How Did M&S’ Cyber Attack Cost £300m and Help Next?

A cyber attack that disrupts operations is costly enough. But in today’s retail environment, where consumer loyalty shifts fast and supply chains extend across multiple partners, the real damage often happens far beyond the firewall.

That’s certainly what the 2025 Marks & Spencer (M&S) cyber attack revealed, not just about cybersecurity, but about how a single breach transforms the competitive playing field.

Next, one of M&S’s main rivals, now expects pre-tax profits to exceed £1.1bn (US$1.4bn). For the fourth time this year, it has upgraded its forecast, stating that part of this success is due to “competitor disruption". 

The phrase is clear shorthand for the April cyber attack that left M&S unable to operate online, freezing click-and-collect services and delaying home deliveries for weeks.

Can a breach become a competitive advantage?

As M&S scrambles to restore its systems and customer confidence, Next is benefiting from a retail environment that moves fast and waits for no one.

From April to June, M&S was unable to fully deliver its fashion range to customers’ homes. The estimated loss stands at £300m (US$394m) in revenue.

In a crowded high street, consumer loyalty is fleeting, as retail analyst Kate Hardcastle told the BBC: “Some of the success this year has certainly come from Marks and Spencer’s very challenged times with its cyber attack.”

She adds that M&S was “on a huge fight back in terms of their apparel department". 

This shows how quickly a cyber incident turns into a business opportunity for others. Disruption to digital or operational infrastructure doesn’t stay internal; it travels through logistics, customer satisfaction, revenue pipelines and brand positioning.

Cybersecurity teams often calculate breach costs based on data loss or regulatory fines, but the M&S case shows that the bigger cost may lie in lost customers, diminished trust and the advantage handed to competitors.

Supply chains: Trusted, but not tested

The M&S breach highlights a broader fragility across supply chains in retail.

Cyber attacks no longer appear as rare or isolated events. Three in five retailers (63%) experience cyber crime, according to insurer NFU Mutual. One in six (16%) are targeted in the past year alone.

“Small businesses are increasingly reliant on digital tools, but often lack the resources to defend against cyber crime,” says James Trevis, Cyber Specialist at NFU Mutual. “This makes them prime targets.”

Despite this, more than one in seven businesses take no steps to address these risks.

The IO ‘State of Information Security Report’ shows that, while 97% of UK and US cyber leaders feel prepared for a breach, 61% experience a third-party or supply chain attack within 12 months. These attacks cause not only “temporary system outage or operational disruption” (33%) but also “customer or partner churn or loss of trust” (36%).

Chris Newton-Smith, CEO at IO, warns that many still underestimate how “complex and interdependent” supply chains have become.

He adds that confidence must translate into practical change “to avoid the domino effect across networks, impacting customer trust, finances and operations". 

The findings from another new study, The State of Supply Chain Security report, underline this confidence gap. Based on responses from 1,010 cybersecurity decision makers across eight global markets, the data reveals that 94% of businesses say they feel confident in their ability to respond to a supply chain attack.

That said, this confidence does not reflect action. While 92% trust their suppliers follow best practices, one third (34%) admit they are not regularly monitoring those suppliers or conducting risk assessments. Although 68% expect threats to become more severe in the next year, 21% of respondents believe that if a key supplier stopped operating for five days, they would not be affected.

Mike Maddison, CEO at NCC Group, adds: “Global supply chains are the engine of modern business, so it is critical that their security is a priority for leaders, especially when global ransomware levels are at a record high this year.

“These attacks have real-world consequences, delaying medical procedures, grounding flights, leaving shelves empty and putting the economy and jobs at risk.

“Time and time again, threat actors are profiteering from this overconfidence, using straightforward techniques to access virtually unguarded supply chain networks.”

UK businesses reflect this picture; while 41% feel confident in their ability to monitor supplier security, the second highest behind the US, 67% still express concern about their level of oversight. Globally, that concern averages 59.5%.

These numbers suggest a mismatch between perception and actual readiness.

Mike concludes: “Organisations are severely overestimating their operational resilience... This report is a clarion call for organisations and governments to wake up to the realities of supply chain vulnerability.”

Cyber risk now means competitive risk

The M&S-Next case shows that cyber risk is a strategic issue. The traditional model of assessing costs in regulatory or technical terms misses the larger picture. Losing customers, handing ground to rivals and falling behind in brand perception all matter more than a spreadsheet tally of affected files.

Next’s earnings upgrades reflect a fast-moving retail sector where one company’s delay becomes another’s opportunity. 

For retailers, that means understanding that trust and visibility matter just as much as firewalls and backup plans. The weakest link in a supply chain can trigger wide-reaching disruption – and the customers who leave during downtime may not return.