M&S Hit by Sophisticated Cyberattack via Third-Party Supplier, Disrupting Operations and Profits UK retailer Marks & Spencer (M&S) confirmed a cyberattack that exploited social engineering tactics through a compromised third-party supplier, tricking IT staff into altering passwords and authentication processes. The company declined to name the affected supplier. The breach forced M&S to suspend its online clothing business for over three weeks, disrupted food store stocking, and led to the theft of customer data. The attack wiped nearly £750 million off M&S’s market capitalization and is expected to reduce operating profits by £300 million this year. The retailer anticipates ongoing disruptions to online operations until July, with additional waste and logistics costs incurred. M&S CEO Stuart Machin attributed the incident to "human error" rather than IT system vulnerabilities, stating that the company’s cyber defenses were not at fault. He confirmed that no ransom was paid and described the attack as a "highly sophisticated and targeted" event. While the breach overshadowed strong annual results including a 22% rise in pre-tax profit to £875.5 million and a 6.1% increase in sales to nearly £14 billion reported pre-tax profits fell 24% to £511.8 million, partly due to a £248.5 million impairment on its Ocado Retail stake. M&S plans to accelerate its technology overhaul, compressing a two-year modernization timeline into six months. Despite the setback, Machin emphasized that the attack was a "bump in the road" and would not derail the company’s long-term transformation strategy. The retailer expects to offset some financial losses through insurance and cost management.