M&S Food Sales Growth Slows Amidst Cyberattack Disruption

British retailer Marks & Spencer's (M&S) food business experienced a slowdown in sales growth, reaching 9.1% for the 12 weeks leading up to June 14, following a cyberattack in April, according to NielsenIQ. This growth rate represents a decrease from figures reported in prior months. While M&S's market share saw a slight year-on-year increase, it was a decline from the previous month. The cyberattack led to M&S suspending online clothing orders and taking other systems offline, which impacted food availability and increased costs. The retailer estimates a significant hit to its operating profit due to the incident. Online clothing orders have since resumed after a prolonged suspension.

The cyberattacks in April 2025 on M&S and Co-op have been identified as a singular "combined cyber event" by the Cyber Monitoring Centre (CMC). The attacks utilized social engineering, targeting IT help desks, and the cybercrime group Scattered Spider (also known as UNC3944) is believed to be behind the intrusions. The CMC noted that the impact was "narrow and deep," affecting the two companies profoundly and creating ripple effects across their suppliers and partners. Scattered Spider has reportedly expanded its targeting to the insurance sector.

The hacker group DragonForce sent a direct and abusive email to M&S CEO Stuart Machin, demanding payment and claiming to have encrypted servers and stolen customer data. This communication confirmed DragonForce's responsibility for the attack and revealed their awareness of M&S's cyber-insurance policy. While the origin of the email was linked to an employee account of Tata Consultancy Services (TCS), TCS has denied its systems were used. DragonForce also claimed responsibility for the Co-op cyberattack. Despite the confirmation of DragonForce's involvement, the precise identities of the hackers remain unconfirmed, though speculation points to Scattered Spider, a loose collective of young Western hackers. The UK's National Crime Agency is investigating this group.

M&S has gradually brought some online orders back, though a full return to normal operations is anticipated later in the summer. Some customer data, including contact details and order history, was compromised, but payment information was not affected. The ransomware attack, which involved social engineering through a third party, is projected to substantially reduce M&S's current year profits, although some coverage from insurance is expected. The incident has also impacted suppliers and led to disruptions in M&S's in-store food supply and its partnership with Ocado.

The CMC's assessment classified the M&S and Co-op cyberattacks as a "Category 2 cyber event" on its "hurricane scale," with substantial financial repercussions. The CMC stressed the critical need for robust business continuity plans, including testing for ransomware attacks, proper inventory management, and effective crisis communication strategies. They also emphasized the importance of ensuring adequate financial provisions or insurance to cover the significant costs associated with cyberattacks.