M&S profits plunge after costly cyber attack

Marks and Spencer has reported a sharp plunge in its profits following a significant cyber attack earlier this year. The company’s underlying pre-tax profits dropped by 55.4% to £184.1 million in the six months leading up to September 27. When looking at the figures on a reported basis, profits were nearly wiped out, falling drastically from £391.9 million the year before to just £3.4 million. The cyber attack forced M&S to halt online orders, causing home and fashion sales on its website to fall by more than 40%. The retailer also faced disruption to its logistics systems, resulting in empty shelves and further operational challenges. The overall cost of the attack is expected to be around £136 million, although this is lower than the initial £300 million estimate M&S gave back in May. Insurance has helped offset some of the damage, with the company recovering £100 million through a payout in the first half of the year. Despite the setbacks, M&S says it’s now on the path to recovery. Stuart Machin, the company’s CEO, acknowledged the extraordinary nature of the first half but emphasized the business's resilient financial foundations, which helped it weather the storm. Sales in M&S’s fashion segment took a hit, dropping 16.4%, with online sales suffering a steep 42.9% drop. Store sales also declined slightly by 3.4%. The cyber attack, which happened around Easter, caused the retailer to suspend all online sales for about six weeks. The breach also compromised customer personal data, potentially including names, email addresses, postal addresses, and dates of birth. Machin described the attack as a result of "human error" and noted the company also had to cope with cost increases exceeding £50 million due to a national insurance hike. Despite these challenges, Machin remains cautiously optimistic. He expects profits in the second half of the financial year to be at least on par with the previous year, supported by an accelerated cost-cutting program targeting £600 million in savings. The retail sector is currently facing significant challenges, but M&S is focusing on factors it can control, like cost efficiency, to mitigate financial pressures. After resuming online sales for clothing, home, and beauty products, M&S saw an increase in activity, though some competitors like Next gained market share during the disruption period, suggesting some customers switched to other retailers. Home delivery services restarted in June, but the click and collect option wasn’t reinstated until August. While the recovery in fashion, home, and beauty sales has been slower compared to food, M&S reports daily progress. Food sales rose by 7.8% in the first half, with volumes up 2.8% once price increases were removed from the equation. Looking ahead, M&S expects to have fully recovered its overall trading by the end of the financial year. The company remains focused on navigating the current headwinds in retail while accelerating its cost reduction efforts to improve its financial health and regain lost market ground. The core facts reveal that Marks and Spencer experienced a severe cyber attack in early 2023, leading to a major profit drop and disruptions to online sales, especially in its fashion and home segments across the UK. Stakeholders directly involved include M&S’s management, customers affected by data theft, and employees handling logistics, while indirectly, competitors and suppliers faced ripple effects due to shifts in market share and supply chain interruptions. Immediate impacts included a halt to online orders, logistic disruptions, and a sharp decline in sales with an estimated financial damage of £136 million, cushioned partially by insurance. Historically, this event is akin to the 2017 WannaCry attack which similarly disrupted UK businesses, though M&S’s human error attribution and cost recovery through insurance highlight both the vulnerability and resilience mechanisms. Looking forward, the firm could leverage enhanced cybersecurity innovations to prevent recurrence, while risks remain around evolving cyber threats and customer trust erosion. From a regulatory standpoint, priority recommendations include mandating stricter cybersecurity protocols across retailers, establishing rapid-response frameworks for cyber incidents, and incentivizing investment in advanced threat detection—each prioritized for balanced feasibility and impact. This multi-faceted analysis underscores verified financial setbacks and operational disruptions while speculatively projecting recovery trajectories dependent on strategic cost management and security enhancements.