M&S boss pay reaches £7 million despite cyber attack disruption
- Sophie Brown

- Aug 16
- 2 min read
Marks & Spencer chief executive Stuart Machin received a total compensation package of £7 million for the year ending March 2025, a 39% increase on the previous year, despite a devastating cyber attack that knocked out the retailer's online operations for six weeks.

The substantial pay rise, driven primarily by performance-related share awards worth £4.5 million, came before the April cyber incident that is expected to cost the retailer up to £300 million in lost sales and operational disruption. Machin’s base salary increased modestly to £843,000, with bonuses totalling £1.6 million.
The cyber attack, attributed to the ransomware group DragonForce working with Scattered Spider, crippled M&S’s digital operations during crucial trading periods. The breach began through a sophisticated impersonation campaign targeting a third-party provider, allowing hackers to gain access and deploy ransomware across customer-facing platforms and internal systems.
M&S chairman Archie Norman acknowledged that the company could have done more to prevent the attack, which affected online shopping, click-and-collect services, contactless payments, and stock management systems. The retailer had doubled its cyber insurance coverage the previous year, employs an 80-strong cybersecurity team, and has invested millions in security infrastructure.
The company’s remuneration committee stated that it had considered the cyber incident when determining performance-linked pay but concluded that no adjustments were necessary for the current year. However, it indicated that the attack’s financial impact would be “revisited” when assessing next year’s compensation packages.
Recovery efforts have progressed gradually, with approximately 50% of online operations restored by July. Management expects full operational capability to return by August, though some services including next-day delivery and comprehensive click-and-collect remain suspended. The incident has been used as an opportunity to accelerate digital transformation plans.
The attack highlighted broader vulnerabilities in corporate cybersecurity infrastructure, with Norman calling for mandatory reporting of cyber incidents across all businesses. He revealed that two other large British companies had experienced unreported attacks in recent months, keeping customers uninformed about potential data breaches.
The hackers sent abusive ransom demands directly to senior executives, bragging about their attack and claiming to have stolen data from millions of customers. The email, written in broken English and containing racist language, confirmed for the first time that M&S had been targeted by the DragonForce group.
The incident represents one of the most severe cyber attacks on a major UK retailer this decade, demonstrating how even well-prepared companies with significant security investments remain vulnerable to sophisticated social engineering tactics.