M&S cyber attack disruption likely to last until July | Computer Weekly

By Computer Weekly
May 21, 2025


Marks and Spencer (M&S) leadership believes that it may take at least another month to fully recover following a ransomware attack that now looks likely to cost it at least £300m.

It has also emerged that the incident may have begun through the systems of a third-party supplier of IT services, where tech support staff had their credentials stolen via social engineering, according to CEO Stuart Machin.

The admission that the attack began via social engineering lends credence to the theory that the Scattered Spider hacking collective is indeed behind the attack. The gang has previously used similar techniques against other targets.

According to Reuters, the initial target of the cyber attack may have been Tata Consultancy Services (TCS), which runs the M&S IT helpdesk. Pushed by reporters on this on results day, Machin declined to state if this was accurate, and Computer Weekly understands TCS has also made no comment.

Nor did Machin reveal whether or not M&S has paid off its attackers, citing advice from incident responders.

He did, however, say that M&S has invested heavily in cyber tooling in the past 24 months, which may have helped it spot and respond to the attack more quickly. He also said M&S had not “left the door open” to its hackers.

“Over the Easter bank holiday it became clear that we were facing a highly sophisticated and targeted attack,” said Machin in a prerecorded video accompanying the retailer’s latest results. “We called in several cyber experts and assembled the best support team including technology partners and notified the authorities immediately.

“As a result we were able to take control of the situation very quickly and take the right actions to protect the business, our customers, our suppliers, and keep our shops empty and trading. This meant proactively taking down some of our systems which resulted in short-term disruption – but we think that was the right thing to do.”

Minimum viable company

Jason Gerrard, senior director of systems engineering at cyber resilience company Commvault, said M&S’ experience was a useful reminder to others that the ability to recover fast must be built into cyber resilience plans.

“Behind the scenes, teams are scrambling to rebuild systems, trace breach origins, and restore customer data with forensic precision – all while execs are juggling regulators, insurers, auditors and shareholders,” said Gerrard.

“The longer it takes to return to ‘normal’, the more that ‘normal’ drifts further away, both in business operations and public perception. While recovery takes 24 days on average, some organisations don’t achieve business-as-usual for over 200 days.

“This headline-grabbing downtime should be a warning to others that preparation for such a scenario is vital. Having a tried and tested recovery plan in place and identifying your Minimum Viable Company (MVC) ahead of time can help to reduce some of the damage that can very quickly spiral out of control,” said Gerrard. “Understanding your MVC – the essential systems needed to stay operational – is central to achieving cyber resilience and maintaining continuous business, even amidst a cyber attack.

“The true power of the MVC model is not simply about responding to threats – it builds future-ready organisations that can adapt, recover, and lead.”

Recovery mode

Meanwhile, M&S says it has now moved into full recovery mode and is trying to get back on its feet. Machin said: “Customers should be able to shop in our stores as normal. Our food business is delivering stock to stores in the normal way and all customers should find much better availability and should find what they need. Stock is flowing well.

“But of course, in fashion, home and beauty, online orders are still paused but our plan is to reopen online in the coming weeks. It is a complex operation so it is going to take us some time to bring up our online systems.”

Looking ahead, Machin said M&S would turn the cyber attack into a net positive, bringing forward a previously announced digital transformation plan and condensing a two-year plan into just six months.

“This has been a challenging time,” said Machin. “[but] our business is in good shape with strong performance, strong foundations, and a solid financial footing. This has bolstered our resilience meaning we can recover at pace and regain momentum.

“We will draw a line under this and move on to business as usual,” he said.

Besides thanking M&S staff and suppliers for their hard work and support, and customers “who have given us so much help and encouragement”, Machin also gave thanks to his peers in the business world.

“So many chief executives have called me over the past few weeks who have all gone through similar events,” said Machin.

“They told me firstly this will be one of the most challenging situations you face as a CEO. Secondly they told me we need to watch out for burn-out … in the first few weeks. And thirdly they said to me it will take longer [to recover] than you would like and you would hope for, and it could be a distraction in the short-term.

“We’re only four and a half weeks into this incident. It feels like four and a half months if I’m honest,” he added.


