Marks & Spencer says the disruption related to its ongoing cyberattack is likely to knock around £300 million ($402 million) off its operating profits for the next financial year (2025/26).
The beleaguered high street retailer made the admission in its fiscal 2025 profit and loss accounts for the year ended March 29, published on Wednesday, following reports that it could be gearing up to make a maximum claim on its cyber insurance policy to the tune of £100 million ($134 million).
The £300 million figure will be reduced through cost mitigations, insurance, and trading actions, M&S said, and it’s expected that the total costs related to the attack itself and technical recovery will be communicated at a later date as an adjustment item.
[…]
Various divisions suffered an overall decline in operating profits. M&S said that early on into the attack, which has been ongoing for about a month now, that some franchise stores, such as those inside train stations, were experiencing shortages of certain foods, such as “meal deal” sandwiches.
This reduced availability has affected food sales, and M&S also incurred additional waste and logistics costs owing to the shift toward manual processes.
After briefly managing to keep online and app sales running post-breach, these were eventually taken offline along with other systems, and the company said online sales and trading profit was “heavily impacted” as a result.
Online sales in its fashion, home, and beauty divisions remain unavailable and are not expected to return until July, M&S revealed today.
[…]
After posting its results this morning, M&S’s share price was down 3 percent at the time of writing, and about 12 percent down since the start of the attack, representing a more than £1 billion ($1.3 billion) loss to its market valuation.
However, there are green shoots for the retailer, whose pre-tax and pre-adjusted profits were up 22.2 percent on the previous year at £875.5 million ($1.17 billion), which is the company’s best performance in more than 15 years.
Overall, sales also grew 6.1 percent to £13.9 billion ($18.6 billion), and M&S reaffirmed its commitment to reduce its costs by £500 million ($670 million) in time for the 2027/28 financial year.
[…]
M&S disclosed the attack on April 22, and responsibility was soon ascribed to the English-speaking group known as Scattered Spider, who reportedly used DragonForce ransomware to infect the retailer’s systems.
Nothing is officially confirmed on this front, although DragonForce took credit for the attack when speaking to the BBC.
DragonForce said it was also involved in the attacks on Co-op and Harrods, but none of the companies have yet appeared on its leak site, which is unexpected for intrusions that took place nearly a month ago.
M&S confirmed last week that those responsible stole customer data including names, dates of birth, telephone numbers, home addresses, household information, email addresses, and online order histories.
It told the London Stock Exchange that the data did not include full payment card numbers or account credentials
Source: M&S warns of £300M dent in profits from cyberattack • The Register
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft