Marks & Spencer Cyberattack Causes Major Financial Losses and Operational Disruption
Marks & Spencer suffered a significant cyberattack in April that resulted in extensive operational disruption and a dramatic impact on its financial performance. The retailer reported that the incident led to a 55.4% drop in profits, with first-half earnings plunging to £3.4 million ($4.4 million) from £391.1 million ($510 million) the previous year. The attack forced the company to disconnect its warehouse management and online ordering systems, halting online and international sales for weeks. Home delivery resumed in June, and 'click and collect' services were restored in August, but sales in key departments such as fashion, home, and beauty declined by 16.4% during the reporting period due to the disruption.
The total cost of the cyberattack is estimated at £136 million ($177.2 million), with £83 million ($108.2 million) spent on immediate response and recovery, and the remainder on legal and professional services. Marks & Spencer expects to offset much of these costs with a £100 million ($130.4 million) insurance claim. The incident is believed to be linked to the Scattered Spider hacking collective, with several arrests made in connection to this and other attacks on UK retailers. Despite the setback, M&S reported a 22.1% increase in overall revenues, though the cyberattack's impact on profits and operations was substantial.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
M&S says cyberattack cleanup cost reached about £136 million
Marks & Spencer disclosed that costs from responding to and recovering from a cyberattack had risen to roughly £136 million, significantly affecting its first-half financial results. The company said the incident effectively wiped out profits for the period.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Marks & Spencer Hack Exposed Customer Data and Drove Major Retail Disruption
Marks & Spencer said a cyberattack exposed customer personal data and caused prolonged disruption across its retail operations, including suspended online orders, store outages, delivery problems, and empty grocery shelves. The company said stolen information included names, dates of birth, home and email addresses, phone numbers, household details, and online order histories, prompting password resets for online accounts. UK authorities, including the National Cyber Security Centre, worked with affected retailers and law enforcement as the fallout spread beyond M&S. The attack has been linked in reporting to **Scattered Spider** and the **DragonForce** ransomware and extortion operation, with **Co-op** and **Harrods** also reported as targets around the same period. M&S later said the intrusion began through a contractor compromised via sophisticated social engineering rather than exploitation of a flaw in its own systems, and warned the impact would continue for months. The retailer estimated the incident would cut profits by about **£300 million**, with some losses expected to be offset through insurance and other recovery measures.
May 27, 2026
Marks & Spencer Cyberattack and IT Helpdesk Contract Termination
Marks & Spencer suffered a major cyberattack in April 2025, reportedly linked to the Scattered Spider group, which used advanced social engineering tactics to impersonate senior executives and trick IT helpdesk staff into resetting critical login credentials. The attack led to the suspension of the retailer’s online shopping platform, failures in contactless payments, and significant supply chain disruptions, resulting in an estimated £300 million loss in operating profits. The incident drew public and parliamentary scrutiny, particularly regarding the role of Tata Consultancy Services (TCS), whose staff managed key support lines and password resets targeted by the attackers. Four individuals were arrested by the National Crime Agency in connection with the attack on M&S and other British retailers. In the aftermath, Marks & Spencer replaced TCS as its IT service desk provider, a decision both companies stated was the result of a procurement process that began before the cyber incident and not a direct response to the breach. TCS continues to provide other IT services for M&S, including data center management, while cybersecurity services are handled by other vendors. The breach and its fallout have prompted M&S to reassess its digital operations, cybersecurity posture, and vendor management strategies, with full restoration of some services, such as Click & Collect, only achieved months after the attack.
Mar 21, 2026
Jaguar Land Rover Production and Sales Impact from Major Cyberattack
Jaguar Land Rover suffered a significant cyberattack in September that forced the automaker to halt production for several weeks, resulting in a 43% year-on-year decline in wholesale volumes for the third quarter. The disruption affected global supply chains, with manufacturing only returning to normal levels by mid-November, and led to substantial delays in distributing vehicles to dealers worldwide. The attack's impact was felt across all major markets, with North America experiencing a 64% drop in wholesale volumes, Europe 48%, China 46%, and the UK market seeing a smaller decline of 0.9%. The company also faced additional challenges from US tariffs and the planned discontinuation of legacy Jaguar models. Financially, the cyberattack cost Jaguar Land Rover £196 million ($220 million) in the quarter, and the Bank of England cited the incident as a contributing factor to the UK's weaker-than-expected GDP growth. The attack was later claimed by the Scattered Lapsus$ Hunters, a group linked to Lapsus$, Scattered Spider, and ShinyHunters. In addition to production and sales losses, JLR confirmed that data was stolen during the breach, including payroll information. The full financial impact is expected to be detailed in the company's upcoming quarterly results.
Mar 21, 2026