Clothing shortages, food waste and millions lost each day: inside the M&S cyber-attack chaos

TruthLens AI Suggested Headline:

"Marks & Spencer Faces Major Operational Disruptions Due to Cyber-Attack"

AI Analysis Average Score: 7.6
These scores (0-10 scale) are generated by TruthLens AI's analysis, assessing the article's objectivity, accuracy, and transparency. Higher scores indicate better alignment with journalistic standards.

TruthLens AI Summary

Marks & Spencer (M&S), the UK's largest clothing retailer, has been grappling with a significant cyber-attack that began over the Easter weekend. This attack has led to substantial operational disruptions, costing the retailer millions of pounds daily. M&S has halted online orders for over a week, with no immediate prospects for resuming them. The retailer is facing challenges in maintaining its inventory levels due to automated stock systems being offline. Employees have had to manually check food temperatures and stock availability, which has resulted in food waste as donations were briefly interrupted. Industry insiders warn that it may take weeks to restore the retailer’s website and months for all systems to be fully operational, leading to a significant impact on short-term profits and customer service. The situation has been exacerbated by issues with contactless payments and a disrupted loyalty scheme, affecting customer transactions both online and in-store.

The Metropolitan Police and the National Crime Agency are investigating the incident, which has been linked to the hacking group known as Scattered Spider. M&S's share price has suffered, with estimates suggesting the attack could reduce annual profits by £30 million, and ongoing losses of £15 million per week. However, analysts believe that the brand's strong customer loyalty and capital reserves may mitigate long-term damage. M&S has seen a surge in grocery spending prior to the attack, indicating a robust consumer sentiment. As rival retailers ramp up their cybersecurity measures in light of recent attacks, the National Cyber Security Centre has urged all businesses to bolster their defenses. The cyber-attack on M&S serves as a stark reminder of the vulnerabilities that retailers face in an increasingly digital marketplace, highlighting the need for improved security protocols across the industry.

TruthLens AI Analysis

The recent cyber-attack on Marks & Spencer (M&S) has raised significant concerns regarding its impact on the retailer's operations and financial performance. The situation highlights vulnerabilities within the company's technological infrastructure and poses serious questions about cybersecurity in the retail sector.

Economic Impact and Consumer Confidence

The attack has led to severe disruptions, including the suspension of online orders and difficulties in managing store inventories. This could result in millions of pounds lost daily, which is likely to affect consumer confidence in M&S. The retailer's reliance on automated systems has proven to be a double-edged sword, as their failure has forced staff to revert to manual processes, which can be inefficient and error-prone. The ongoing issues may deter customers from shopping both online and in physical stores, exacerbating the financial fallout.

Public Perception and Corporate Image

The CEO's call for shoppers to visit physical stores indicates an attempt to manage public perception amidst the crisis. However, the report suggests that it could take weeks or months to fully restore services, which may tarnish M&S's reputation as a reliable retailer. The involvement of law enforcement and the mention of a known hacking group, Scattered Spider, could further amplify concerns about the safety of shopping with M&S, potentially leading to a loss of trust among customers.

Information Control and Transparency

While the report details the disruptions, it raises questions about the transparency of M&S's communication regarding the extent of the cyber-attack and its implications. The mention of ongoing investigations by the Metropolitan police and the National Crime Agency implies that there might be more concerning details that have not been disclosed to the public. This could suggest a strategy of damage control to avoid panic and protect the company's image.

Potential Manipulation and Bias

The framing of the article emphasizes the chaos caused by the cyber-attack, which could serve to manipulate public sentiment towards viewing M&S as a victim of unfortunate circumstances rather than as a company with potential shortcomings in its cybersecurity measures. This narrative could be aimed at garnering sympathy from consumers and stakeholders, thus mitigating any backlash.

Comparative Context and Broader Implications

When compared to other news regarding cybersecurity threats in retail, this story aligns with a growing trend of breaches affecting major corporations. The timing of the article coincides with increasing awareness of cyber risks in various sectors, indicating a heightened urgency for businesses to reinforce their cybersecurity frameworks. The implications of such attacks extend beyond individual companies, potentially affecting stock markets and investor confidence in retail sectors.

Community Reception and Stakeholder Reactions

The article may resonate more with consumers who prioritize data security and service reliability. It aims to engage M&S's customer base while addressing concerns about the disruptions caused by the attack. The retailer's response to the crisis will likely determine how various communities perceive its commitment to customer service and security going forward.

