“Some personal data has been taken”: Marks & spencer confirms cyber attack breach
London, 14 may 2025 — British retail giant Marks & Spencer has confirmed that some personal customer data has been compromised following a severe cyber attack that has left its online operations paralysed for over three weeks. The iconic retailer, which halted online orders on 25 april, has seen its share price tumble by 15% since the disruptions began over the Easter weekend.
Widely believed to be the victim of a ransomware attack, M&S said on tuesday that although customer data had been accessed by cyber criminals, no sensitive payment or password information was taken. The attack, described by the company as “sophisticated,” has thrown a spotlight on the growing threat posed by cybercrime to established businesses.
In a statement, the company said: “Some customer details have regrettably been taken due to the sophisticated nature of this incident. Importantly, the data does not include useable payment or card details, which we do not store on our systems, and it does not include any account passwords. There is currently no evidence to suggest that this data has been shared externally.”
While M&S has yet to confirm the specific nature of the data accessed, it is understood that information such as names, email addresses, and potentially contact numbers may have been compromised. The retailer is preparing to contact affected customers directly to inform them of the breach, although it stressed that no immediate action was required on their part.
Despite the severity of the incident, M&S’s 1,000 physical stores across the United Kingdom remain open and fully operational. However, the impact on its e-commerce business is significant, with the company missing out on crucial sales of its new spring-summer collections as Britain enjoys an unusually warm May.
Cybersecurity experts and law enforcement agencies, including the National Cyber Security Centre (NCSC), are said to be assisting M&S in its response. The company has also engaged independent cybersecurity consultants to support its efforts to restore its online platforms and prevent any further breaches.
M&S did not reveal the financial impact of the ongoing disruption, but analysts have warned that the costs are mounting rapidly. Deutsche Bank analysts earlier this month estimated that the cyber attack could result in at least £30 million in lost profits, with the company potentially losing around £15 million in sales per week.
Although M&S is believed to have cyber insurance in place, experts note that such policies often only provide limited coverage, especially for prolonged periods of operational disruption.
“The financial and reputational damage from a cyber attack of this scale can be enormous, particularly for a legacy brand like Marks & Spencer which is undergoing a delicate digital transformation,” said Clare Watson, a retail analyst at Retail Economics. “While cyber insurance may soften the immediate blow, the longer-term impact on customer trust and online sales growth is harder to quantify.”
More Read
M&S, which has been investing heavily in its digital operations to compete with rivals such as Next and John Lewis, makes approximately one-third of its clothing and home sales online. The current crisis represents a serious setback in its efforts to strengthen its position in the increasingly competitive e-commerce space.
The company has pledged to keep customers updated and to resume online operations “as soon as possible” but has declined to provide a specific timeline. In the meantime, shoppers can continue to make purchases at its brick-and-mortar stores and via the mobile app, which is operating in a limited capacity.
The incident is a stark reminder of the vulnerabilities faced by businesses in an era where cyber attacks are becoming more frequent and more sophisticated. Industry observers expect this breach to prompt other major retailers to reassess their cybersecurity strategies and investments.
