Marks & Spencer Warns April Cyberattack Will Cut $400M from Profits

The U.K. department store chain Marks & Spencer has revealed that a devastating cyberattack in April will have a significant impact on its profits, warning that the attack will shave $400 million (300 million British pounds) off its group operating profits.

The company's CEO, Stuart Machin, stated during a prerecorded presentation as part of the company's fiscal-year earnings report that April started strong, continuing the momentum from last year. However, over the Easter holiday break, it became clear that M&S was facing a highly sophisticated and targeted attack.

Disruptions to Online Transactions

The cyberattack has disrupted online transactions through July, with online sales and trading profits for fashion, home and beauty products suffering as a result of the company's need to temporarily reduce online shopping services. Department stores, on the other hand, have remained resilient during the recovery process.

Impact on Food Sales

The attack affected food sales due to reduced availability, highlighting the vulnerability of the food retail sector to cyberattacks. The impact was felt across various aspects of M&S' business operations, underscoring the need for robust cybersecurity measures to protect against such attacks.

Accelerating Technology Improvement Plan

In light of the need to prevent another disruption, M&S now plans to accelerate a technology improvement plan from a two-year time frame to a six-month time frame. The company outlined plans to improve its technology stack in 2023, including investments in infrastructure, network connectivity, store technology, and supply-chain systems.

Cybersecurity Experts Weigh In

Cybersecurity experts believe that the M&S attack was the work of the notorious cybercrime gang Scattered Spider, a group best known for hacking MGM Resorts in 2023. The same hackers also breached the famed U.K. department store Harrods and the major U.K. supermarket company Co-op between mid-April and early May.

Google threat intelligence researchers have warned that the same group is now targeting U.S. retailers, highlighting the global reach of such cyberattacks. "Time and time again, we see that business disruption is one of the most immediate and devastating effects cyberattacks can have," said Allie Mellen, principal analyst at Forrester.

Long-Term Consequences

Legal experts say that the fallout from this attack may affect M&S for years to come. "A challenge for any business dealing with a major breach is the opportunity cost created by the distraction from business as usual," said Jo Joyce, a partner who co-leads the U.K. and Ireland cyber law practice at Taylor Wessing.

"New initiatives and launches will be delayed or canceled, and the business will likely be significantly behind in its plans," Joyce added. The company's reputation and customer trust are also at risk of being compromised, underscoring the need for swift action to address the issue.