The ongoing cyberattack on Marks & Spencer is costing the retailer £43m a week in lost sales, according to analysis by Bank of America Global Research.
The crippling attack – which was first revealed by M&S chief Stuart Machin just after the Easter weekend – has seen online clothing and home shopping and deliveries suspended, which alone is costing the retailer around £26m a week, the researchers estimate.
The attack initially disrupted contactless payments in stores, which was quickly restored. But stores have also been impacted by ongoing “pockets of limited availability” M&S said. Its Sparks loyalty app – which has more than 18 million members – has been unable to process rewards, while M&S’s scan & shop service has also been suspended, with some stores rendered cash-only.
The Bank of America analysts – assuming a “10% disruption to in-store food sales” – estimate there has been an additional £17m hit on M&S food hall sales every week.
The cyberattack’s impact on sales will cut M&S’s full-year 2026 earnings before interest and taxes by around 7%, the report notes. But that figure will rise “if things are not resolved” by the retailer’s full-year 2025 update next week.
While there is “downside risk to FY26 estimates” and “uncertainty about duration and potential insurance coverage” the researchers remained broadly positive about M&S’s recovery.
“The attack has certainly been a disruption, but we don’t believe it derails the group’s ongoing success in both segments and should not result in too significant an increase in tech spending, given it was already an area of increased focus under the current strategy,” the analysts wrote.
On top of the lost sales, M&S could also face fines and class action compensation claims, after it revealed earlier today that personal customer data had been accessed by hackers.
M&S said despite the hack of the personal data – which includes dates of birth, ‘household information’, telephone numbers and ‘masked’ payment card details – there was to date “no evidence that it has been shared”.
Retail investor platform AJ Bell said in a note today that the “gruelling” cyber incident had “knocked the business for six”. The hack – and admission customer data had been stolen – could turn shoppers away, it added.
“While the retailer says customers’ payment details weren’t taken by the hackers, the fact some personal data has been taken means M&S has a big mountain climb to win back shoppers’ trust,” said AJ Bell investment director Russ Mould.
“M&S is one of the UK’s most loved retailers. Shoppers have faith in the company to provide high-quality products and to deliver service with a smile. Now, shoppers might be questioning if M&S is still such a great place to visit. So many people worry about the safety of their information that they might vote with their feet and go elsewhere if there are lingering concerns about the robustness of M&S’s systems.”
No comments yet