M&S Cyber Attack: The £136m Bill That Nearly Broke Britain’s High Street Comeback

News headline about the M&S Cyber Attack, overlaid with a picture of an M&S bag, published by MJB.

Introduction

Remember when M&S was finally cool again? Well…

The retailer just released the full damage report from April’s cyber attack, and it’s eye-watering: £136m by 2026. That’s after £100m in insurance payouts, meaning the actual hit could’ve topped £236m.

For a company that spent years clawing back from “dowdy” to “darling,” this couldn’t have come at a worse time. Online orders? Suspended for nearly two months. Click and collect? Down for almost four months. And the fashion side of the business — the part that was supposed to prove M&S had finally figured out style — took the biggest beating.

Let’s break down what went wrong, what it cost, and whether M&S can bounce back.


The Damage in Numbers

M&S didn’t hold back in its report. The £136m cyber attack cost breaks down like this:

  • £83m on immediate response and recovery (IT teams working round the clock)
  • £18.6m on legal and professional support (lawyers and cyber specialists don’t come cheap)
  • The rest on operational disruption and lost sales

Profit before tax dropped by £229m — falling from £413.1m to just £184.1m in the 26 weeks ending September 27. That’s more than half their profit, gone.

Fashion, home, and beauty sales? Down 16.4%. International sales slid 11.6%. The only bright spot was food, which climbed 7.8% thanks to improved value perception. Turns out people still trust M&S for their Percy Pigs, even if they’re not clicking “buy now” on that blazer.


Why Fashion Got Hit Hardest

Food sales happen in-store. Fashion? That’s increasingly online.

When M&S pulled the plug on e-commerce for weeks, fashion shoppers didn’t wait around. They went to Zara, ASOS, Next — anywhere that had a working checkout button. And even after the site came back online, customers were slow to return.

M&S admitted as much: “As we have rebuilt online customer traffic in Fashion, Home & Beauty, recovery has been slower.”

Translation: trust is harder to rebuild than a website.

The company’s CEO, Stuart Machin, tried to stay upbeat, calling it an “extraordinary moment in time” and promising M&S would be “recovered and back on track” by spring next year. But analysts aren’t totally convinced. Peel Hunt noted that “uncertainty remains,” and eToro’s Mark Crouch summed it up perfectly: “2025 now looks like a year of what-ifs.”


What This Means for M&S’ Turnaround

Before April, M&S was on fire (in a good way). The brand had finally ditched its frumpy image, revamped its fashion lines, and was winning back younger shoppers. The share price reflected that momentum.

Interestingly, M&S shares barely budged after the announcement — down just 1% in early trading. Why? Because the market had already priced in the bad news. M&S pre-warned investors that the cyber attack could cost up to £300m, so £136m (plus insurance) almost felt like good news by comparison.

Still, this sets the turnaround back. The fashion recovery was supposed to be the proof that M&S had cracked the code. Now? It’s back to square one in some ways, rebuilding customer confidence and online traffic while competitors sprint ahead.


Can M&S Bounce Back?

The good news: M&S expects to match last year’s profit in the next six months, despite the cyber attack hangover. That’s ambitious, but the food business is holding steady, and the operational side is mostly recovered.

The bad news: fashion is still lagging, and consumer trust takes time to rebuild. Cyber attacks leave scars — not just on balance sheets, but on brand perception. If customers feel their data isn’t safe, they’ll shop elsewhere.

M&S needs to lean hard into transparency, security upgrades, and maybe some killer promotions to lure shoppers back online. The infrastructure is fixed, but the psychology? That’s the harder part.


Conclusion

M&S’ cyber attack is a brutal reminder that digital infrastructure isn’t optional, it’s mission-critical. A £136m bill and a halved profit later, the retailer is still standing, but the momentum it worked so hard to build has taken a serious hit.

The comeback isn’t over, but it’s on pause. Spring next year will be the real test. Can M&S regain customer trust and reignite its fashion business, or will this become the hack that stalled Britain’s most unlikely retail revival?



FAQ

Q1: How much did the M&S cyber attack cost?

A: The total cost is £136m by 2026, including £83m for recovery teams and £18.6m for legal support. M&S also received £100m in insurance payouts, meaning the gross impact was closer to £236m.

Q2: When did the M&S cyber attack happen?

A: The attack occurred in April. M&S suspended online orders for nearly two months and click-and-collect services for almost four months.

Q3: How did the cyber attack affect M&S profits?

A: Profit before tax dropped by £229m — falling from £413.1m to £184.1m in the 26 weeks ending September 27. Fashion sales fell 16.4%, while food sales rose 7.8%.

Q4: Why did M&S shares not crash after the announcement?

A: M&S had pre-warned the market that the cyber attack could cost up to £300m, so the actual £136m figure was already priced in. Shares fell just 1% in early trading.

Q5: Will M&S recover from the cyber attack?

A: M&S expects to be “back on track” by spring next year and anticipates matching last year’s profit despite the attack. However, fashion sales recovery has been slower than food, and customer trust remains a challenge.


How We Work

MJBurrows is an independent UK personal finance publication, written and edited by Matthew Burrows. There is no parent company, no investor group, and no advertising sales team — decisions about what to cover and how to frame it are made by Matthew alone. Our full Editorial Policy sets out how the site operates in detail.
