Why hackers hit household names

The boss of Marks and Spencer told shoppers on Friday that the retailer was working “day and night” to fully restore its operations and “get things back to normal as quickly as possible” following a cyber attack that started a fortnight ago and has wiped more than £600mn off its value.

This is the second time in a matter of days that chief executive Stuart Machin has attempted to reassure customers. M&S first disclosed last Tuesday that its systems had been compromised and has been unable to accept online orders since last Friday. A police investigation has been launched.

The retailer was the first household name to be targeted by cyber criminals just days before the Co-op and luxury department store Harrods were also forced to shut down some IT systems and restrict internet access to fend off similar attacks. 

The incidents have highlighted the vulnerability of the UK’s retail sector to digital threats and have prompted concerns that retailers could be the target of a co-ordinated attack. 

Toby Lewis, head of threat analysis at Darktrace, said “we shouldn’t rule out that the three incidents are coincidence”. A supplier or technology that all three chains had in common might also have been breached, he said.


On Thursday night Richard Horne, chief executive of the National Cyber Security Centre, warned that “the disruption caused by the recent incidents . . . are naturally a cause for concern” and “should act as a wake-up call to all organisations”.

Late on Friday, Co-op said “it was continuing to experience malicious attempts by hackers to access our systems” and despite its preventive efforts, hackers were able to access and extract names and contact details for a significant number of shoppers. 

The company said the hackers did not have customers’ “passwords, bank or credit card details, transactions or information relating to products or services”. 

Harrods said all of its stores were open as normal and shoppers could continue to buy goods online.

Some cyber security experts believe that large retailers represent an attractive target for hackers, more so than other sectors.  

“Cyber criminals are generally opportunistic,” said Rafe Pilling, threat intelligence director at Secureworks. “They pursue targets that they can gain easier access to. Retailers generally don’t prioritise cyber security in the same way the regulated industries do, and there are more opportunities to target companies in retail and hospitality, manufacturing, and healthcare.”

Research by law firm Irwin Mitchell in 2024 revealed that UK retailers were showing signs of cyber security apathy, with FTSE 100 retailers referencing “cyber security” less frequently in their annual reports compared with other sectors, despite growing risks.

According to the UK’s Information Commissioner’s Office, the sectors reporting the highest number of cyber security breaches in 2023 were finance, with 22 per cent of reported incidents; retail at 18 per cent; and education with 11 per cent. 

Helen Dickinson, chief executive of the British Retail Consortium, which represents the sector, said “cyber attacks are a real risk for all businesses and are becoming increasingly sophisticated” and “retailers spend hundreds of millions every year to mitigate these risks and ensure they can continue to serve customers”.

Retailers also had large customer databases rich with payment information, said Jamie Smith, global managing director of cyber security at S-RM, a consultancy that offers digital forensic services.


Smith added that “the real-time nature of retail operations means that any disruption can be catastrophic, and also very visible”, creating “greater leverage for an attacker wanting to extort them”.

Michael Yates, partner and head of cyber security at law firm Harbottle & Lewis, said hacking “a well-known retail brand generates leverage . . . because the victim will want to avoid brand and reputational damage at all costs to stop eroding customer trust”, adding: “M&S is one of the most trusted brands in the country.” 

Even if retailers did not pay ransoms, he added, their mountain of data meant hackers could still profit from selling it on. 

While M&S, the Co-op and Harrods are the latest retailers to suffer IT disruption, Christmas sales at supermarket chain Wm Morrisons were badly hurt by a cyber attack on technology provider Blue Yonder last year. Currys and JD Sports have also suffered attacks that breached customer data.

M&S warned in its most recent annual report that the shift to hybrid working since the Covid-19 pandemic, as well as the greater use of digital technology and cloud systems, had made it more susceptible to cyber attacks.

Retailers’ operations are also fragmented, spanning stores and online and mobile networks, and they work with numerous suppliers, all of which increases the risk of an attack, said S-RM’s Smith. Many retailers still rely on legacy systems, he added, which cannot be taken offline without disrupting tills.

The all-encompassing nature of technology in businesses means that “through a ransom attack, everything can very simply grind to a halt,” said Darktrace’s Lewis.

George Glass, a cyber threat expert at Kroll, said the three incidents could be the work of Scattered Spider, a hacking group that has conducted similar actions in the past, and has been linked to the M&S attack.

Scattered Spider typically works with ransomware groups such as DragonForce or RansomHub, which can help orchestrate the data leaks if ransom negotiations prove fruitless for cyber criminals.

Scattered Spider’s profile was somewhat unusual, said Secureworks’s Pilling. The group is amorphous, with known members tending to be male, and as young as 14 or 15. But crucially they were also English speaking and tended to be based in the west, he added. “That’s an unusual thing for cyber crime groups — many of them are outside of western jurisdictions, and that’s how they get away with things long term.” 

While the group’s motivations are ultimately to make money from a hack, “there’s just a big kudos within the [hacking] community element, so they do it for bragging rights almost”, Pilling added.  

Unlike groups that rely on sophisticated techniques, Scattered Spider “are very good at getting on the phone to people, talking them into revealing credentials or resetting passwords; they understand business processes well and so they’re very good at manipulating people”, he added.

Darktrace’s Lewis believed it would take M&S “months” to fully recover from the impact of the attack, as it had to strike a balance between swiftly turning the systems back on to serve customers and the risk of moving too quickly if the malware was still present in its systems. He added that when there had been an attack “you often only see the symptoms”.

Additional reporting by Kieran Smith in London
