A few weeks after a ransomware attack paralyzed M&S’s digital infrastructure, its online sales remain suspended and supply chain teams are still relying on manual workarounds. The projected £300 million profit hit, combined with rising logistics costs, offline platforms, and regulatory scrutiny, has turned a cybersecurity breach into a full-scale operational crisis. With recovery delayed and third-party risk now squarely in focus, M&S has become a high-profile case study in digital fragility across modern retail supply chains.
Manual Workarounds Strain Logistics
M&S continues to grapple with the aftermath of a ransomware attack that has shut down key digital infrastructure since late April. The retailer’s clothing and home e-commerce platform, responsible for roughly £3.8 million in daily sales, remains offline, and operational teams have been forced to rely on manual processes to maintain basic stock and fulfillment flows.
The disruption has not been confined to online channels. Physical stores have faced intermittent food shortages, suppliers have reverted to pen-and-paper ordering, and distribution schedules have been stretched to maintain availability. Meanwhile, M&S has pulled its job listings offline, paused click-and-collect services, and acknowledged that some customer data, including names, addresses, and order histories, was compromised. The company insists payment and password information was not accessed, but the reputational cost is growing.
The attack has been traced to Scattered Spider, a cybercriminal group that used DragonForce, a ransomware-as-a-service platform. The group also claimed responsibility for attacks on Harrods and the Co-op, underscoring a pattern of targeted infiltration in UK retail.
CEO Stuart Machin said the breach originated through social engineering at a third-party contractor, allowing attackers to gain credentials under the guise of trusted personnel. While M&S has not publicly named the contractor, Tata Consultancy Services—its long-term IT services partner—is conducting an internal investigation into whether its systems were used as an entry point.
Disruption Overshadows Strong Profit Year
The £300 million profit hit projected for the fiscal year ending March 2026 comes on the heels of M&S’s best adjusted pretax profit performance in over 15 years—£876 million, up more than 22% from the previous year. Sales across both food and general merchandise had been trending upward before the incident, and market share gains had begun to validate Machin’s strategic repositioning.
Despite the attack, shares rebounded 2.6% on the day of the earnings release, suggesting investor confidence in M&S’s long-term resilience. Analysts at Deutsche Bank noted that quantifying the loss signals “management is confident a solution is in sight.” The company is seeking to offset some of the financial damage through insurance claims and tighter cost controls.
However, the breach has also triggered a significant non-cash impairment charge of £249 million tied to M&S’s investment in Ocado Retail. Combined with short-term operating disruptions, the twin shocks could complicate forward planning and procurement cycles, particularly in categories reliant on just-in-time inventory and synchronized supplier inputs.
Reframing Cyber Risk as Operational Risk
The M&S breach has revealed the operational fragility that arises when critical functions depend on externally managed digital infrastructure. While the technical entry point was remote, the consequences were physical – missed sales, disrupted inventory flows, and strained supplier coordination.
For supply chain leaders, the incident reinforces the need to treat third-party digital platforms as core operational assets subject to the same scrutiny, resilience planning, and recovery protocols as any strategic supplier.