M&S just told us exactly what a cyber incident cost a UK business. Are you ready for yours?
Yesterday, Marks & Spencer published its full-year results. Profits down 23.8%. Fashion and home revenue down 7.7%. £131 million in direct costs attributed to a single cyber incident. And all of it traceable back to a third-party IT supplier whose credentials were stolen through social engineering.
We now have, in black and white, audited and reported to shareholders, exactly what a serious cyber incident looks like on a balance sheet. Not a hypothetical. Not an industry estimate. Real numbers from a real organisation that most people in this country have walked into this week.
So let’s talk about what those numbers actually mean — and what they mean for every organisation that isn’t M&S.
The numbers behind the headlines
The attack happened over Easter weekend 2025. By the time M&S had contained it, the damage was substantial:
- Online sales suspended for approximately seven weeks
- Click and collect offline for nearly four weeks
- Logistics systems disrupted, leading to empty shelves and manual workarounds
- Fashion, home and beauty division operating profit fell from £478m to £213m
- £131.3m in direct costs attributed to the incident
- Group adjusted profit before tax down from £881m to £671m
The cyber insurance covered around £100m of that, which will be welcome news for M&S shareholders. But here’s what the insurance didn’t cover: the customers who switched to Next and didn’t come back. Next raised its profit guidance four times during that period, explicitly citing ‘competitor disruption’ as a factor. The market share that shifted during those seven weeks of downtime isn’t on any balance sheet — but it’s real, and it compounds.
That’s the part of incident cost that most organisations never model.
It didn’t start with M&S
This is the detail that should keep every risk and resilience professional awake. The attack didn’t originate within M&S systems. It came in through a third-party IT service provider. Someone working for that supplier had their credentials stolen via social engineering — almost certainly a help-desk impersonation or MFA fatigue attack, the kind that the Scattered Spider group has used repeatedly.
From there, the attackers moved laterally through M&S’s systems over a period of weeks before deploying ransomware against its virtualised infrastructure. By the time M&S’s own teams identified what was happening, the attackers had been inside long enough to do serious damage.
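The entry route described above leaves a recognisable trace in identity-provider logs: a run of MFA push prompts that the user rejects or ignores, followed by one that is approved. The following is an added example, not code from M&S, its supplier or Bridewell, showing how a defender might flag that pattern. The log format (`timestamp user event source_ip`), the event names, and the ten-minute window and three-prompt threshold are assumptions chosen for illustration, and the log lines are constructed.

```python
"""
Added example (not M&S's, its supplier's or Bridewell's code): flag the
"MFA fatigue" pattern in identity-provider push logs. Log format, event
names and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "timestamp user event source_ip" format.
SAMPLE_LOG = """\
2025-04-18T02:10:05Z alice mfa_push_sent 198.51.100.7
2025-04-18T02:10:40Z alice mfa_push_denied 198.51.100.7
2025-04-18T02:11:12Z alice mfa_push_sent 198.51.100.7
2025-04-18T02:11:45Z alice mfa_push_denied 198.51.100.7
2025-04-18T02:12:20Z alice mfa_push_sent 198.51.100.7
2025-04-18T02:12:55Z alice mfa_push_timeout 198.51.100.7
2025-04-18T02:13:30Z alice mfa_push_sent 198.51.100.7
2025-04-18T02:14:01Z alice mfa_push_approved 198.51.100.7
2025-04-18T09:00:00Z bob mfa_push_sent 203.0.113.5
2025-04-18T09:00:20Z bob mfa_push_approved 203.0.113.5
2025-04-18T13:00:10Z carol mfa_push_denied 192.0.2.9
2025-04-18T13:01:10Z carol mfa_push_denied 192.0.2.9
2025-04-18T13:02:10Z carol mfa_push_denied 192.0.2.9
"""

WINDOW = timedelta(minutes=10)   # assumed: how far back rejected prompts count
THRESHOLD = 3                    # assumed: rejected/unanswered prompts before alerting
REJECTED = ("mfa_push_denied", "mfa_push_timeout")


def parse_log(text):
    """Parse the assumed four-field log format into (timestamp, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    events.sort()  # make the per-user sliding window robust to out-of-order input
    return events


def detect_mfa_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return a list of findings, one per user episode.

    high:   an approval arrived after >= threshold rejected/unanswered prompts
            inside the window (a prompt the user finally accepted).
    medium: >= threshold rejected/unanswered prompts with no approval yet
            (an attempt still in progress or abandoned).
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    findings = []
    for user, evs in by_user.items():
        rejections = []  # timestamps of rejected/unanswered prompts in the window
        for ts, _, event, ip in evs:
            rejections = [r for r in rejections if ts - r <= window]
            if event in REJECTED:
                rejections.append(ts)
            elif event == "mfa_push_approved" and len(rejections) >= threshold:
                findings.append({
                    "user": user, "at": ts, "source_ip": ip,
                    "rejections": len(rejections), "severity": "high",
                    "reason": "approval after repeated rejected prompts",
                })
                rejections = []
        if len(rejections) >= threshold:
            findings.append({
                "user": user, "at": rejections[-1], "source_ip": evs[-1][3],
                "rejections": len(rejections), "severity": "medium",
                "reason": "repeated rejected prompts without approval",
            })
    return findings


if __name__ == "__main__":
    for f in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(f"{f['severity']:6} {f['user']:6} {f['at']:%H:%M:%S} "
              f"{f['source_ip']:15} {f['rejections']} prompts: {f['reason']}")
```

On the constructed input, `alice` produces a high-severity finding (three rejected prompts, then an approval from the same source address) and `carol` a medium one, while `bob`'s single prompt-and-approve is ignored. In practice the high-severity case is the one to treat as a probable account compromise: the approving session should be checked and revoked, and the source address compared with the user's normal locations, which is why the finding carries both.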
This is not a new attack pattern. It is, in fact, one of the most well-documented entry routes in modern cyber incidents. And it’s one that organisations consistently underestimate, because it sits in the gap between what your own security controls cover and what your suppliers’ controls cover.
Bridewell’s CNI research published earlier this year found that 61% of organisations experienced a third-party or supply chain attack in the past 12 months. The same research showed that only a third of organisations are regularly monitoring their suppliers or conducting risk assessments. Those two facts sitting side by side tell you almost everything you need to know about where the next major incident is going to come from.
The gap between plans and practice
I’ve spent the better part of two decades helping organisations build business continuity and crisis management capability. One pattern I see consistently is that organisations invest in planning and then massively underinvest in testing whether the plan actually works.
M&S is a large, well-resourced organisation with professional management and sophisticated systems. And yet when the incident hit, it was reverting to manual pen-and-paper processes to track fresh food and clothing stock. That tells you that either its continuity procedures for a digital outage of that scale weren’t sufficiently developed, or they weren’t sufficiently embedded — or both.
Bridewell’s report put this plainly: incident response in critical sectors is often better defined on paper than proven in practice. The gap between having a plan and being able to execute it under pressure is where organisations lose weeks of recovery time.
Seven weeks offline is not just a cybersecurity failure. It is a resilience failure. And resilience failures are almost always visible in hindsight as a combination of factors: inadequate supplier oversight, untested recovery procedures, and decision-making structures that weren’t ready for the speed and scale of a real incident.
What a cyber incident costs your business – and what ‘ready’ actually looks like
I’m not going to suggest that every organisation needs M&S-scale investment in cyber infrastructure. But I will say that the questions the M&S results raise are questions every board should be asking right now, regardless of sector or size.
- Do you know what third parties have access to your systems — and what controls they have in place? Not what they tell you in a questionnaire. What you can actually verify.
- Have your cyber incident response procedures been tested against a realistic scenario in the last 12 months? Not a desktop discussion about what you’d do in theory — an actual exercise that puts your decision-makers under pressure and identifies the gaps.
- Does your business impact analysis reflect what would actually happen if your digital infrastructure went offline for days or weeks? Not months ago when the world looked different — now, with your current systems and dependencies.
- Do you have a clear communications strategy for the first 24 hours of a major incident — one that covers customers, staff, regulators, and the media — that doesn’t depend on the same digital systems that are offline?
These aren’t exotic questions. They’re the fundamentals of operational resilience, and they’re the things that M&S’s experience shows can make the difference between a serious incident and a catastrophic one.
Anyone who’s worked in risk management for any length of time knows that serious incidents rarely stay in their lane. A cyber attack becomes a supply chain failure becomes a reputational crisis becomes a regulatory investigation. That’s exactly what the M&S timeline shows — and the £131m headline figure is just the part that fits neatly on a spreadsheet. The real cost is considerably harder to quantify.
One more number worth sitting with
Here’s a final figure to consider: only six in ten large UK firms carry cyber insurance that covers third-party legal claims. If the source of your incident is a supplier, and customers or regulators come after you, that gap in cover matters considerably.
M&S will recover. It has the scale, the brand equity, and the financial foundations to do so. Stuart Machin said as much yesterday. But not every organisation that faces a comparable incident will be able to say the same. The honest question to sit with this week isn’t whether something like this could happen to you. It almost certainly could. The question is what it would cost, and whether you’d still be standing at the end of it.
If you’d like to talk through how your organisation would hold up — whether that’s a supplier risk review, a cyber incident tabletop exercise, or a hard look at your crisis communications framework — get in touch. That’s exactly what we’re here for.