Marks and Spencer expects a £300mn hit to operating profits this year from a cyber attack that it blamed on “human error”, as the FTSE 100 retailer warned that disruption to its online operations would last until July.
M&S said alongside its annual results on Wednesday that it expected to mitigate the profit impact from the attack, which has severely disrupted its operations and led to the theft of customer data, through “management of costs, insurance and other trading actions”.
The cyber attack has forced the retailer to shut down its online clothing business for more than three weeks, left it unable to stock its food stores adequately and wiped almost £750mn off its market capitalisation. M&S disclosed for the first time last week that some personal customer data had been stolen.
Chief executive Stuart Machin declined to say whether M&S had paid a ransom to the hackers and said the attack was a consequence of “human error”, rather than weakness in its IT systems or cyber defences.
“Threat actors only have to be lucky once, and we didn’t leave the door open, so this wasn’t anything to do with under-investment,” he added.
Machin confirmed that cyber criminals accessed its systems through so-called social engineering tactics via a third-party supplier, whereby criminals trick IT staff into changing passwords and resetting authentication processes in order to gain access. Machin declined to name the supplier that was compromised.
M&S said it was working around the clock to contain the “highly sophisticated and targeted cyber attack” and stabilise operations.
Machin said the incident had been challenging, “but it is a moment in time” and “a bump in the road”, and there would be no change to the company’s transformation plans.
M&S said that online sales and trading profit for clothing and home goods had been hit in the first quarter of its new financial year by its decision to pause online shopping. It expects disruption to continue throughout June and into July.
The retailer added that food sales had also been affected by reduced availability, although the situation was improving. The hack has incurred additional waste and logistics costs, and has wiped almost £750mn off M&S’s market capitalisation.
The retailer said it hoped to halve the expected profit hit partly through insurance. The Financial Times reported earlier this month that M&S could claim for losses of as much as £100mn.
Last week, some analysts raised concerns that the disruption could derail the group’s turnaround efforts.
“At the end of the day, the person running the company is me as chief executive. I’m accountable for making sure we transform this organisation. That’s what we’ve been doing for three years,” said Machin.
He said that as a result of the cyber attack, M&S would overhaul some of its technology systems in six months, rather than over the course of two years as originally planned.
The cyber attack overshadowed strong results for the year to March 29. The company posted a 22 per cent increase in profit before tax and adjusting items to £875.5mn — its preferred metric — beating analyst expectations. Sales rose 6.1 per cent to almost £14bn.
However, its reported pre-tax profits fell almost 24 per cent to £511.8mn, in part because of a £248.5mn non-cash impairment on its 50 per cent stake in Ocado Retail.