M&S Cyber Attack Boosts Profits of Rival Retailer Next

The cybersecurity world has long measured risk through familiar metrics: regulatory fines, incident containment costs and stolen data volumes.

The 2025 M&S cyberattack, however, is forcing a reckoning with a more insidious variable – competitor capitalisation.

Rival retailer Next has lifted its annual profit forecast for the fourth time, projecting pre-tax earnings above £1.1bn (US$1.4bn) and directly attributing the uplift to “competitor disruption”.

That phrase masks the fallout from the April 2025 breach that paralysed M&S operations, freezing digital orders and shutting down click-and-collect services. 

It wasn't until June that M&S restored home delivery across its fashion range – by which point the retailer had already forfeited roughly US$400 million in sales.

In retail, two months can feel like a lifetime.

Customers rarely stay loyal when convenience falters – they move on.

Consumer analyst Kate Hardcastle told the BBC that as M&S grappled with its operational crisis, Next “picked up the benefit” of shoppers forced to look elsewhere.

“Some of the success this year has certainly come from Marks and Spencer's very challenged times with its cyber attack,” she said. “They were on a huge fight back in terms of their apparel department.”

M&S cyber attack: A systemic vulnerability

The M&S breach stands as a stark reminder of the retail sector’s systemic exposure.

Fresh data from commercial insurer NFU Mutual shows that nearly three in five retailers – 63% – have already faced a cyberattack.

The threat shows no sign of easing, with 16% reporting incidents in just the past year.

Despite the magnitude of the M&S cyberattack, the issue extends far beyond large corporations.

NFU’s data indicates that one in three small businesses has fallen victim to cybercrime.

Yet, a clear divide remains between understanding the risk and acting on it.

While 17% of firms list cyberattacks among their top concerns, more than one in seven confess to having taken no concrete measures to defend against them.

“Small businesses are increasingly reliant on digital tools, but often lack the resources to defend against cyber crime,” warns James Trevis, Cyber Specialist at NFU Mutual. “This makes them prime targets.”

The latest State of Information Security Report from IO exposes a widening “confidence gap” in cybersecurity.

Although 97% of UK and US security leaders say they trust their breach response capabilities, 61% still experienced a third-party or supply chain attack in the past year.

The M&S incident underscores the cost of that misplaced confidence.

According to the IO report, fallout from such breaches commonly includes “temporary system outages or operational disruption” (33%) and “customer or partner churn and loss of trust” (36%).

This is where the true risk lies.

“Cybersecurity leaders clearly recognise the importance of supply chain security, but many still underestimate how complex and interdependent modern supply networks have become,” says Chris Newton-Smith, CEO of IO, formerly ISMS.online.

This confidence, he adds, “needs to be matched by continuous action to avoid the domino effect across networks, impacting customer trust, finances and operations.".

The new cyber risk model

The M&S–Next dynamic should prompt a fundamental rethink of how organisations assess the true cost of a cyberattack.

That calculation must now account for the lasting transfer of market share to competitors, the expense of winning back customers who have settled into rival ecosystems and the enduring revenue shortfall created by those gains.

The defining lesson of 2025 is that cybersecurity vulnerability is no longer a theoretical risk but a strategic blind spot.

The IO report’s revelation that 97% of leaders are “very confident” in their breach response, even as 61% suffered supply chain attacks, highlights this confidence gap as a critical threat.

It is the divide between perception and reality that enables competitors to exploit a rival’s moment of weakness.

As James says: “Action on cyber risk is not a luxury; it’s essential for protection.”

“To close the confidence gap, leaders must focus on people and process,” concludes IO’s Chris Newton-Smith, “putting strategies in place to ensure compliance and build a culture of security and resilience across the chain to avoid any weak links.”