Marks & Spencer has confirmed that a major cyber attack in April 2025 almost wiped out its half-year profits, cutting statutory profit before tax by 99 per cent, from £391.9 million to just £3.4 million.
The retailer said the incident, linked to the DragonForce ransomware group and the Scattered Spider hacking network, forced it to suspend online orders and click-and-collect services for weeks and caused widespread supply chain disruption.
M&S recorded £102 million in one-off costs and expects to spend another £34 million before year-end. An insurance payout of £100 million offset part of the impact, though overall losses are expected to reach around £300 million.
Chief executive Stuart Machin said the company “responded quickly” to protect customers and suppliers, confirming that customer data, such as contact details and order histories, was taken, but payment information was not.
The case highlights the scale of damage social engineering and ransomware can cause. Businesses can protect themselves by improving staff awareness, enforcing multi-factor authentication, and testing their incident response plans regularly.