Marks & Spencer faced a potential catastrophe from a severe cyber attack, as disclosed by its chairman. Archie Norman emphasized that if the incident had occurred during the company’s previous struggles, the outcome would have been disastrous. Despite the attack forcing M&S to halt its crucial online operations, resulting in significant financial losses, the company managed to slowly resume online orders after a six-week hiatus.
The cyber breach, involving ransomware, occurred in late April and compromised customer data, potentially including personal information like names, email addresses, and dates of birth. The perpetrators, known as Scattered Spider, are suspected to have ties to a ransomware group named Dragon Force, comprising former gamers turned hackers with connections to Asia.
During a hearing with MPs, Mr. Norman refrained from confirming whether a ransom was paid, citing an ongoing investigation involving regulatory authorities and law enforcement agencies, including the FBI. He characterized the attack as an attempt to disrupt M&S’s business for ransom purposes, describing the experience as traumatic and unprecedented.
In response to the cyber incident, M&S had to resort to manual operations not used in decades to sustain business operations. This event served as a stark reminder of the reliance on technology, prompting the company to advise others to have contingency plans in place to operate without technology if necessary.
While M&S reported a rise in annual profits before the attack, it anticipates a significant impact on future profits, with potential losses estimated at around £300 million. The company aims to recoup a substantial portion of these losses through insurance claims.
Additionally, the Commons Business Committee heard from the Co-op, which also fell victim to a similar cyber attack by the same group. The Co-op swiftly responded to the attack, although disruptions in deliveries to stores led to empty shelves. The Co-op’s representative highlighted the escalating sophistication of cyber threats, emphasizing the growing risk faced by businesses.
In conclusion, the Committee chair expressed concern over the vulnerability of major retail institutions like Marks & Spencer and the Co-op to cyber attacks, signaling a broader risk to all businesses. The increasing threat of cyber attacks underscores the need for heightened security measures and preparedness in the face of evolving cyber threats.