M&S cyberattack to wipe out nearly one-third of annual profits

British retailer Marks & Spencer said Wednesday that a recent cyberattack, which left food shelves bare and brought online sales to a standstill, will wipe out almost one-third in its annual profits.

The company, known for its clothing, homeware and food products, said last month’s cyber attack would cost the business £300 million ($403 million) in operating profit this year.

“Our current estimate before mitigation is an impact on Group operating profit of around £300m for 2025/26,” the company said in a statement alongside its annual results.

It added that the financial impact would be reduced through management of costs, insurance and other trading actions, with costs related to the incident to be presented separately as an adjusting item.

The forecasted impact equates to 30.5% of the company’s £984.5 million annual operating profit before adjusting items as of March 29. 2025, which otherwise picked up by 17% year-on-year.

The cyberattack, which occurred over the Easter holiday, has wiped over £1 billion from M&S’ stock market value and continues to cause disruptions to online retail, which the company said could be expected to continue into July.

The high street giant said the “highly sophisticated and targeted cyber-attack” had led to a “limited period of disruption,” but that the incident had also marked an opportunity to accelerate its technology transformation program announced last year.

“We will use this window of disruption to accelerate our technology transformation plans; the plans we laid out a year ago. In fact, we will condense the two-year plan into just six months,” CEO Stuart Machin said during an earnings presentation on Wednesday.

The incident sent shock waves across the industry, with retailers such as the Co-op and Harrods also facing recent attacks.

Machin said that he would not comment on whether the retailer had paid a ransom in a cyber attack, according to Reuters. He also noted that the incident was the result of “human error,” without providing further details.

“We will now draw a line under this and move on to business as usual,” he said.

Lucy Rumbold, equity research analyst at Quilter Cheviot, said the cyber attack had “overshadowed” otherwise solid annual results for the retailer, but added that much of the impact had already been priced in.

Shares of M&S were up 0.68% by 10:23 a.m. London time.

“This cyber attack highlights just how damaging things like this can be,” Rumbold said over email. “We now have a clearer picture around the profit damage, however uncertainty on the duration of the attack remains, leaving the company vulnerable to further risks in the market.”

Businesses have been increasingly flagging cyber threats as a key risk to their operations. JD Sports on Wednesday cited “a significant cyber-attack” that stalls store sales as a “severe but plausible” downside scenario going forward.