Marks & Spencer (M&S) is still grappling with the fallout from a devastating cyber attack that forced the retail giant to halt online orders and left shelves empty in stores across the UK. Speaking before MPs on July 8, 2025, M&S chairman Archie Norman described the incident as "traumatic" and akin to an "out of body experience," revealing that the company remains in "rebuild mode" and will be for "some time to come." The attack, which began on April 17, 2025, involved a "sophisticated impersonation" tactic and was linked to the hacking collective known as Scattered Spider, with ransomware specialists DragonForce also implicated.
The initial breach occurred through a third-party contractor, and M&S only became aware of the intrusion two days later, on Easter Saturday, April 19. The company convened an emergency meeting that evening at 10 pm and promptly notified all relevant authorities the following day, including the National Crime Agency (NCA), the National Cyber Security Centre (NCSC), and the FBI. Customers were informed about the attack on April 22. Despite the severity of the breach, M&S chose not to engage directly with the threat actors, a decision Norman emphasized was crucial in managing the incident.
Norman declined to disclose whether M&S paid a ransom, citing it as a "business decision" and a matter of law enforcement. "We don't think it's in the public interest to go into that subject," he told MPs, adding that any interaction with the threat actor had been fully shared with the National Crime Agency. The chairman also highlighted the complexity of ransom negotiations, noting that companies must consider what they actually receive in return, especially when systems are already compromised and rebuilding is inevitable.
The cyber attack's impact was severe, costing M&S an estimated £300 million in gross profits. The retailer's ecommerce website and app were offline for six weeks, with an estimated loss of £10 million in profit each week during that period. Even now, some customer-facing services, like Click & Collect, remain offline, and the clothing and homewares logistics center in Castle Donington, Leicestershire, is due to come "back online imminently." CEO Stuart Machin has projected that the full range of online services will be reinstated by early August at the latest.
Norman detailed the ongoing recovery efforts, explaining that the company is heavily investing in cybersecurity improvements, having trebled its cybersecurity workforce to 80 and doubled expenditure in this area. The annual technology investment now stands at around £250 million, with approximately £150 million dedicated to upgrading legacy data systems. These upgrades, Norman stressed, have "nil" return on investment but are essential to prevent future breaches.
Despite these efforts, Norman acknowledged that no system is entirely impervious to attack. "Ultimately, can the attacker get in? They probably can if they try hard enough," he said, dismissing media reports that M&S had left "back doors" open as "all Horlicks." He emphasized that the attackers only need to be lucky once, making cyber resilience a constant battle.
Norman also criticized the current reporting landscape for cyber attacks, calling for mandatory disclosure of "material" incidents to the NCSC for companies above a certain size. He revealed that M&S is aware of two other major cyber attacks on large British companies in the past four months that went unreported. "I don't think it would be regulatory overkill for companies of a certain size to be required within a time limit to report those to the NCSC," he said. Such a move, he argued, would enhance central intelligence and improve the UK's overall cyber resilience.
The chairman's call for transparency came amid growing concerns about cyber security in the UK, with other major firms like the Co-op and Harrods also suffering attacks linked to Scattered Spider. The Co-op, which experienced a cyber breach days after M&S, confirmed it did not pay a ransom and has instead invested in segregated alternative systems designed to keep critical operations running digitally during attacks. Its chief digital information officer, Rob Elsey, described relying on "pen and paper" as "unsustainable" in today's digital age, contrasting with M&S general counsel Nick Folland's advice that businesses should prepare to operate manually if necessary.
Insurance has played a key role in M&S's financial response to the breach. The company doubled its cyber insurance coverage in 2024 and expects to make a "significant claim" that will offset a substantial portion of the £300 million lost profits. However, Norman cautioned that the claims process could take up to 18 months. He also noted that British cyber security authorities are "limited in their resources," underscoring the importance of collaboration with agencies like the FBI, which M&S found "very supportive."
Reflecting on lessons learned, Norman admitted that M&S's legacy IT systems, a byproduct of its long history, were a vulnerability. "We probably wish we didn't have legacy systems," he said, adding that with hindsight, the company would have accelerated planned technology investments. Still, he asserted that the firm handled the attack far better than it would have in 2017 when he first joined, a time when the business was "broken" and struggling with debt. "If this had happened then, I think we would have been kippered," he remarked.
Norman also advised other businesses to create detailed maps of their internal systems to prevent cyber criminals from taking over entire networks once they gain entry through a single point. "Mapping your systems seems basic and elementary but it is not – and I would advise everyone to do so," he said.
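As an added illustration of the point Norman makes about mapping systems (this is example code written for this page, not anything from M&S or the article), the Python below takes a small, constructed map of which systems can reach which others (through network paths, shared credentials or trust relationships) and computes the "blast radius" from a single entry point, then ranks the individual links whose removal would most shrink that radius. All system names in the map are hypothetical; the exercise is to show why a written-down map is the precondition for deciding where to segment.

```python
from collections import deque

# Constructed, hypothetical system map: each key lists the systems an
# attacker who controls it could move to next. None of these names or
# links are taken from the M&S incident.
SYSTEM_MAP = {
    "contractor-vpn": ["helpdesk-portal", "file-share"],
    "helpdesk-portal": ["identity-provider"],
    "identity-provider": ["ecommerce-db", "logistics-wms", "payroll"],
    "file-share": ["logistics-wms"],
    "ecommerce-db": [],
    "logistics-wms": ["store-tills"],
    "store-tills": [],
    "payroll": [],
    "offline-backup": [],  # deliberately isolated: nothing on the map reaches it
}


def blast_radius(system_map, entry):
    """Return the set of systems reachable from `entry` (breadth-first search).

    This is the 'how much of the estate falls if one point is compromised'
    question; the entry itself is included in the result.
    """
    seen = {entry}
    queue = deque([entry])
    while queue:
        current = queue.popleft()
        for nxt in system_map.get(current, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def segment(system_map, blocked_edges):
    """Return a copy of the map with the given (source, destination) links removed.

    Models a segmentation control (firewall rule, separate credentials,
    removed trust) without mutating the original map.
    """
    blocked = set(blocked_edges)
    return {
        src: [dst for dst in dsts if (src, dst) not in blocked]
        for src, dsts in system_map.items()
    }


def choke_points(system_map, entry):
    """Rank single links by how many systems their removal takes out of reach.

    Returns a list of ((source, destination), reduction) tuples, largest
    reduction first, ties broken by link name for a stable order.
    """
    baseline = len(blast_radius(system_map, entry))
    results = []
    for src, dsts in system_map.items():
        for dst in dsts:
            reduced = len(blast_radius(segment(system_map, [(src, dst)]), entry))
            results.append(((src, dst), baseline - reduced))
    results.sort(key=lambda item: (-item[1], item[0]))
    return results


if __name__ == "__main__":
    entry = "contractor-vpn"
    reach = blast_radius(SYSTEM_MAP, entry)
    print(f"From {entry}: {len(reach)} of {len(SYSTEM_MAP)} systems reachable")
    for link, reduction in choke_points(SYSTEM_MAP, entry)[:3]:
        print(f"  cutting {link[0]} -> {link[1]} removes {reduction} systems from reach")
```

On the constructed map, a single third-party entry point reaches eight of nine systems, and the ranking shows that the contractor-to-helpdesk link is the one whose removal matters most. The useful part for a real estate is the map itself, maintained as data that can be queried like this, rather than the toy graph.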
In the meantime, M&S continues to rebuild, with some background systems expected to be operational only by October or November. Norman warned that "once you fall victim to one cyber attack, you are likely to attract another," making resilience and security upgrades a top priority going forward.
As the retail giant moves cautiously toward full recovery, the wider business community watches closely. The M&S cyber attack stands as a stark reminder of the growing threat posed by sophisticated cyber criminals and the urgent need for robust defenses, transparent reporting, and coordinated responses across the UK economy.