Market Reactions and Financial Consequences

The disruption in operations could influence stock performance, particularly affecting M&S’s shares and those of similar retailers. Investors may be wary of companies that demonstrate vulnerabilities to cyber threats, prompting a reassessment of risk in the retail sector.

Geopolitical and Global Considerations

While the article is primarily focused on a corporate incident, it reflects broader global trends in cybersecurity threats that could have implications for international trade and commerce. The interconnectedness of the digital economy means that such attacks can resonate beyond national borders, affecting global supply chains and consumer behavior.

The potential use of AI in the article's writing raises questions about the narrative framing and the objectivity of the reporting. If AI tools were employed, they might have influenced the tone and focus, steering the article towards highlighting chaos while potentially downplaying other critical aspects of the incident.

Given the multifaceted implications of the cyber-attack on M&S, the article presents a mix of factual reporting and narrative elements that could influence public perception and market behavior. The reliability of the information presented seems solid, but the framing suggests a possible intent to shape the narrative around the company's vulnerability and resilience.

Unanalyzed Article Content

Unusual activity on tech systems over the Easter weekend was the first sign of a sustained cyber-attack on Marks & Spencer, which is costing the retailer millions of pounds a day.

The group, the UK’s biggest clothing retailer which accounts for a third of underwear sales alongside food and homewares, has now been forced to stop taking online orders for more than a week – with little hope of rebooting them in the short term. Stores are struggling to keep shelves full with automated stock systems offline and at one point this week staff were manually checking fridge temperatures owing to concerns about digital monitoring systems.

As the chief executive, Stuart Machin, urged shoppers to head into M&S stores this weekend, industry insiders have suggested it could take weeks to get the retailer’s website back online and perhaps months before all systems are running – suggesting a big hit to short-term profits and service.

One source said: “It’s going to take some time but each day that passes they get more systems up.”

After days of disruption, contactless payments and gift cards are now being accepted, refunds are possible and returns are being processed in clothing and homeware stores. It is also possible to pick up online orders made before 23 April. The Sparks loyalty scheme remains disrupted.

M&S first reported problems at Easter, when it stopped taking click-and-collect orders and its contactless payments were affected. While those have restarted, problems continue across the business: it had to pause deliveries of some packaged food items to Ocado, the online grocery specialist it co-owns.

The Metropolitan police have confirmed they and the National Crime Agency are investigating a cyber-attack, which has been linked to a hacking collective known as Scattered Spider.

Meanwhile, with automated systems down, staff must physically check what is available in store stockrooms and are unable to tell customers if items they want are available in nearby stores.

Staff say on online forums that they were forced to fill several bins with food waste last week as donations to charity were briefly disrupted. The IT problems had caused difficulties in making price reductions to clear food that is not selling. “The amount of waste is immense,” one staff member posted. It is understood food donations have now restarted.

Emphasising the scale of the problems, one member of staff posted earlier this week that “it’s easier to list the things that work than the things that don’t”, as first reported by the Grocer trade journal.

At the retailer’s flagship store on London’s Oxford Street, there were gaps on shelves in the grocery department this week, especially on packaged goods such as biscuits, cleaning products and tea, and very limited sizes on popular clothing lines with some rails only holding a handful of sizes 16, 18 and 20.

Still, shoppers were largely impressed by the professional service of workers in difficult circumstances – reflecting hundreds of mostly glowing reviews online. Some shoppers had not even noticed any problems in stores.

Stacy Thompson, 45, said she had popped in after four or five days of trying to order what she wanted – some bed linen – online. She was philosophical about her trip to the store: “I like the high street and we need to bring it back. It’s annoying for M&S and the fact that I have had to come in, but convenience [of home delivery] has caused a lot of problems and maybe we should come to a shop.”

Dennis Bostock, 55, who always shops in person as he finds using technology difficult, said he was weighing up whether to walk to another M&S to find out if they had the particular shirt he was after as store staff were unable to find out automatically with systems down. “I’m frustrated as I really wanted that shirt,” he said. “I probably won’t go down the road as it is too hot.”

M&S clothing and home sales online are worth about £3.8m on an average day, underlining why the retailer was “working day and night” to fix the issues, according to Machin.

Fears about the potential impact on the business have now wiped almost £750m off the value of the retailer since the Easter bank holiday. The share price fell again on Friday.

