Just a few months ago, M&S may well have been gearing itself up for a victory lap as it rounded out an exceptionally strong financial year, building momentum on its impressive turnaround plan.

It’s been a year of a number of milestones for the business – from the long-fought for approval to redevelop its Marble Arch flagship, to its convenience store expansion plan and debut of a new fashion-focused store format.

Instead, CEO Stuart Machin candidly spoke of the “most challenging period” of his career as the retailer forecast that the ongoing impact of a cyber attack which began in April would result in a £300m hit to its current full-year profits.

For M&S, this figure has cast a long shadow over what would have otherwise been a celebratory set of full-year results, and one that may be hard to shrug off.

M&S posted an otherwise upbeat set of full-year results, with strong numbers: food sales surged, clothing held up in a tough market, and Machin is adamant that the retailer’s balance sheet is “stronger than ever”.

But despite these positives, the retailer’s post-trading update was dominated by one thing: the aftermath of a major cyber incident.

A strong year overshadowed

On paper, M&S has every reason to be upbeat. For the full 52 weeks up to 30 March, the group reported an adjusted profit before tax of £716.4m, up 58% year on year.

Group sales rose 9.3% to £13bn, bolstered by double-digit growth of 13% to £8.2bn across it food division as core grocery lines resonated with cost-conscious but quality-focused consumers.

Clothing outperformed a sluggish apparel market with a 5.3% rise in sales to £3.7bn and the heritage high street retailer’s repositioning as a more modern, digitally-enable retailer has, until recently, played well with investors and shoppers alike.

Marks and Spencer (M&S) Food has seen success in the past year, with sales up year-on-year

M&S has been steadily winning over middle-class shoppers, with figures long predicting it was due to replace Waitrose as middle-England’s grocer of choice.

In November 2024, M&S held a 4.03% share of the grocery market, up from 3.76% the previous year, while Waitrose’s share slipped to 3.91% from 4.02% . This growth was attributed to M&S’s focus on quality, value, and innovation in its food offerings, including produce, meat, and dairy.

But those strengths risk being eclipsed by the cyber attack that has caused chaos across Marks & Spencer’s operations, and knocked the steam out of its turnaround plans. Trading was disrupted in stores and is still suspended online, supplier payments delayed, and most critically, customers’ personal information stolen.

Big cyber team, but even bigger questions

The timing of the cyber incident, which occurred during the first quarter of its current financial year, has raised questions about both prevention and recovery efforts.

Machin confirms that prior to the attack, M&S had increased cyber security investment by 75% and that its team was now “bigger than ever” and up by “four-fold”.

There is no denying that cyber breaches are becoming more common and sophisticated across retail – indeed, in the time since Marks & Spencer’s cyber breach, subsequent attacks were made on Co-op and Harrods. But questions remain as to why the outage has dragged on for so long, despite the company’s heightened investment and resource in cyber-security.

As one journalist on the retailer’s media call noted: “If the impact is purely internal, why were so many core systems taken offline? And if your cybersecurity capabilities are better than ever, why wasn’t the issue resolved faster?”

This uncertainty has drawn comparisons to grocery rival Co-op, which contained its recent cyber attack within a much shorter timeframe.

Online operations and some supply chain systems were affected, though Machin insists the consumer-facing impact was “minimal”. He adds that “some systems will take longer than others to restore”, with disruptions expected to continue until as late as July, but declines to commit to a clear timeline for the full recovery, stating it could take “a week or 10 weeks”.

Impact on consumer trust

When asked about the impact on consumer sentiment and trust, M&S provided limited detail.

Machin thanks shoppers for some of the praise the retailer received for “transparency” over its frequent updates at the beginning of the cyber incident. The business also has not reported any significant change in customer behaviour and did not indicate any immediate plans to run reassurance campaigns or specific trust-building initiatives.

But the long-term impact on consumer trust in M&S’s brand remains to be seen – particularly in regards to its ecommerce division, which is still offline.

During a post-trading media call, Machin insisted “business is better than ever”

Now, alongside its efforts to move forward, M&S is also facing legal pressure. A class action lawsuit has been launched against the retailer over the recent cyber attack, with legal firm Barings Law confirming it has begun proceedings on behalf of affected customers whose personal information including addresses, dates of birth and online order histories were stolen.

The case argues that M&S failed to properly protect customer data and seeks compensation for the disruption and distress caused. While the company says it is cooperating fully and remains focused on rebuilding trust, the lawsuit adds another challenge at a time when M&S is already under scrutiny for how the breach was handled and how long it has taken to fully restore services.

It seems uncertainty has also hit investors. While shares fell slightly in early trading following the results announcement, they recovered later in the day and are broadly flat year-on-year. Market analysts noted that while the strong operating performance should drive positive sentiment, uncertainty around the cyber incident remains a challenge.

Steamrolling transformation

Looking ahead, M&S says the cyber attack has actually given it a chance to speed up big changes to its tech and systems.

Machin is adamant there would be no redundancies or job losses, either linked to the cyber attack or to shore up costs following the hit to profits. He also emphasises that the balance sheet is “stronger than ever,” and says the business is now aiming to steamroll through two years’ worth of IT transformation in just six months.

This will include modernising its systems, improving online services, and making its operations more secure. M&S is also continuing with its store renewal programme and supply chain improvements, while keeping a close eye on costs.

The message from Machin was clear: this incident has been disruptive, but it’s also been a wake-up call, and the business is “more determined than ever” to come out the other side faster, leaner and better prepared.

Machin said the retailer intended to steamroll two years worth of transformations and modernisations, in six months

So can M&S bounce back – and crucially, can it do so quickly?

The numbers suggest they are in a good position to do so. Food sales are flying, clothing and home is holding its own in a tough market, and the balance sheet is solid. M&S has made it clear the cyber attack won’t slow down its wider transformation plans – in fact its using the incident to speed them up.

But, that does not mean the business is out of the woods just yet. There are still real questions around how long systems will be disrupted, how the retailer plants to restore consumer confidence, and why the issue wasn’t dealt with faster, despite more staff and biggest investment into cyber security.

If M&S delivers on its promises, such as completing two years’ worth of tech work in six months and keeping momentum in food, then yes, it could come out of this stronger. But right now, that remains a big “if”.