Marks & Spencer says it has been managing a “highly sophisticated cyber incident”, with staff working “around the clock with suppliers and partners to contain the incident and stabilise operations”
Marks and Spencer has warned the cyber attack which has paralysed its online sales for a month could wipe around £300million off its annual profits.
The huge hit – which is before factoring in what it may get back through insurance – doe not include the blow to takings.
It said: “In the light of the recent cyber incident, we are using the disruption to bring forward investment, rephasing the original programme, accelerating plans to upgrade infrastructure and network connectivity, store and colleague technology, and supply chain systems.
“This will reduce the inter-dependency of systems and improve operational resilience.” However, there was no update on what its online sales would be restarted.“
Boss Stuart Machin said: “Over the last few weeks, we have been managing a highly sophisticated and targeted cyber attack, which has led to a limited period of disruption. We have tackled this head on with incredible spirit, teamwork and deep sense of responsibility as we prioritised serving our customers.
“It has been challenging, but it is a moment in time, and we are now focused on recovery, with the aim of exiting thisperiod a much stronger business. There is no change to our strategy and our longer-term plans to reshape M&S for growth and, if anything, the incident allows us to accelerate the pace of change as we draw a line and move on.”
He went on: “Over the last 140 years, M&S has overcome many challenges – testament to the longevity of this brand. This incident isa bump in the road, and we will come out of this in better shape, and continue our plan to reshape M&S for customers, colleagues and shareholders.
“I would like to thank all of our colleagues and supplier partners for their hard work and dedication and, importantly thank our customers. They have been unwavering in their support, and we are incredibly grateful for their patience and trust in M&S.”
It came as M&S revealed profits jumped 22.2% at £875.5million in the year to April – highest in over 15 years – but before the cyber attack emerged.
M&S’s online clothing sales have been paralysed since April 25. A message on its website reads: “As part of our proactive management of a cyber incident, we have made the decision to pause taking orders via our M&S.com websites, apps and over the phone.”
Days earlier – on April 22 – the company revealed it had suspended contactless payments in store because of a “cyber incident”. They resumed soon after.
Online has become an increasingly important to M&S – as for other retailers – and had more than nine million “active” customers and almost £1.3billion of sales in its previous financial year.
The saga has also hammered M&S’s reputation – and share price – just as it was recovering after many years of failed overhauls. More than £1billion has been wiped off its stock market value since the attack was first revealed. Reports say M&S has been positively surprised by customers’ willingness to shop in-store instead of online, although it is also nervous patience will run out.
M&S is among a wave of companies struck by ransomware – a form of malicious software designed to burrow into companies’ systems, steal commercially sensitive information, which is then locked, with crooks demanding their victims pay money before handing them the key.
Neil Thacker, global privacy and data protection officer at cybersecurity company Netskope, said M&S was right to take its time. “They want to get it right, (so) that they recover to a better state than perhaps they were in previously,” he said.
Shoppers have been warned another potentially crippling cyber attack on a British retailer is “inevitable”. Graeme Stewart, head of public sector at security company Check Point, said attempted ‘ransomware’ attacks on UK retailers had surged in the past two months, with the sector going from the twelfth most targeted to fifth.
The top four, ominously, are all in the public sector, typically higher education, the NHS, local government and the Ministry of Defence. Asked if it was inevitable that another retailer would fall prey to cyber attackers, Mr Stewart said: “Yes, because what happens with these sorts of things is that they come in waves.”
Police are investigating the attack on the M&S, as well as the Co-op and Harrords. The focus is a notorious group of hackers calling itself Scattered Spider, which is believed to include members – some in the UK – as young as 16.
“We are looking at the group that is publicly known as Scattered Spider, but we’ve got a range of different hypotheses and we’ll follow the evidence to get to the offenders,” Paul Foster, head of the NCA’s national cyber crime unit, said in a new BBC documentary. In light of all the damage that we’re seeing, catching whoever is behind these attacks is our top priority,” he added.