UK retail giant Marks & Spencer (M&S) is grappling with the fallout from a major ransomware attack that has caused widespread disruption across its operations, with losses expected to reach £300 million (approximately $400 million) over the 2025 and 2026 fiscal years.
In a filing with the London Stock Exchange, M&S acknowledged the financial blow to its operating profit but noted that the impact may be partially offset through insurance coverage, cost management efforts, and strategic trading actions.
The cyberattack has crippled key areas of M&S’s business, particularly its food supply chain and online operations. The company, which employs over 60,000 people across 500 stores, is still working to recover and restore systems after being forced into manual operations—a shift that led to food waste, inventory management delays, and delivery issues that hurt first-quarter profits.
Online Shopping Still Frozen
M&S’s e-commerce services have been offline since the incident, and the retailer warns the disruption will continue through June and possibly into July. While its brick-and-mortar stores for fashion, home, and beauty remain open, the loss of online sales is adding further pressure, especially as the company enters a critical trading period. Increased stock handling and logistics costs are expected to weigh on second-quarter performance.
DragonForce Claims Responsibility
A ransomware group known as DragonForce has claimed responsibility for the attack on M&S, as well as attacks on other UK retail heavyweights including Co-op and Harrods. Google has also warned that the same group has begun targeting retailers in the U.S., escalating concerns about broader supply chain risks in the sector.
M&S confirmed that sensitive customer data was stolen, including names, addresses, emails, phone numbers, dates of birth, household information, partial payment card data, and online order history. The breach occurred after hackers used social engineering tactics to compromise an employee at an unnamed third-party contractor.
While M&S has not officially named the contractor, Reuters sources say Tata Consultancy Services (TCS) was involved. Neither M&S nor TCS has confirmed the connection, and no details have been released about any ransom payment or negotiations with the attackers.
This breach has not only impacted operations but also raised significant concerns over data privacy and vendor security practices. The attack highlights the increasing vulnerability of major retailers to ransomware groups exploiting weak links in the supply chain—often through third-party service providers.
As M&S works to recover its systems and reassure customers, the financial and reputational toll of this attack could reverberate well beyond 2026. For now, the focus remains on restoring digital operations and strengthening defenses against a growing wave of cyber threats targeting the retail sector.