express disappointment over its joint venture with Ocado. Business has been picking up in terms of active customer growth and sales, but this isn’t translating into the type of profits that Marks & Spencer clearly wants.

Despite a somewhat chaotic backdrop and more demands on cash in the business, the company’s decision to raise dividends by 20% shows it is confident about the outlook. The overall tone of the results is one of a business determined to show the hackers it has the strength and skills to fight back.

Marks & Spencer has been through multiple challenges in its long history, and each time it has overcome them and emerged triumphant. Chief executive Stuart Machin will be hoping that people say the same thing in a year’s time. He just needs to stabilise the ship in the interim and get back on top.

These articles are for information purposes only and are not a personal recommendation or advice.

Written by:
Dan Coatsworth
Editor-in-Chief and Investment Analyst

Dan Coatsworth is AJ Bell's Editor in Chief. Dan has been with the company since December 2012 and has more than 18 years' experience in the industry, following the markets and all things investing. He has a degree in Corporate Communications from Southampton Solent University.
