Marks & Spencer faced a potential catastrophe from a severe cyber attack, as revealed by its chairman. Archie Norman expressed that if the breach had occurred during the company’s previous struggles, the consequences would have been dire. In this instance, M&S had to halt its crucial online operations, resulting in an estimated loss of £10 million in profits each week.
The ransomware incident took place in late April, compromising customer data such as names, email addresses, and dates of birth. After a six-week hiatus, the retail giant resumed online orders for clothing and homeware gradually.
The culprits behind the attack, known as Scattered Spider, remain shrouded in mystery, with speculations linking them to a group associated with the creation of ransomware. Mr. Norman refrained from disclosing whether a ransom was paid, citing an ongoing investigation that involved UK regulators, law enforcement, and the FBI.
Describing the event as “traumatic,” Mr. Norman highlighted the necessity for manual operations, not utilized for three decades, to sustain business continuity. M&S’s general counsel emphasized the importance of being prepared to operate offline, underscoring the vulnerability of businesses to technological disruptions.
Despite reporting a 20% increase in annual profits before the attack was disclosed, M&S anticipates a £300 million dent in future earnings due to the incident, with hopes of recuperating a significant portion through insurance claims.
Additionally, the Commons Business Committee heard from the Co-op, another target of the same cyber group. The Co-op swiftly detected and mitigated the attack, although disruptions in deliveries led to stock shortages in their stores. Dominic Kendal-Ward from the Co-op Group cautioned against escalating cyber threats, foreseeing more sophisticated attacks in the future.
The Committee Chair, Liam Byrne, emphasized the severity of the situation, characterizing the breaches at M&S and the Co-op as alarms for the industry. The increasing threat of cyber attacks, as evidenced by these incidents, poses a pervasive risk that many fear may be uninsurable.
