British retailer Marks & Spencer (M&S) has said that the “sophisticated and targeted cyberattack” it has just experienced will cost the company around $400 million (£300 million).
The ‘severe and coordinated attack’ was first noticed happening on or just before the Easter weekend at the end of April and is still causing ‘fuss and inconvenience’ with its online services and in-store delivery availability, the retailer said in a statement.
The retailer acknowledged that the cyber incident caused it to suspend online shopping of its food, home and beauty products for a period. This essential weapon in the fight against the attack has also caused severe disruption to online sales, including gross profit on sales.
And whereas fashion, home and beauty physical stores have stayed open, disruption has now shifted to food sales with limited operational capacity needing to improvise with manual operations, and surge in waste and logistic costs. Non-writing based payments were also disrupted in the immediate wake of the attack.
Stuart Machin, Chief Executive of M&S, said: “We are not taking any chances and our full attention is on continuing to manage this incident and on recovery and restoring our systems.”
He expects the disruptions online to continue through June and into July as businesses slowly reopen and begin to ramp up. This extended disruption will also result in higher inventory management expenses in Q2.
The company also announced that some of its customers’ personal data was exposed in the attack. That includes things like names, dates of birth, addresses where people live, phone numbers, email addresses and online order history.
But M&S said “usable payment or card details” and login passwords were not accessed. Customers will be asked to reset their password the next time they log in online as a preventive measure.
It offers little details about the attackers, but cybersecurity experts suspect it could be the work of the infamous cybercrime group ‘Scattered Spider’ which could have leveraged the ‘DragonForce’ ransomware. Had this same group associated with the previous attacks on other big UK retailers?
The $400 million loss is a large chunk of M&S’s operating profit for this financial year. The firm expects some of these losses to be curtailed via cost control, insurance claims and other trading activities. However, the retailer was positive about its medium-term growth outlook, and is pressing ahead with planned dividends hikes.
The cyberattack acts as a reminder of the growing risks retailers are facing, and the massive financial and operational disruptions they are exposed to. M&S is now engaging with cyber security specialists and the authorities to accelerate a full investigation and to take all necessary actions to protect its customers. Customers are cautioned to be on the lookout for possible phishing and other scam activities.
