Welcome to the age of cyber insecurity in business

My first inkling of the damaging cyber attack on Marks and Spencer was when I entered a store at the Easter weekend and was told that contactless payments were not working. It threatened to ruin the trip until I realised I could scan food items on the M&S app on my phone and use Apple Pay instead.

It says something about our acute dependence on online commerce that the only way to circumvent a cyber attack was by hacking the store in another way. If only the rest of the technological answer were so simple for M&S: five weeks later, the food and clothing retail chain faces a £300mn hit to operating profits, and online clothes sales remain suspended.

M&S food stores are mostly well stocked again after gaps appeared on shelves, but the struggle to rebuild its operations continues behind the scenes, and could take until July to be completed. As another business victim of a ransomware attack said of the experience: “What we weren’t ready for was what is essentially vandalism.”

Welcome to the age of cyber insecurity. A Scottish law firm that has launched the inevitable class action suit against M&S for allowing some customer data to leak denounced its failure as “unacceptable”. But accept it we must, or at least face the reality that companies and organisations cannot guarantee they will block all hackers who are intent on causing havoc.

Richard Horne, chief executive of the government’s National Cyber Security Centre, last week called the onslaught “plainly intolerable”. But he also argued earlier this month that “the concept of control is completely false . . . it’s outside our power to always stop the unwanted thing from happening”. So then, businesses have to find ways of tolerating the intolerable.

That is an anxiety-provoking idea, given that the impact of a criminal cyber attack on both employees and customers can be extremely gruelling. Vital data is often encrypted and a ransom demanded for its release. “We’re only 4.5 weeks into this incident. Sometimes it feels like 4.5 months, if I’m honest,” Stuart Machin, M&S chief executive, remarked last week.

The M&S attack has been linked to Scattered Spider, a loose affiliation of hackers involved in ransomware raids, including on MGM Resorts in 2023. They often talk help-desk workers into changing passwords and authentication methods. The ability to speak fluent English is innovative in the Russian-dominated ransomware world, but it is hardly a huge barrier to entry.

This is the corporate equivalent of asymmetric warfare, with raiders probing the weak points of states. There tend to be plenty of holes: many companies still use patched-together technology from past mergers. They are also reliant on outsiders: M&S says it was affected by “human error” at a third-party contractor and Tata Consultancy Services is investigating internally.

Companies cannot abandon cyber security as a hopeless effort, of course. Despite the mutual interest of hackers and the enterprises they invade in portraying these crimes as very sophisticated, many are not. They could have been avoided with some simple steps, such as keeping software updated and deploying multi-factor authentication. Sometimes, there is no excuse.

But at least as much effort has to be devoted to resilience: ensuring that the damage is contained, and normal service can be restored after days or weeks, rather than months or sometimes never. Think of how many fire drills a company would hold if there were arsonists lingering openly outside. The same care should be applied to early detection and rapid response when a cyber attack is under way.

The most chilling and effective tactic of many attackers is to lock up files on which operations run, like the thieves who change passwords and identities on stolen phones. An enterprise is much less vulnerable to being blackmailed if its core data has been backed up and stored separately. Even if customer information is stolen, the business does not stop working.

It is also important to avoid over-dependence on a single point of potential technological failure. M&S online clothing sales have stopped, but home deliveries of online food orders are run by Ocado and have been largely unaffected. Cyber resilience was not the original reason for that arrangement but partitioning operations has its benefits.

Everyone but criminal hackers would benefit if companies could always block them, but that is a forlorn hope. More than half of UK businesses suffered at least one cyber attack in the five years to 2024, according to one study. The only option is to build defences, practise the drill, and expect trouble.
