Marks & Spencer online taking time to recover after costly cyberattack

Retailers worldwide race to boost defences against hackers after 141-year-old M&S loses over £60m

Pedestrians walk past the Marble Arch branch of British retailer Marks & Spencer in central London, Britain. Picture: REUTERS/CARLOS JASSO

Bengaluru — A month after a costly cyberattack on one of Britain’s best known retailers, Marks & Spencer has yet to restore online shopping as it prioritises safety over speed, while retailers worldwide race to boost their defences.

The attack on the 141-year-old M&S has likely already cost it over £60m in lost profit, according to analysts. It has also wiped over £1bn from M&S’s stock market value.

Hackers have also hit the Co-op and Harrods in Britain, and Google said last week those responsible were targeting US companies.

So far, M&S has been positively surprised by customers’ willingness to shop in-store instead of online, one person with knowledge of M&S’s response to the attack told Reuters, though it is also nervous patience will run out.

The person said systems were being brought back online every day, but that the company was prioritising safety over speed.

The person, who asked not to be named because of the sensitivity of the issue, did not know when online clothing ordering would resume.

M&S has said very little about the cyber-incident that it disclosed on April 22.

Three days later it stopped taking clothing and home orders through its website and app, and it said last week some personal customer information was stolen in the hack.

Cyber analysts and retail executives said the company had been the victim of a ransomware attack, had refused to pay — after government advice — and was working to reinstall all of its computer systems.

An M&S spokesperson declined to comment on the cyberattack, saying the company has been advised not to.

As systems were taken offline, some clothing, home and food products became unavailable in stores.

By Thursday, M&S’s stock forecasting system for food was operating again, restoring normal flows from distribution centres to stores. It said availability was “looking better every day”.

Neil Thacker, global privacy and data protection officer at cybersecurity company Netskope, said M&S was right to take its time. “They want to get it right, (so) that they recover to a better state than perhaps they were in previously,” he said.

A hacking collective known as Scattered Spider, which deploys ransomware from a group calling itself DragonForce, has been blamed in the media for the attack.

One source said at least two Tata Consulting Services employees’ M&S logins were used as part of the breach.

TCS, which provides IT services to the retailer and manages its help desk, declined to comment.

Two CEOs of UK retailers, a former retail CEO and other retail and cyber-industry sources told Reuters that all companies were urgently reviewing their security systems.

For M&S, which had traded strongly before the cyberattack, the concern will not only be lost business and stock market value, but the risk of lasting damage to a brand that YouGov ranked as Britain’s best last year.

Tracey Woolf, a 62-year-old interior designer, said on Wednesday she was looking for trousers for her father at rival Next as she could not order them online from M&S and staff had been unable to say whether they were available in stores.

“I just think a big company like that, that’s been going all those years, should be on it by now,” she said outside a large M&S store in Stratford, east London.

M&S, which has about 64,000 staff and 565 stores, has declined to quantify the financial impact so far as it misses out on sales of new season ranges. Online sales usually contribute about one-third of clothing and home sales.

One UK retail CEO gave an insight into what M&S might be thinking. He said M&S had likely believed it could restore data and rebuild its systems without incurring too big a financial hit. But a month in, that gamble was now “getting interesting”.

He said the risk would be, if M&S now decided to pay the ransom, the hacker would know M&S is in trouble and could raise the price. And when dealing with criminals, there is no guarantee systems would be restored.

The retail CEO said he knew of one hacked UK retailer, which he did not name, that paid a £10m ransom and got systems back.

As the crisis drags on, M&S’s problems will mount.

Analysts said store staff had worked hard to keep the business trading, but morale would suffer unless management can give them some timescale for a return to normal business.

M&S may have also made commitments to brands that trade on its website that it may not be able to keep.

As of Tuesday, Investec analyst Kate Calvert estimated about £68m of online orders would have been lost, with another £17m lost if online ordering is still down on May 21, when M&S reports annual results.

Given the need for M&S to revert to more manual processes, labour costs and food wastage costs are also likely to have jumped, and the group faces the prospect of a larger than normal end of season clothing sale with deeper discounts to clear stock, potentially damaging profit margins.

Analysts at Deutsche Bank estimate a profit hit run rate of about £15m a week. They said cyber-insurance would likely cover most of the impact but that is generally time limited.

Other British retailers just hope they will not be the next.

“If it can happen to M&S, it can happen to anyone,” Thacker said.

Reuters
