M&S Cyberattack: Next’s Profits Expose the Real Breach Cost

Retailer M&S was hit with a major cyberattack earlier in 2025
As retailer Next reports increased profits after the M&S cyberattack, the biggest risk isn’t the breach itself but losing ground to your competition

The cybersecurity industry is hard-wired to calculate risk in terms of fines, remediation costs, and data loss. The 2025 M&S cyber attack, however, is providing a brutal, real-world lesson in a far more dangerous metric: competitor capitalisation.

Rival retailer Next has raised its full-year profit guidance for the fourth time, now expecting pre-tax profits to top £1.1bn and explicitly acknowledging a boost from “competitor disruption”.

This “disruption” is the boardroom-friendly term for the April 2025 attack that crippled M&S, suspending online orders and halting click-and-collect. It wasn’t until June, more than two months later, that M&S had its fashion products fully available for home delivery again – but not before losing an estimated US$400m in revenue.

In retail, two months is an eternity. Customers do not wait, they migrate. Consumer expert Kate Hardcastle, speaking to the BBC, confirmed this, noting that as M&S struggled, Next “picked up the benefit” of displaced shoppers.

“Some of the success this year has certainly come from Marks and Spencer's very challenged times with its cyber attack,” she told BBC Breakfast. “They were on a huge fight back in terms of their apparel department.”

M&S cyber attack: A systemic vulnerability

The M&S incident is a high-profile example of a systemic vulnerability. New research from commercial insurer NFU Mutual reveals that an alarming three in every five retailers (63%) have been hit by cyber crime. The problem is both widespread and persistent, with 16% of retailers targeted in the last 12 months alone.

Despite the scale of the M&S cyberattack, this isn’t just a “big business” problem. NFU’s data shows one in three small businesses have experienced cyber crime. Yet a critical gap exists between awareness and action. Despite 17% of businesses citing cyber attacks as one of their biggest threats, more than one in seven admitted to taking no specific steps to protect themselves.

“Small businesses are increasingly reliant on digital tools, but often lack the resources to defend against cyber crime,” warns James Trevis, Cyber Specialist at NFU Mutual. “This makes them prime targets.”

The latest ‘State of Information Security Report’ from IO, meanwhile, reveals a dangerous “confidence gap” when it comes to cybersecurity. While 97% of UK and US cybersecurity leaders are confident in their breach response, a staggering 61% suffered a third-party or supply chain attack in the past year.

The M&S attack highlights the consequences of this confidence gap, which the IO report found included “temporary system outage or operational disruption” (33%) and “customer or partner churn or loss of trust” (36%).

This is where the true risk lies. “Cybersecurity leaders clearly recognise the importance of supply chain security, but many still underestimate how complex and interdependent modern supply networks have become,” said Chris Newton-Smith, CEO of IO, formerly ISMS.online. This confidence, he adds, “needs to be matched by continuous action to avoid the domino effect across networks, impacting customer trust, finances and operations.”

The new cyber risk model

The M&S-Next dynamic must force a re-evaluation of how businesses calculate the cost of a cyber attack. The new calculation must include the permanent transfer of market share to rivals, the cost of re-acquiring customers who have now been institutionalised into a competitor’s ecosystem and the long-term revenue deficit represented by a rival’s windfall.

The lesson from 2025 is that this vulnerability isn’t just an abstract risk but a strategic blind spot. The IO report’s finding that 97% of leaders are “very confident” in their breach response, while 61% were breached by their supply chain, exposes this confidence gap as the single greatest threat. It is this disconnect between perception and reality that creates the opportunity for a competitor to capitalise on a rival’s downtime.

As NFU Mutual’s James Trevis puts it: “Action on cyber risk is not a luxury; it’s essential for protection.”

“To close the confidence gap, leaders must focus on people and process,” concludes IO’s Chris Newton-Smith, “putting strategies in place to ensure compliance and build a culture of security and resilience across the chain to avoid any weak links.”
