M&S warns of £300m profit hit following cyber attack

Marks and Spencer has reported its highest profits in over 15 years, with pre-tax profits up by 22.2% to £875.5m in its full-year results, but has warned it faces a £300m hit to next year’s profits amid ongoing disruption from a major cyber attack.

In the year ended 29 March 2025, which marked a third consecutive year of growth, Food sales rose by 8.7% to £9bn, while Fashion, Home and Beauty sales rose by 3.5% to £4.2bn.

However, following the ongoing effects of the cyber attack last month, the retailer said that it expects a hit of around £300m on 2025/26 operating profit, before cost mitigation, insurance and trading actions.

It added that it expects online disruption to continue throughout June and into July, which will also mean increased stock management costs in the second quarter.

Since the incident, Food sales have been impacted by reduced availability, while the group has also incurred additional waste and logistics costs due to the need to operate manual processes, impacting profit in the first quarter.

In Fashion, Home and Beauty, online sales and trading profit have been “heavily impacted” after the group paused online shopping, however stores have remained “resilient”, the retailer said. 

CEO Stuart Machin said: “We started the new financial year as we finished the last, with sales growth ahead of budget across both businesses. Over the last few weeks, we have been managing a highly sophisticated and targeted cyber-attack, which has led to a limited period of disruption. We have tackled this head on with incredible spirit, teamwork and deep sense of responsibility as we prioritised serving our customers.

“It has been challenging, but it is a moment in time, and we are now focused on recovery, with the aim of exiting this period a much stronger business. There is no change to our strategy and our longer-term plans to reshape M&S for growth and, if anything, the incident allows us to accelerate the pace of change as we draw a line and move on.”

He added: “Over the last 140 years, M&S has overcome many challenges – testament to the longevity of this brand. This incident is a bump in the road, and we will come out of this in better shape, and continue our plan to reshape M&S for customers, colleagues and shareholders.”

Earlier this month, Marks and Spencer told customers that some of their personal data has been stolen following a major cyber attack last month. However, it said the data does not include usable payment or card details, which are not held on its systems, and does not include any account passwords. It added there was “no evidence that this data has been shared”.

It added it has “taken steps to protect our systems” and engaged leading cyber security experts over the incident. It also reported the incident to relevant government authorities and law enforcement, who it will “continue to work closely with”.

Last month, Marks and Spencer paused all online orders through both its website and apps following the cyber attack.

In a statement the group said it was “truly sorry for the inconvenience”, and had taken the measure as part of “proactive management”. 

It added that customers could continue to browse products online and shop in stores using cash or card.

The group had previously issued an apology to its customers after its contactless payments and click-and-collect services experienced a widespread outage over the Bank Holiday weekend. 

The major cyber attack has been linked to Scattered Spider, a gang of British and American teenage cyber criminals.