The Point: Ransomware attack costs Marks & Spencer £131.3 million directly and reduces profit by £210 million, prompting the remuneration committee to strip the CEO’s annual bonus.
The Scattered Spider group’s cyberattack on Marks & Spencer in April 2025 resulted in direct costs of £131.3 million. Chief Executive Stuart Machin therefore receives no annual bonus for 2025/26 — a rare sign of accountability at C-level.
Marks & Spencer suffered a massive cyberattack by the Scattered Spider ransomware group in April 2025. The attack severely disrupted the online business: the webshop and smartphone app were completely shut down. E-commerce operations were not fully restored until 12 August 2025 — four months after the attack. In physical stores, system outages caused logistics problems and inventory gaps.
The financial impact is substantial: direct costs for response, recovery, and system remediation amounted to £131.3 million (approximately US$174.5 million). The group’s annual profit fell from £881.1 million in the prior year to £671.4 million — a decline of around £210 million. The remuneration committee concluded that a bonus payment for fiscal year 2025/26 could not be justified.
Stuart Machin, Chief Executive, received total remuneration of £3.968 million for fiscal year 2025/26 without bonus — in the prior year it totalled £7.047 million including a bonus of £1.635 million. While the committee acknowledged the commitment of staff and management during the crisis, it declined to make an additional payment. The rationale was that, given the financial losses and the experience of shareholders, a bonus payment would not be appropriate.
The incident shows how security gaps can have consequences at board level and for corporate governance. Scattered Spider ranks among the most active ransomware extortion groups and has repeatedly targeted major retail companies in the past. The conclusion relevant for CISOs: large-scale operational outages such as a four-month-long e-commerce downtime directly impact management compensation — a leverage point that can strengthen board-level support for cybersecurity budgets and incident response.
Source: www.it-daily.net · Published 5 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.2.