If you’ve been following the news, you will have heard about the major cyber disruption experienced by Marks & Spencer (M&S). Over the Easter weekend, this iconic UK retailer’s online services, including click-and-collect, payment systems, and online ordering, stopped working. The company confirmed it was a cyberattack, and cybersecurity experts believe it was ransomware delivered by a team associated with Scattered Spider, a group known for cyberattacks on retailers.
M&S is far from a start-up or an obscure company. It is a retail giant with almost 1,000 stores and billions in sales, with about a third of its clothing and home sales coming from online orders. The downstream impact of a cyberattack is therefore significant, both operationally and financially.
What Really Happened?
The attackers, using social engineering techniques, fooled individuals into granting them access. Rather than going after M&S directly, they compromised a third-party vendor and then moved laterally into the computer systems of M&S.
The group has been identified as Scattered Spider, an organized hacking group known for carrying out ransomware attacks. In a ransomware attack, the attacker locks a company out of its own systems and data until a ransom is paid. M&S will not confirm whether it paid a ransom, but we consider it likely that it did.
Here are some of the things that have recently taken a hit:
- The online ordering system for clothes, home goods, and food
- The click-and-collect system, as well as contactless payment for customers
- The availability of products due to disturbance in systems nationwide
£400 Million Hit to Profits and Counting
It is estimated that this attack could cost M&S around £400 million in profits this year. That is about 30% of annual profits wiped out in almost no time, and it is more than a number on a page.
That loss shows up as disrupted supply chains, annoyed customers, lost sales, and costly manual workarounds. The online store was shut down for just under a month, but it could be the end of July before the company returns to full working order. Share prices have dropped, suppliers had to shift to manual ordering processes, and consumers faced delays or stock shortages.
Their CEO, Stuart Machin, called it “a highly sophisticated and targeted incident.” Just a year ago, the company participated in cyberattack exercises; however, the hackers still got through.
Why Should Your Organization Care About This Hit?
If a company as mature as M&S can experience this extent of disruption, it should wake everyone up. Here are some key reminders this incident raises:
Ransomware Attacks Are Not Just Technology, But People, Too
The attackers got in through social engineering. This shows that no matter how effective your firewalls or antivirus are, if a staff member or partner makes a mistake, intruders will get in. Phishing, impersonation, and weak third-party governance remain highly hazardous.
Third-Party Risk Is Real and Expensive
The breach came through a third party. If your vendors, suppliers, or contractors have lax security, they are your weakest link. This attack should remind all of us to audit and manage third-party risk regularly and deliberately.
Have a Business Continuity Plan
M&S was able to take the website offline quickly to protect both customers and systems, which was a difficult but necessary decision. Its previous mock exercises in responding to a cyberattack allowed it to react quickly. A well-trained and tested plan can be the difference between chaos and order.
The Financial Fallout Is Not Just Ransom
Even if a ransom is not paid (M&S has not disclosed whether it paid), the costs of the attack continue to mount: lost revenue, manual logistics workarounds, reputational damage, increased insurance premiums, possible fines for the data breach, and more. Cyber insurance may assist, but it is unlikely to cover all of the damage to M&S.
Recovery Takes Time and Perseverance
Three weeks after the attack, M&S stated that it expects to take around three months to restore full online operations. So for your organization, incident response is not just about the breach itself but about managing the business impact over weeks, if not months.
What Can You Do Now?
First, start an employee awareness and social engineering program, and assess how prepared your team and your vendors are. Can your employees and vendors recognize phishing or social engineering attempts? How often does your organization test and train its employees?
Run phishing simulations that mirror current attacker tactics. Alongside this, conduct vendor security assessments focused on access controls and incident response plans.
Wrapping Up!
The Marks & Spencer cyberattack is a stark reminder. No organization is immune from advanced threats, and the financial cost of complacency is very high. Its experience also shows that a well-constructed level of preparedness and a prompt, open response to threats can make a significant difference in weathering the storm.
You need to think through the following questions to navigate the storms:
- How prepared are we if a critical business period is hit by a high-impact attack?
- What flaws could a clever social engineering trick reveal?
Now is the time to review, rehearse, and reinforce.
As an easy way to create an overall strategy, you can use a four-step formula: assess your employees, build awareness across your teams, protect your systems, and empower your people.