M&S cyber attack: How long will disruption last and what will happen to my orders?


Marks & Spencer has said the fallout from their major cyber attack will cost the company £300 million and last for several more weeks after the attack left shelves empty in some stores and online orders unfulfilled.

The British high street retailer took systems offline after being targeted by hackers around the Easter weekend – a move which is now having a knock-on effect on its operations.

The Metropolitan Police confirmed detectives from the force’s cyber crime unit launched an investigation which remains ongoing.

Marks & Spencer is also working with experts from both the National Crime Agency and the National Cyber Security Centre, with the former telling The Independent that the two groups were working “to better understand the incident and support the company”.

The ongoing disruption raises questions about the nature of the incident and the company’s recovery process.

Here is a closer look at what has happened, and why it has taken the firm so long to recover.

What has happened to Marks & Spencer?

The retailer has been struggling with its internal services since being hit by what it is calling a “cyber incident” over a week ago.

The incident first affected the firm’s contactless payment and click and collect orders, before M&S then paused online orders through its app and website. These have remained down since.

In addition, some M&S stores have now been left with empty shelves.

A spokeswoman for M&S said on Tuesday that it had taken some of its systems “temporarily offline” as part of its “management” of the incident, and this had meant “pockets of limited availability” in some stores.

On Wednesday, the Metropolitan Police confirmed it was investigating the incident.

How long will disruption last?

Marks & Spencer has said disruption from the cyber attack is expected to continue through to July.

The retailer revealed on Wednesday morning that online sales and profits in its fashion, home and beauty business have been “heavily impacted”.

Disruption to online operations is set “to continue throughout June and into July as we restart, then ramp up operations”, it said.

It added that clothing and home sales have been “resilient” in stores and shoppers will see improvements over the coming weeks.

Meanwhile, food sales were affected by reduced availability but the business stressed this is “already improving”.

What was taken in the cyber attack?

Customer personal data, which could have included names, email addresses, postal addresses and dates of birth, was taken by hackers in the attack.

A statement on their website tells shoppers: “As we continue to manage the current cyber incident, we have written to customers to let them know that unfortunately the nature of the incident means some personal customer data has been taken.

“Importantly, there is no evidence that this data has been shared and it does not include useable card or payment details, or account passwords, so there is no need for customers to take any action.

“To give customers extra peace of mind, they will be prompted to reset their password the next time they visit or log onto their M&S.com account on our website or app, and we have shared information on how to stay safe online.”

Has anyone claimed responsibility for the attack?

The Marks & Spencer website stating that the company has paused online orders (marksandspencer.com)

A hacking cartel calling themselves DragonForce told the BBC it was behind the attack as well as similar hacking attempts on the Co-Op and Harrods.

The group, which has been active since August 2023, originated as pro-Palestine hacktivists allegedly based in Malaysia.

DragonForce are believed to have expanded from hacktivism to ransomware operations, claiming to have attacked Coca-Cola, the Ohio State Lottery and even Yakult Australia. Previous DragonForce operators seemed to be non-native English speakers.

Ransomware incidents involve hackers gaining access to a computer system and using malware to steal or block access to files – often encrypting them – before demanding a payment, usually in cryptocurrency, to return the impacted data.

Reporting by Bleeping Computer suggests other links to Scattered Spider, a financially motivated threat group of native English speakers, likely including teenagers based in the UK or the US.

Many cybersecurity experts, and the official advice in the UK, urge organisations not to make ransom payments in incidents like this, because there is no guarantee that the hackers will return the stolen data, and making payments can help criminal enterprise and encourage others to carry out similar attacks in the future.

Can you still shop online?

No, the retailer has paused all online transactions, purchases on apps and over the phone but welcomes shoppers to browse online before making in-store purchases.

What happens to outstanding orders?

Marks & Spencer has been telling customers that orders placed after April 23 would be cancelled and refunded.

The retailer added that you should wait for your “ready to collect” notification email before turning up at a store, after shoppers complained on social media of not receiving pre-ordered items.

Marks & Spencer has seen empty shelves and its market value slashed due to the cyber attack (PA)

What have M&S bosses said?

Chief executive Stuart Machin described the incident as a “bump in the road” and said he hopes the company will come out “in a better shape”.

Mr Machin said: “It has been challenging, but it is a moment in time, and we are now focused on recovery, with the aim of exiting this period a much stronger business.

“There is no change to our strategy and our longer-term plans to reshape M&S for growth and, if anything, the incident allows us to accelerate the pace of change as we draw a line and move on.

“This incident is a bump in the road, and we will come out of this in better shape, and continue our plan to reshape M&S for customers, colleagues and shareholders.”

What have cybersecurity experts said?

Dan Coatsworth, Investment Analyst at AJ Bell, said: “The £300 million expected impact of Marks & Spencer’s cyber-attack on profits shows the severity of the situation. It suggests hackers have caused considerable damage to the company from a financial and reputational perspective.

“Marks & Spencer has lost a significant number of sales after temporarily halting online orders. Disruption to supplies meant gaps on the shelves and more lost sales in-store. It has also incurred extra waste and logistics costs, all having a negative impact on profit.

“The fact online operations might not be back to full power until later in the summer means the company still cannot achieve full earnings potential for some time to come. Marks & Spencer will be able to lower the total hit to profit once it claims on insurance, among other factors, but the cyber-attack has still knocked the business for six.

Marks & Spencer is also working with experts from both the National Crime Agency and the National Cyber Security Centre (PA)

“There’s still a big unknown regarding any potential fines on Marks & Spencer from the Information Commissioner’s Office (ICO), which enforces data protection regulation.”

He added: “Shoppers may eventually forget about the cyber-attack, but Marks & Spencer can take no chances in the near term. It needs to be on the ball, get customers back on side, and ensure its systems are as secure as Fort Knox.”

Thompsons Solicitors will this week launch a class action suit against the company which could result in huge compensation payouts, according to the Daily Record.

Senior partner Patrick McGuire told the paper: “We have a situation here where one of the most famous retailers in the UK have allowed criminals to pillage the personal details of hundreds of thousands of Scottish customers.

“We have been inundated by Scots M&S clients who have been caught up in this online heist and are contacting Thompsons given our experience in this area.

“I think this will be the biggest data theft case we have ever been involved in.”


