17 April 2025 is a date that M&S will remember forever, as it is the date it publicly reported that it was the victim of a sophisticated ransomware attack. This resulted in the serious compromise of customer data, including names, dates of birth, addresses, phone numbers, and purchase histories.
As of the middle of July 2025, the company has yet to fully recover from the cyberattack, as all aspects of its online business must be checked, verified, and rebuilt; what’s more, the company’s reputation and financial performance have taken a significant hit, and customer trust has been eroded.
Amid this backdrop of recovery, M&S chairman Archie Norman has called for a change to the law, which would require UK businesses to report major cyberattacks.
What has been the impact of the M&S ransomware attack?
It is anticipated that the attack has cost the company around £300m in profits. Worse than this, it has eroded public trust, which could affect its financial performance in the near future as it continues to rebuild and restore operations.
A class action lawsuit has been launched by a Scottish law firm seeking collective compensation for affected individuals. It is possible that a similar action from a London law firm, such as https://www.forsters.co.uk/, will follow, and it is interesting to note that an increased incidence of class action lawsuits in the UK was predicted last year.
Why M&S is calling for a change in the law
The M&S cyberattack was unexpected and the impact extraordinary; however, had other businesses reported attempted or successful cyberattacks in the preceding weeks or months, it is possible that the attack could have been averted, as lessons would have been learned, security protocols tightened, and changes implemented.
In an increasingly digitised world, cyberthreats will continue to evolve and become ever more sophisticated; therefore, it is everyone’s responsibility to understand the threat, adapt to it, and overcome it. Sharing information and rehearsing solutions is an effective strategy for mitigating the chances of such a significant event occurring again.