Marks & Spencer warned Wednesday that a recent cyberattack that caused widespread disruption to its operations will slash its annual profits by almost one-third.
The British retailer, best known for its food, clothing, and homeware products, said the cyberattack that hit over the Easter holiday would cost the business approximately £300 million ($403 million) in operating profit for the 2025/26 financial year.
“Our current estimate before mitigation is an impact on Group operating profit of around £300m for 2025/26,” the company said in a statement released alongside its annual results.
The financial blow is expected to wipe out 30.5% of M&S’s £984.5 million annual operating profit before adjusting items, as of March 29, 2025. Despite the setback, operating profits had risen 17% year-on-year before the attack.
The cyberattack left food shelves bare and halted online sales, sending shockwaves through the retail industry and erasing more than £1 billion from the company’s stock market value. Disruptions to its online platform are expected to continue into July.
Describing the incident as a “highly sophisticated and targeted cyber-attack,” M&S said the impact would be partly offset by insurance, cost control, and other trading actions. The company plans to present incident-related costs separately as an adjusting item.
CEO Stuart Machin said the attack, while disruptive, presents an opportunity to fast-track the company’s existing technology overhaul.
“We will use this window of disruption to accelerate our technology transformation plans; the plans we laid out a year ago. In fact, we will condense the two-year plan into just six months,” Machin said during Wednesday’s earnings presentation.
Machin declined to comment on whether a ransom had been paid, according to Reuters, but acknowledged that the incident stemmed from “human error,” without offering further details.
“We will now draw a line under this and move on to business as usual,” he said.
The incident is part of a broader trend of cyber threats plaguing the retail sector. In recent months, companies including the Co-op and Harrods have also been targeted. On Wednesday, JD Sports flagged a “significant cyber-attack” as a “severe but plausible” downside risk to its business outlook.
Lucy Rumbold, equity research analyst at Quilter Cheviot, said the M&S cyberattack had “overshadowed” what were otherwise strong annual results, although much of the financial impact appeared to be priced in.
“This cyber attack highlights just how damaging things like this can be,” Rumbold said via email. “We now have a clearer picture around the profit damage, however uncertainty on the duration of the attack remains, leaving the company vulnerable to further risks in the market.”
Despite the turmoil, shares of M&S were up 0.68% by 10:23 a.m. London time.
