Marks & Spencer (M&S) has disclosed that it expects to take a hit of around £300m in worthless profit following a recent complex cyber theft – the highest disclosed financial impact of a cyber incident on a UK company to date.
The attack, which took place over the Easter weekend, left the retailer unable to operate its online systems, including its online store, mobile app, and click-and-collect services, as well as internal staff applications and supply chain systems.
The extensive disruption has resulted in visible empty shelves in some of their stores across the country, and online sales for its fashion, home and beauty branches have dramatically plunged.
The nature of the attack remains unclear, but reports indicate that it was ransomware-related, potentially involving the “Scattered Spider” group that reportedly utilized the DragonForce ransomware-as-a-service platform. It is unclear whether a ransom was paid by M&S to the attackers.
The breach at M&S, which operates 1,043 stores worldwide, began with a social engineering attack targeting employees of the third-party supplier, according to a recent finance update, as “human error” M&S Chief Executive Stuart Machin described the vulnerability. In a reaction to the towering financial and operational fallout, which will be seen rippling through its online shopping until July, M&S is hastening digital transformation plans.
The company aspires to accomplish its planned two-year digital revamp in an ambitious six months in order to ramp up its cyber defense setup and improve its digital infrastructure.
However the company insists that its ten-year plan remains in place, despite the hiccup, and the incident will, ultimately, help the company speed up the technological transformations it requires.
But market analysts are warning that the shock of the disruption and the use of scarce resources for immediate recovery might test the aggressive timetable for the digital overhaul of the marketplace and put the transformation it envisions in jeopardy. The task of regaining customer trust and securing Web-based operations are two more big challenges in the months ahead.
Although M&S is attempting to offset the £300m hit to with cost-cutting measures and insurance pay-out, there could be serious lasting effects from this huge cyber incident on M&S’s finances and digital transformation. It’s a chilling reminder of just how sophisticated , and destructive , cyberattacks on large retailers can be.
