Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
The boss of Marks and Spencer faces a hit to his pay package of as much as £1.06mn after a sustained cyber attack knocked the UK retailer’s shares down by more than a tenth.
Stuart Machin, who was appointed chief executive in 2022, is expected to lose about £831,000 on a performance share plan and £233,000 on a deferred bonus awarded the same year and which vest in July. Both have been affected by the 14 per cent fall in M&S’s share price since it disclosed the hacking incident on April 22.
The share price drop has slashed the awards to £5.06mn and £1.42mn respectively, as of close of trading in London on Friday.
Machin is also nursing paper losses of about £1.4mn from his remaining shares held under long-term incentive plans and through deferred bonuses, which could bring his total potential hit to date to about £2.4mn.
The FTSE 100 group said on Tuesday that some personal customer data was stolen as part of the cyber attack that has left it unable to accept online orders for three weeks and led to empty shelves in some stores.
Machin’s pay for the year to March 31 should not be hit as the cyber attack happened after the company’s financial year ended and the retailer is expected to post strong annual results.
However, board members may exercise discretion in cutting bonuses in light of the cyber attack, according to two senior remuneration advisers. They added that this year’s bonus and long-term outcomes will probably take a hit after a challenging first quarter for M&S.
Thomas Bolger, senior stewardship analyst at Minerva-Manifest, which advises shareholders, said that “the remuneration committee should probably get ahead of the fallout by signalling that they will use their discretion” although “it’s too early to say if clawback is appropriate because further investigations will need to be done”.
“It is more likely we will see an announcement next year when they report on the financial year during which the cyber security attack took place,” he added.
M&S said that Machin’s remuneration was “always based on achievement of company objectives and financial performance” and “the majority of benefits are long term and their value will always reflect the share price”.
A person close to the executive said he is not driven by his pay package and his focus was to revive the retailer’s fortunes.
The chaos of recent weeks, however, threatens to disrupt his planned turnaround.
The company reports full-year results on Wednesday and is expected to update the market on the consequences of the hack.
Analysts forecast a 17 per cent increase in profit before tax to £840mn for the year to March 31. Yet “what probably would have been a strong start to [this year], will no doubt be overshadowed by the cyber attack over Easter”, said Kate Calvert at Investec.
M&S sales were up 14.7 per cent year-on-year in the 12 weeks to April 19, according to data from NielsenIQ, days before the company disclosed the breach.
Clive Black, a retail analyst at Shore Capital, said: “What is clear to us is that this has a severe impact on first-quarter performance — hundreds of millions of pounds — and by definition a notable impact for the full year outcome for 2026.”
M&S may have lost revenues to date totalling more than £75mn, based on extrapolation of its average daily online sales, and losses could climb to about £125mn if online operations are not restarted by the end of the month, analysts said.
The attack on its systems also left M&S struggling to keep shelves stocked in some food stores, with Black estimating that roughly every 10 per cent reduction in availability results in about £15mn of lost sales per week.
“There are some people who will just not have gone to M&S because they think the availability is not there,” he added. “The glorious weather of the last seven weeks will mean that M&S will be very frustrated about the last month.”
Beyond lost sales, labour costs are likely to have shot up too as some systems were turned off and the retailer had to draft in advisers to help it restore its operations.
M&S could claim for losses of as much as £100mn from its cyber insurers, the Financial Times reported this week, bringing some relief, although some analysts do not expect this to alleviate all the pain.
Calvert said that while the management team has rightly been focusing on keeping the business running, the City will be keen to understand next week the impact on the wider transformation of the business.
Analysts at Morgan Stanley echoed those views, saying in a note this week that “the biggest risk would be if the disruption slows down the pace of M&S’s midterm transformation”.
A key part of the next phase of M&S’s turnaround, after it successfully modernised its ranges and stores and exited sites that were not lucrative, is predicated on improving back-end operations such as more automation across its distributions centres and a better shopping app — areas that have been disrupted.
Shore Capital’s Black said: “They’ve gone from a highly automated and indeed self-improving operating platform to a manual one.”
Despite this he believes M&S’s performance in the 2024-2025 financial year should be the benchmark for future results rather than the current year, blighted by its dealings with cyber criminals.
“They had an absolutely fantastic year with market share gains in food and clothing before the attack . . . healthy margins, full-price sales, very strong cash generation.”