Disruption from the ‘highly sophisticated and targeted cyber attack’, first reported around Easter weekend, continues.
British retailer Marks & Spencer estimates that a cyberattack that stopped it from processing online orders and left store shelves empty will cost it about 300 million pounds ($403m).
The company said in a business update (PDF) on Wednesday that disruption from the “highly sophisticated and targeted cyber attack,” which was first reported around the Easter weekend, is expected to continue until July.
Online sales of food, home and beauty products have been “heavily impacted” because the company, popularly known as M&S, had to pause online shopping.
The attack on one of the biggest names on the United Kingdom high street forced M&S to resort to pen and paper to move billions of pounds of fresh food, drinks and clothing after it switched off its automated stock systems.
That led to bare food shelves and frustrated customers, denting profits.
A month on, M&S’s large online clothing service remains offline, and the attack has wiped more than a billion pounds off its stock market value.
Chairman Archie Norman said the timing of the attack was unfortunate as M&S, which has been implementing a comprehensive turnaround plan since 2022, had been starting to show its full potential.
“But in business life, just as you think you’re onto a good streak, events have a way of putting you on your backside,” he said.
M&S, which has 65,000 staff and 565 stores, said the hack would cost about 300 million pounds ($403m) in lost operating profit in its year to March 2026, although it hopes to halve that impact through insurance, cost control and other actions.
Chief executive Stuart Machin said the company is focused on recovery and restoring its systems and operations.
“This incident is a bump in the road, and we will come out of this in better shape,” Machin said. He did not provide any details on the attack or who might be behind it.
Earlier this month, the company said customer personal data, which could have included names, emails, addresses and dates of birth, was taken by hackers in the attack.
Two other British retailers, luxury London department store Harrods and supermarket chain Co-op, have also been targeted by cyberattacks at around the same time.