Marks & Spencer Says Cyberattack to Cost £300 Million

Marks & Spencer Says Cyberattack to Cost £300 Million

British retailer Marks & Spencer Group Plc is facing a significant blow to its operating profit this fiscal year due to a cyberattack that occurred last month. The company has estimated the attack will cost around £300 million ($403 million), with the disruption to sales and operations expected to continue into July.

The cyberattack, which was blamed on human error, forced M&S to halt contactless payments and created gaps on shelves as it took some IT systems offline. The company has confirmed that hackers entered its systems via a third-party business partner, but declined to reveal the identity of the partner.

"We have to be vigilant and lucky every day — threat actors only have to be lucky once," said M&S CEO Stuart Machin on a call with reporters. "We didn’t leave the door open, this wasn’t anything to do with under-investment." The company is taking steps to mitigate the impact of the attack, including cost savings and insurance payouts.

Online clothing and home orders, which account for over £3 million of sales per day, will resume "in a matter of weeks," M&S said. Despite the disruption, the company reported its highest pretax profit in 15 years for the year that ended before the cyberattack, driven by increased sales of groceries and improved brand reputation.

M&S's shares rose 2.6% in London, reversing an earlier decline and paring a 10% drop since the attack was announced on April 22. Analysts at Deutsche Bank noted that quantifying the cost suggests "management is confident a solution is in sight." However, the hit to operating profit is worse than analysts expected.

Cybercrime is an increasingly prevalent problem in the UK and worldwide. The Home Office estimates cybercrime costs the UK economy billions of pounds in losses annually. Last year, a cohort of Russian-speaking hackers demanded a $50 million ransom from a UK lab-services provider to end a ransomware attack that paralyzed London hospitals for weeks.

The attack on Marks & Spencer caused significant disruption to its operations, including reduced food sales and additional waste and logistics costs due to the switch to manual processes. However, the company remains confident in its prospects for medium-term growth and is increasing its dividend by 20%.

Key Figures:

  • £300 million: Estimated cost of the cyberattack on M&S's operating profit
  • $403 million: Estimated cost of the cyberattack in US dollars
  • 24%: Percentage decrease in statutory profit before tax due to impairment charge and cyberattack
  • 20%: Increase in dividend announced by M&S

Read more: M&S' Slow Recovery From Cyberattack Puts it at Risk of Lasting Damage