M&S Chairman Details £300m April Cyberattack, Calls for Mandatory Reporting

Marks & Spencer suffered a major cyber attack in April linked to the hacking group Scattered Spider, which involved a sophisticated impersonation of a third-party user and forced the retailer to halt online orders and face empty shelves. Chairman Archie Norman described the event as traumatic, with the cyber team working under intense pressure, and estimated the attack will cost the company around £300 million in gross profits, though some losses may be recovered through insurance. The motives behind the attack appear to include ransom or extortion, but also seemed aimed at disrupting the business itself. Norman criticized other large companies for not reporting cyber attacks to the National Cyber Security Centre (NCSC), advocating for mandatory reporting to improve collective intelligence and response. M&S executives emphasized the need for businesses to be prepared to operate without IT systems during cyber incidents, recommending fallback procedures such as running operations on pen and paper. The attack is still affecting certain background systems, with recovery efforts expected to continue into late 2025, highlighting the long-term impact of such cyber threats on major retailers.