M&S Cyber Attack Cost £131m, but Food Arm Powers Recovery

The £131m price tag: what the cyber attack actually cost

The figures, published in M&S's annual results on 20 May, put a concrete number on a threat that many boards still treat as abstract. The £131m charge relates to the cyber incident that took the retailer's website offline for 12 weeks last year, according to the company's regulatory filing. During that period, online trading in fashion, home and beauty was frozen entirely, and some food shelves were left empty.

M&S described the year as one of "two halves," according to its results statement: the first dominated by recovery from the attack, the second by a push to return to growth. Sales in the fashion, home and beauty segment fell by eight per cent as a direct consequence of the outage, the filing shows.

To put the cost in perspective, M&S's prior-year pre-tax profit stood at roughly £514m. The cyber incident alone therefore wiped out more than a quarter of the group's earnings. For a 141-year-old FTSE 100 retailer with diversified revenue streams, the hit is substantial. For a mid-market operator with narrower margins and fewer channels, a comparable breach could be existential.

Archie Norman, M&S's chairman, told MPs in July that the attack was "traumatic" and felt like hackers were "trying to destroy" the business, as reported by City AM.

Food as the growth engine: M&S's bid for the weekly shop

Even as the cyber attack dragged on headline profit, M&S Food delivered a robust performance. Revenue in the food division grew by seven per cent to £9.7bn in the year to March, according to the company's filing. The segment now represents more than half of group turnover, a milestone that underscores a strategic shift years in the making.

M&S Food's market share has reached four per cent, according to the results. That figure still trails the major grocers significantly, but the trajectory matters. The retailer is investing in price competitiveness through its "dropped and locked" range, which focuses on discounting protein and fresh produce to rival discount brands.

The centrepiece of the expansion plan is a £340m food distribution centre in Northamptonshire, where construction began last week. M&S described the facility as a "major step in transforming into a true destination for the weekly shop," according to the company's announcement.

Food profit did fall by nine per cent in the period, which M&S attributed to higher waste costs in the first half of the year, the filing states. That drag is directly linked to supply-chain disruption caused by the cyber attack, making it another line item in the incident's true cost.

Capital reallocation signals long-term intent

The Northamptonshire distribution centre, combined with planned store openings, signals that M&S is reallocating capital decisively toward food logistics. The retailer is positioning itself to compete more directly with Tesco and Sainsbury's on the weekly grocery shop, rather than relying on its traditional strength in convenience and premium ready meals.

That pivot requires sustained investment. Whether the returns justify the outlay will depend on M&S's ability to hold and grow its four per cent market share against incumbents with far larger store estates and more mature supply networks.

Triple whammy: tax, regulation and conflict-driven costs ahead

Chief executive Stuart Machin used the results to flag a set of headwinds that extend well beyond M&S.

"Retailers face a triple whammy of headwinds with increased taxation, a greater regulatory burden and ongoing global conflict."

The conflict reference is to the Iran war, which is pushing up fuel and freight costs across UK retail, according to the company's statement. Tesco and Sainsbury's have flagged similar pressures in recent trading updates.

For M&S, the combination is particularly acute. The retailer is mid-way through a capital-intensive expansion of its food infrastructure while simultaneously absorbing the tail costs of the cyber incident. Higher employer national insurance contributions, which took effect in April 2025, add further margin pressure.

M&S said it plans to offset these costs by investing more in its supermarket business and through further store openings, according to its results statement. The logic is that scale in food, where footfall is frequent and basket sizes are growing, provides a buffer against margin compression elsewhere.

Lessons for operators: sizing cyber-risk on the balance sheet

The M&S results offer a rare, fully quantified case study in post-breach economics. Several data points are worth isolating for operators assessing their own exposure.

Direct cost: £131m. This covers remediation, lost sales, and associated charges. It does not capture reputational damage or long-term customer attrition, which are harder to measure but likely material.

Recovery timeline: 12 weeks offline, plus a further six months of suppressed performance. M&S described the first half of its financial year as recovery-dominated. For businesses without M&S's brand equity or balance-sheet depth, the recovery period could be longer.

Earnings impact: more than 25 per cent of prior-year profit erased. That ratio is a useful benchmark. A mid-market retailer generating £20m in annual pre-tax profit could, on a proportional basis, face a cyber cost that eliminates an entire year's earnings.

Indirect costs compound. The nine per cent drop in food profit, driven by waste from supply-chain disruption, illustrates how a cyber incident cascades through operations in ways that do not appear on the initial incident-response invoice.

None of this means every business faces the same risk profile. M&S is an omnichannel retailer with complex logistics and high digital dependency. But the principle holds: cyber-resilience investment is not an IT budget line. It is a balance-sheet protection measure, and M&S's results provide the clearest UK benchmark yet for what happens when that protection fails.

The retailer's share price stood at 328p as of the results date, roughly level in the year to date, according to City AM. The stock's path from here will depend on whether the food-led recovery strategy can outrun the headwinds Machin has identified. For now, the numbers speak plainly enough.