UK retailer Marks & Spencer (MKS.L) has shared another update on the impact of the recent cyberattack, and the company estimates that the incident will cost it £300 million (roughly $400 million).
However, M&S pointed out in a filing with the London Stock Exchange that this is expected to be the financial impact on 2025 and 2026 operating profit, but the amount should be “reduced through management of costs, insurance and other trading actions”.
The cyberattack has caused significant disruptions for the company. The retailer, which has more than 60,000 employees and 500 stores, is now in the process of recovering and restoring its systems.
The incident has resulted in food sales losses due to reduced availability, as well as additional waste and logistics expenses due to the need to manually operate processes, which has hit first quarter profits.
While fashion, home and beauty physical stores have remained operational, online shopping has been temporarily halted.
“We expect online disruption to continue throughout June and into July as we restart, then ramp up operations,” the company said. “This will also mean increased stock management costs in the second quarter.”
M&S was one of the several major UK retailers targeted by cybercrimnals. A ransomware group calling itself DragonForce has taken credit for the attack on M&S, as well as on Co-op and Harrods. Google warned last week that the same group has also started targeting US retailers.
M&S has confirmed that the attackers have stolen customer information, including names, addresses, email addresses, phone numbers, dates of birth, online order history, household information, and partial payment card data.
The retailer revealed this week that its systems were breached after the hackers used social engineering against employees at an unnamed third-party contractor. Reuters learned from sources that the contractor in question is Tata Consulting Services. Neither Tata Consulting Services nor M&S provided confirmation.
M&S has not shared any details on the ransom demand and it’s unclear if the company paid anything to the cybercriminals.
Related: Ransomware Attack Cost Keytronic Over $17 Million
Related: Cyberattack Cost Oil Giant Halliburton $35 Million
Related: Ransomware Hits Critical Infrastructure Hard, Costs Adding Up
