Online shopping at Marks & Spencer is expected to be back to normal within four weeks, the retailer's chief executive has said.
Although M&S restarted internet orders last month, half of its online operations – including click and collect and some product availability – are still down, Stuart Machin told the company's annual general meeting (AGM).
Machin said online shopping should be "fully on" within four weeks as it continues to recover from a cyber attack.
Subscribe to MoneyWeek
Subscribe to MoneyWeek today and get your first six magazine issues absolutely FREE
Get 6 issues free
Sign up to Money Morning
Don't miss the latest investment and personal finances news, market analysis, plus money-saving tips with our free twice-daily newsletter
Don't miss the latest investment and personal finances news, market analysis, plus money-saving tips with our free twice-daily newsletter
The hack in April disrupted online shopping and left some shelves bare in stores. It affected sales for about six weeks, while the hackers also stole some customer data.
M&S’ annual results project a £300 million hit to its profits in the 2025/26 financial year as a result of the attack. This will only partly be covered by any insurance payout.
The retailer hopes that by August "we will have the vast majority of this behind us,” Machin said.
Although online orders have restarted in England, Scotland and Wales – mainly focusing on fashion, and some home and beauty products – customers in Ireland and Northern Ireland are still waiting for the service to resume.
M&S had previously said services would continue to be disrupted during June and July.
The retailer sent out e-gift cards last week to customers who had online orders cancelled or delayed.
What happened in the M&S cyber attack?
M&S's problems began over the Easter weekend, with customers unable to use contactless payments, gift cards or scan their M&S Sparks loyalty card. The company confirmed it was dealing with a "cyber incident" and although those services have resumed, on 25 April, it stopped taking online orders.
The high-street giant later revealed that some customer data, including contact details and dates of birth, was also stolen during the hack.
M&S said the personal information taken could include online order histories, but no usable payment or card details, or account passwords, were stolen.
Martyn James, a consumer expert, said the disruption showed “just how dangerous cyberattacks can be,” and that the empty shelves and suspension of online orders would be hugely damaging to M&S’s profits.
Bank of America estimated that M&S was losing £40 million in sales every week since the attack knocked out its online orders.
What customer data has been taken and what should I do?
M&S has written to all customers that it has email addresses for, informing them that some personal data has been taken.
This could include their name, date of birth, telephone number, home address, household information, email address and online order history.
M&S said in an update on 13 May: “Importantly, there is no evidence that this data has been shared and it does not include useable card or payment details, or account passwords, so there is no need for customers to take any action.”
However, it added that for “extra peace of mind”, customers will be prompted to reset their password the next time they visit or log onto their M&S.com account on the website or app.
Jayne Wall, operations director at M&S, said in an email to customers: “You might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious.
“Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.”
Should you invest in M&S?
The cyberattack made a big dent in M&S’s share price. Between 23 April and their trough on 13 May, the shares fell 14.9%.
However, they have since staged a steady recovery as the business has responded to the attack’s impacts. The timely resumption of online orders appears to have boosted optimism around M&S still further.
According to Susannah Streeter, head of money and markets at Hargreaves Lansdown, the share price lifted slightly yesterday (1 July), when the M&S boss said it would be “fully online” in four weeks. However, they remain about 13% lower since before the attack.
She says the retailer should “hit August firing on all cylinders once again”, adding: “Management have previously estimated that it could cost as much as £300 million in lost sales and operational disruption, although it’s likely this will be mitigated by insurance claims and cost efficiencies made elsewhere.
“While services have been suspended the company is believed to have used the opportunity to speed up part of its digital transformation plan, as well as ensuring that its IT systems are robust enough to withstand a future attack.”
Streeter says there are “early signs that there is pent-up demand, particularly for M&S’s summer styles, with many of the popular products sold out online” and that “demand for M&S food remains robust, with increased volumes driving growth”.
Richard Hunter, head of markets at Interactive Investor, tells MoneyWeek that “not only will M&S need to reassure investors that corrective actions have been taken, but also that they will have a stronger line of defence to prevent [another cyberattack] happening again”.
Hunter adds that there is plenty to be cheerful about with the retailer: “M&S has come strongly back into fashion with investors and customers alike, and its transformation builds on what was already its jewel in the crown, namely its food business.
"Further tweaks to its store rotation programme, more investment into smaller ranges such as home and beauty, while targeting an improvement to its online offering and a reset of its international business have all been signs of a business which has not been resting on its laurels.”
Who was responsible for the M&S cyberattack?
On 6 June, the BBC reported that M&S CEO Stuart Machin was sent a ransom note directly from the hacker group DragonForce, using an employee email account.
Using graphic and violent language, the note informed Machin that M&S’s servers had been encrypted and invited him to visit the group’s darknet website, saying “the dragon wants to speak to you”.
The attack was a ‘ransomware’ attack, a type of malicious software used to scramble data or files after gaining access to a business's computer systems. Hackers often threaten to leak or sell the data to pressure a company to pay a ransom.
DragonForce has also claimed to be behind an attack on the Co-Op (where it says it stole huge amounts of customer and employee data) and an attempted hack of Harrods.
High earners’ four money pain points – and the one simple way to beat them
Thousands of Brits switch to Nationwide, Monzo and HSBC – which banks are least popular?
