M&S says cyberattack will hit profits by £300 million, disruption to last until July

Marks & Spencer (M&S) announced on Wednesday that it expected annual profits to be hit by around £300 million ($402 million) following a cyberattack in April that it expects will continue to cause disruption into July.

The company, a constituent of the FTSE 100 Index, first announced it was managing a cyber incident following the Easter weekend in April. Its app and online shopping are still unavailable, customers have been warned their data may have been compromised, and shelves at stores are sporadically empty due to stocking challenges.

It is reportedly seeking to claim the maximum from its insurance policy, up to £100 million. In its statement filed with the London Stock Exchange on Wednesday, the company said it expected the  £300 million impact on its operating profit “before cost mitigation, insurance and trading actions.”

M&S shares rose 1.9% on Wednesday following the statement, and are up more than 5% since five days ago, although the price remains down 8.8% from its high before the attack was confirmed.

The expected impact on the company’s profits does not include the costs directly relating to the incident. While the company has confirmed customer data may have been compromised — as claimed by ransomware group DragonForce — the criminals have not yet listed this data on their darknet extortion site. M&S has not denied making a ransom payment.

“Since the incident, Food sales have been impacted by reduced availability, although this is already improving. We have also incurred additional waste and logistics costs, due to the need to operate manual processes, impacting profit in the first quarter.

“In Fashion, Home & Beauty, online sales and trading profit have been heavily impacted by the necessary decision to pause online shopping, however stores have remained resilient. We expect online disruption to continue throughout June and into July as we restart, then ramp up operations. This will also mean increased stock management costs in the second quarter,” the statement added.

Investors were informed that the company was “using the disruption to bring forward investment, rephasing the original programme, accelerating plans to upgrade infrastructure and network connectivity, store and colleague technology, and supply chain systems.”

The attack on M&S occurred shortly before similar incidents affecting British retail group the Co-op and the luxury store Harrods in London. There have not yet been any official statements from British officials tackling ransomware to acknowledge whether the attacks are linked, despite the claims of the DragonForce ransomware group.

Read more: UK police looking at 'range' of potential perpetrators behind retail cyberattacks