
LONDON: Some of Britain’s biggest retailers have been hit hard by cyberattacks, with Marks & Spencer (M&S) losing £700 million in value in just a week and still unable to process online orders.
M&S entered a second week unable to take online orders on Friday following a major cyberattack last week, as food retailer the Co-op Group said hackers had stolen customer data.
Some £700 million ($930 million) has been wiped off the stock market value of M&S since the hack was revealed last week. News that the Co-op and London department store Harrods have also suffered incidents in recent days was described as a “wake-up call” by the government’s National Cyber Security Centre (NCSC).
British companies, public bodies, and institutions have been hit by a wave of cyberattacks in recent years, costing them tens of millions of pounds and often months of disruption.
The 141-year-old M&S, one of the best-known names in British business, stopped taking clothing and home orders through its website and app on April 25 following problems with contactless pay and click-and-collect services over the Easter bank holiday weekend.
The Co-op first revealed a cyberattack on Wednesday but said on Friday that information relating to a significant number of its current and past members — including personal data such as names, contact details, and dates of birth — had been taken.
Ciaran Martin, the former CEO of the NCSC, told Reuters that so far there were no signs the attacks on M&S, the Co-op and Harrods were linked, with the latter two possibly discovered due to heightened vigilance after the M&S incident.
“If this can happen to M&S, it can happen to anybody,” he said, noting that after such a serious attack, a lengthy recovery period was not unusual.
On Friday, M&S CEO Stuart Machin again apologised to shoppers, without stating when online ordering would resume.
“We are working day and night to manage the current cyber incident and get things back to normal for you as quickly as possible,” he said in an email sent to M&S customers.
With M&S, which operates around 1,000 stores across Britain, generating roughly one-third of its clothing and home sales online, analysts have said a short-term profit hit is inevitable.
M&S has declined to quantify the financial impact, which grows daily as it misses out on sales of new season ranges while the UK basks in record May temperatures.
Commuters were locked out of their accounts for almost three months last year following a cyberattack on London transport operator TfL, while another attack on a London blood test processing company last year disrupted services for over three months.
The availability of some food products has also been affected in certain M&S stores, while broader disruption may be hitting the business, which has pulled job postings from its website.
Shares in M&S closed down 1%, extending losses since Easter to about 9%.
‘Increasingly sophisticated’ attacks
Helen Dickinson, CEO of the trade body British Retail Consortium, said cyberattacks were becoming “increasingly sophisticated”, forcing retailers to spend hundreds of millions of pounds each year on defences.
“All retailers are continually reviewing their systems to ensure they are as secure as possible,” she said.
Technology specialist site BleepingComputer, citing multiple sources, said a ransomware attack that encrypted M&S’s servers was believed to have been carried out by a hacking collective known as “Scattered Spider”.
The NCSC is working with the affected retailers, while the Metropolitan Police’s Cyber Crime Unit and the National Crime Agency (NCA) are investigating the M&S attack.
“These incidents should act as a wake-up call to all organisations,” said NCSC head Richard Horne.
Labour MP Matt Western, Chair of Parliament’s Joint Committee on the National Security Strategy, said the government should do more to prevent major cyberattacks.
“As the Government concludes its consultation on proposals to counter ransomware, I hope its response treats these threats with the seriousness they clearly deserve.”