Marks & Spencer boosts cybersecurity spending as CEO Stuart Machin aims to recover from April’s major cyberattack
Marks & Spencer (M&S) expects to move past the worst impact of its April 2025 cyberattack by August, according to CEO Stuart Machin, following a devastating breach that slashed the retailer’s profit by £300 million ($413 million).
The comments were made during M&S’s annual shareholder meeting on Tuesday — the first public opportunity for investors to seek answers about the attack that paralysed operations and disrupted customer service.
M&S Cyberattack Shuts Online Store and Disrupts Supply Chain
The cyberattack in April forced M&S to shut down its online store for nearly seven weeks, leaving customers unable to shop online and causing stock shortages in physical stores throughout May. The company’s automated inventory and logistics systems were temporarily disabled, leading to empty shelves across UK locations. “I’m hoping by August, the majority of this is behind us,” Machin told shareholders.
Shareholders Question M&S Leadership on Cybersecurity Failures
When asked if the cyberattack could have been prevented, Chairman Archie Norman acknowledged that more could always be done and confirmed the company is still investigating the incident. While M&S did not disclose specific technical details of the breach, Norman said the company is taking a hard look at internal systems, vendor security, and IT infrastructure.
M&S Quadruples Cybersecurity Investment Ahead of the Attack
Machin emphasised that M&S had quadrupled its cybersecurity investment and tripled its cybersecurity workforce in the 12 months leading up to the attack.
“I’m glad we invested then. I’m glad we continue to invest,” he said, stressing the importance of ongoing cyber resilience as retail threats grow more sophisticated.
The company did not comment on whether ransomware or data breaches were involved, but the operational disruptions and financial hit have made this one of the most costly cybersecurity incidents in UK retail history.
What’s Next for Marks & Spencer?
As M&S works to restore customer trust and operational stability, its leadership has committed to:
- Ongoing cybersecurity upgrades
- Enhanced incident response protocols
- Transparent communication with shareholders and customers
- A target recovery date by August 2025
Despite the challenges, M&S remains one of the UK’s top retail brands, and analysts expect the company to bounce back in the second half of the year if digital systems are fully restored and consumer confidence is maintained.