Analysts at Deutsche Bank estimate the attack has already sliced £30m off M&S’s annual profits and will continue to hit the retailer by £15m a week. A big chunk of the initial £30m is likely to be covered by insurance, but that is time-limited, so that the longer the problems persist, the more costly they will be for the retailer.

Adam Cochrane, a retail analyst at DB, said there was no evidence of any customer data being hacked and “combined with a very robust consumer feeling towards M&S (including social media reports of consumers diverting their spend towards M&S as a show of solidarity), we see no long-lasting damage to the brand.”

“M&S is firmly on the right track, in our view, and we see the shares bouncing back when the incident is resolved,” Cochrane said in a note.

Kate Calvert, a retail analyst at Investec, agreed that the brand was unlikely to face long-term damage with industry data indicating that the retailer had been performing ahead of expectations before it had “hit a brick wall” when the hack took place.

On Tuesday, analysts at the market research company Kantar revealed that spending on groceries at M&S rose by 14.4% in the 12 weeks to 20 April – just before the cyber-attack.

Calvert said M&S was not expected to update the market on any profits hit before its full-year results on 21 May. She suggested it would be difficult for M&S to give an assessment of the outlook until it had a clearer idea of how long the problems could take to fix and to what extent sales had been completely lost – rather than diverted into stores or delayed.

Calvert said M&S was “incredibly well capitalised”, so that it had plenty of funds to ride out the problems and the cyber-attack was “not going to damage the longer-term business”. “Come a year’s time it won’t be noticed,” she said.

However, rival businesses are urgently reviewing their tech security systems amid fears that they could be next after hits on the Co-op and Harrods emerged in recent days.

The Co-op shut off parts of its IT systems after an attempted hack, and the luxury department store Harrods said on Thursday that it had also had to power off some systems.

The government-backed National Cyber Security Centre (NCSC) said it was working with the affected companies but told all UK businesses that the incidents “should act as a wake-up call” on the importance of having measures in place to protect against and respond to attacks.

One retail insider said “everyone is clearly on a war footing” and there was “a lot of sympathy” with M&S’s situation.

Another said the NCSC had been “sharing learnings” from M&S’s experience with other businesses so they could check over their systems. M&S and the Co-op use the SAP software system, which is widely used across UK retail.

“It is a scary case study,” said one retail executive.

Scattered Spider’s alleged involvement has not been confirmed and there is no public evidence that the trio of retail attacks was carried out by the same assailant.

Toby Lewis, head of threat analysis at cybersecurity firm Darktrace, said coincidence could not be ruled out. However, Scattered Spider had a record of gaining access to one supplier through its supply chain then reusing that technique and access to attack other retailers using the same supplier, he said.

“If Scattered Spider are behind the M&S attack, it’s likely we’re seeing them opportunistically reuse their access on other retailers,” he said.

According to the same report that attributed the attack to Scattered Spider, the attackers used malicious software called DragonForce – developed by a “cartel” with the same name – to cripple M&S systems under a ransomware-for-hire arrangement. The BBC reported on Friday that a group naming itself DragonForce had claimed responsibility for the three attacks and had obtained the personal data of Co-op members, although Scattered Spider members could ultimately be deploying the malware.

Normally, evidence of M&S data being stolen would then appear on DragonForce’s website, a service offered to hackers as part of the “ransomware as a service” arrangement. However, the site was not working as of Friday afternoon after a dispute with a rival ransomware group.

The attackers may not contact M&S directly but normally leave a ransomware note on the victim’s IT system. Hackers often prefer to conduct communications via Tox, an encrypted messaging service, according to the cybersecurity firm Secureworks.

Ransomware gangs are known to put examples of stolen data on a “leak site” in a bid to gain leverage over their victim, although in the case of the M&S attacker this could be difficult.

This is unlikely to stop the M&S attackers from attempting to open negotiations, according to Aiden Sinnott, a security researcher at Secureworks.

Sinnott said the situation was probably at the negotiation stage, where the hacker attempts to secure a “ransom” paid in cryptocurrency to reinstate encrypted files or return stolen data. Negotiations are often carried out by specialist professionals brought in for that purpose.

“It’s not always about negotiating a price,” said Sinnott. “The main aim can be buying time: allowing your incident response team to recover as much of the system as possible.”

For M&S, every day costs millions more pounds in lost sales.

Source: The Guardian