M&S chief technology officer (CTO) Josie Smith is stepping down 18 months after joining the company and nine months after the cyber-attack that wiped out more than half the company’s profit in 2025.
Sky reports the news was disclosed in an internal memo to M&S staff. Smith’s departure comes four months after Rachel Higham, M&S’s chief digital and technology officer, also left the business. No reason for their departures has been formally disclosed, but their decision to leave soon after such a traumatic event shows the stress retailers and their security teams face as they navigate an increasingly challenging and hostile cyber landscape.
What happened to M&S?
The ransomware attack in April by a group of hackers known as Scattered Spider wiped around £229 million from M&S’s profits, despite a £100 million insurance payout. The attack caused significant disruption and exposed customer data. Online orders were suspended for six weeks, and automated stock and logistics systems shut down. Stores had to revert to manual processes, leaving shelves bare. Fashion, Home & Beauty were particularly affected, plunging 16.4% in the six months leading to 27 September 2025.
Nine months after the attack, the ramifications are still being felt. In its January financial report, despite a successful Christmas with group sales up 24.2% to almost £5 billion, M&S reported a fall in like-for-like clothing sales, which it blamed on “the long tail” effects of the cyber-attack.
More cyber attacks on retailers expected
M&S was not alone in being targeted by cybercriminals. Harrods, Co-op and Jaguar Land Rover also experienced significant disruption after cyber-attacks last year. Seventy-one percent of UK businesses paid a ransom to cybercriminals last year, according to research by security experts Cohesity. Yet, Cohesity’s research found that nearly half of British firms still believe their cybersecurity is watertight.
“Most organisations are still misjudging the true material impact of cyberattacks; from recovery costs and the effect on earnings and stock price to legal, regulatory, and compliance consequences,” said Fraser Hutchison, VP Northern Europe at Cohesity. “Even large, well-known brands fall victim to attacks with state-of-the-art technology for threat detection and prevention in place.”
With the average UK ransom estimated at £1,051,000, according to Cohesity’s data, British retailers cannot afford to be complacent. It is no longer a case of ‘if’ cybercriminals might strike, but ‘when.’ Cybersecurity projections for 2026 point to an increase in attacks on retailers by hackers, driven by AI-powered automation and supply chain vulnerabilities.
The pressure on retailers and their cyber security teams is immense. As cybercrime grows more sophisticated and costly, M&S’s experience is a stark reminder that resilience is not just a technology challenge; it is a leadership and cultural one too.