Marks & Spencer’s chairman, Archie Norman, recently disclosed that the company narrowly avoided potential devastation from a severe cyber attack. Norman expressed that if the attack had occurred during a period of prior struggle, the outcome could have been catastrophic for the company. As a result of the cyber breach, M&S had to halt its online operations, resulting in approximately £10 million in weekly profit losses.
The ransomware incident, which occurred in late April, involved the theft of customer personal data, including names, email addresses, postal addresses, and dates of birth. It took six weeks for Marks & Spencer to resume online clothing and homeware sales gradually.
The cybercriminal group responsible for the attack, known as Scattered Spider, reportedly has ties to a ransomware creator named Dragon Force, allegedly comprising former computer gamers who turned to hacking with connections to Asia.
During a session with MPs on the Commons Business and Trade Committee, Norman refrained from confirming whether a ransom was paid, citing an ongoing investigation involving regulatory bodies and law enforcement agencies in the UK and the FBI due to the prevalence of cyber attacks in the US.
The unprecedented event forced M&S to revert to manual operational methods not utilized in three decades to sustain business operations. Nick Follard, M&S’s general counsel, emphasized the importance of being able to function without technology, advising other businesses to ensure they can operate using traditional pen and paper methods during system downtime.
Although M&S reported a 20% increase in annual profits to £875.5 million in June before the attack, it anticipates a potential £300 million reduction in future profits due to the incident. The company aims to recover a significant portion of these losses through insurance claims.
The Commons Business Committee also heard from the Co-op, which faced a similar cyber attack from the same group. The Co-op swiftly responded to limit the impact of the attack, but it still experienced disruptions in deliveries to its stores, causing shortages on shelves.
Dominic Kendal-Ward, group secretary and general counsel at the Co-op Group, warned that businesses are increasingly vulnerable to sophisticated cyber threats, emphasizing the need for heightened cybersecurity measures.
Committee chair Liam Byrne highlighted the significant impact of the cyber attacks on both Marks & Spencer and the Co-op, underscoring the pervasive threat faced by all businesses. He stressed that the breach should serve as a wake-up call, as no organization is immune to cyber threats, making robust defenses and preparedness crucial in today’s digital landscape.