British retailer Marks & Spencer has revealed that a “highly sophisticated and targeted cyberattack” will cost it around £300 million in operating profits, with disruption expected to continue into July.
The attack, which first emerged on 22 April, forced the company to suspend its online clothing operations and caused some food shelves to be left bare. It has already wiped more than £1 billion from the company’s stock market value, with shares down 3.4 per cent in early trading on Wednesday, extending losses since the attack to 13 per cent.
M&S said online disruption in its fashion, home and beauty division would continue “throughout June and into July as we restart, then ramp up operations”. Online sales and trading profit in that division had been “heavily impacted” by the suspension of online shopping, though store sales had “remained resilient”.
In the food business, the retailer reported reduced availability and higher waste and logistics costs after being forced to return to pen-and-paper systems, though food sales have since improved.
Chief executive Stuart Machin remained optimistic despite the setback: “This incident is a bump in the road, and we will come out of this in better shape, and continue our plan to reshape M&S for customers, colleagues and shareholders.”
The company hopes to halve the expected profit hit for its 2025/26 year through “management of costs, insurance and other trading actions”.
The cyberattack has overshadowed the significant progress M&S had made with its turnaround plan. The retailer reported a 22.2 per cent rise in adjusted pretax profit to £875.5 million for the year to 29 March, the highest in over 15 years and ahead of analysts’ average forecast of £840 million.
Sales increased 6.1 per cent to £13.9 billion, with food sales up 8.7 per cent and clothing, home and beauty sales up 3.5 per cent; the group won market share in both divisions.
M&S said it would use the crisis to “accelerate the pace of improvement of our technology transformation” and had found new and innovative ways of working.
“We are focused on recovery, restoring our systems, operations and customer proposition over the rest of the first half, with the aim of exiting this period a much stronger business,” the company stated.
British companies and institutions have faced increasingly aggressive and regular cyber and ransomware attacks in recent years, with the British Library, a blood testing service and the London Underground all suffering months of disruption. M&S confirmed last week that some personal customer information had been stolen in the hack.
The National Crime Agency (NCA) has revealed that a notorious hacking group known as “Scattered Spider” is a key focus of its investigation into the M&S attack, as well as similar incidents affecting Co-op and Harrods. The group is believed to consist of young English-speakers, some reportedly teenagers, based primarily in the UK and US.
“We are looking at the group that is publicly known as Scattered Spider, but we’ve got a range of different hypotheses and we’ll follow the evidence to get to the offenders,” Paul Foster, head of the NCA’s national cyber crime unit, told the BBC. “In light of all the damage that we’re seeing, catching whoever is behind these attacks is our top priority.”
The wave of retail cyber attacks began around Easter and has resulted in empty shelves, suspended online services, and the theft of millions of people’s private data. The hackers have reportedly used a platform called DragonForce to carry out ransomware attacks.
Cyber security experts note that Scattered Spider, also known by other names including Octo Tempest and Muddled Libra, has been linked to previous high-profile attacks on US casinos in 2023 and Transport for London. The group is known to target organisations through social engineering techniques, often by manipulating IT help desk staff.
In November last year, the US charged five British and American men and boys, some in their teens and twenties, for alleged Scattered Spider activity.