What: M&S faces potential £100mn cyber insurance claim following major data breach that has paralysed online operations and impacted store inventory management

Why it is important: This unprecedented insurance claim highlights the escalating financial impact of cyber attacks in retail, forcing the industry to reassess security investments and risk management strategies.

Marks & Spencer is grappling with a severe cyber attack that could lead to insurance claims of up to £100mn, marking one of the largest such payouts in UK retail history. The breach has compromised customer data, including contact details, birth dates, and online order histories, though payment information remains secure. The attack's impact extends beyond digital channels, disrupting online orders for almost three weeks and affecting stock availability in food stores. The financial implications are substantial, with lost revenues potentially exceeding £60mn and a 16% drop in share price wiping £1.3bn off the company's market value. Allianz, as the primary insurer, is expected to cover the initial £10mn, with specialist insurer Beazley also exposed to losses. The incident has broader implications for the retail sector, potentially doubling M&S's annual insurance premium of £5mn upon renewal unless significant security improvements are demonstrated.

IADS Notes: The M&S cyber attack in April 2025 marks a critical escalation in retail cybersecurity threats, with the Scattered Spider group disrupting £3.5mn in daily digital sales. This incident triggered a chain reaction, as both Harrods and Co-op suffered similar attacks by May 2025, with Co-op's breach exposing data of up to 20 million customers. The wave of attacks has transformed the cyber insurance landscape, driving a 10% increase in premiums across the UK retail sector, reversing the previous trend of declining rates. These developments reflect broader industry vulnerabilities, as ransomware now accounts for 30% of retail security incidents, with average losses reaching £1.4mn per attack.

M&S cyber insurance payout to be worth up to GBP 100mn