Marks & Spencer's Slow Recovery From Cyberattack Puts it at Risk of Lasting Damage
A month after a costly cyberattack on one of Britain’s best-known retailers, Marks & Spencer (M&S) has yet to restore online shopping as it prioritizes safety over speed. The attack on the 141-year-old M&S has likely already cost it over 60 million pounds ($80 million) in lost profit, according to analysts.
Hackers have also hit the Co-op and Harrods in Britain, and Google said last week those responsible were targeting U.S. companies. So far, M&S has been positively surprised by customers’ willingness to shop in-store instead of online, one person with knowledge of M&S’s response to the attack told Reuters.
The person said systems were being brought back online every day, but that the company was prioritizing safety over speed. The person did not know when online clothing ordering would resume. M&S has said very little about the cyber incident that it disclosed on April 22. Three days later it stopped taking clothing and home orders through its website and app, and it said last week some personal customer information was stolen in the hack.
Cyber analysts and retail executives said the company had been the victim of a ransomware attack, had refused to pay – following government advice – and was working to reinstall all of its computer systems. An M&S spokesperson declined to comment on the cyberattack, saying the company has been advised not to.
As systems were taken offline, some clothing, home and food products became unavailable in stores. By Thursday, M&S’ stock forecasting system for food was operating again, restoring normal flows from distribution centers to stores. It said availability was “looking better every day.”
A Delicate Balance: Safety Over Speed
Neil Thacker, global privacy and data protection officer at cybersecurity company Netskope, said M&S was right to take its time. “They want to get it right, (so) that they recover to a better state than perhaps they were in previously,” he said.
A hacking collective known as Scattered Spider that deploys ransomware from a group calling itself DragonForce, has been blamed in the media for the attack. One source told Reuters that at least two Tata Consulting Services employees’ M&S logins were used as part of the breach. TCS, which provides IT services to the retailer and manages its help desk, declined to comment on the incident.
Retailers Rush to Boost Defenses
Two chief executives of UK retailers, a former retail CEO and other retail and cyber industry sources told Reuters that all companies were urgently reviewing their security systems. For M&S, which had traded strongly before the cyberattack, the concern will not only be lost business and stock market value, but the risk of lasting damage to a brand that YouGov ranked as Britain’s best last year.
Tracey Woolf, a 62-year-old interior designer, said on Wednesday she was looking for trousers for her father at rival Next NXT.L as she could not order them online from M&S and staff had been unable to say whether they were available in stores. “I just think a big company like that, that’s been going all those years, should be on it by now,” she said outside a large M&S store in Stratford, east London.
The Financial Impact
M&S, which has about 64,000 staff and 565 stores, has declined to quantify the financial impact so far as it misses out on sales of new season ranges. Online sales usually contribute around one-third of clothing and home sales. One UK retail CEO gave an insight into what M&S might be thinking.
"M&S had likely believed it could restore data and rebuild its systems without incurring too big a financial hit. But a month in, that gamble was now “getting interesting.” He said the risk of cyber insurance coverage would run out soon, potentially leaving M&S with significant losses.
A Warning to Other Retailers
Analysts at Deutsche Bank estimate a profit hit run rate of about 15 million pounds a week. They said cyber insurance would likely cover most of the impact but that is generally time limited. Other British retailers just hope they will not be the next. “If it can happen to M&S, it can happen to anyone,” Thacker said.