Three weeks after a massive cyberattack, Marks & Spencer’s online shop is still down, stock is still missing from shelves and it is losing £40 million in sales every week.

Teams have been working 24 hours a day to get the company back online. “There’s people who haven’t slept for three nights,” an insider said. “Getting back to where we really want to be is going to be weeks, not days, but we’ll have an online presence quite soon.”

The company has shed £1 billion of value on the stock exchange and the financial hit has already breached its £100 million insurance cap, it is understood.

Now The Times can reveal that the hackers, thought to be from the Scattered Spider group, penetrated the retailer’s IT systems through a contractor.

“What went wrong was human error. Human error is a polite word for somebody making a colossal mistake,” a source said.

The hackers were able to work undetected in the systems for around 52 hours before the alarm was raised, insiders said, before emergency response teams defended M&S over a five-day “attack phase”.

Since then the company has been investigating and rebuilding, stages known as the discovery and recovery phases. It is understood M&S’s stock availability will be back to normal next week, but its website could take weeks to go back online.

Stuart Machin, the chief executive of M&S, said he was “really sorry” for the disruption to services

Scam hamper

This week, the company told its 9.4 million active customers their personal data had been stolen, leading experts to warn of a “great scam opportunity”.

Dozens have already reported a spike in scam messages, including one customer who was invited to swap private details for an M&S hamper.

Sara Fenwick, 53, a mother of three from Kingston upon Thames in southwest London, relies on the M&S website because she is disabled and unable to access their shops.

She followed a link to update her password, only to find she had been the victim of a phishing attack.

“It’s most definitely worrying, you’re always hearing about people getting hacked,” she said. “I am just lucky that I have a child working in IT who could help me, that’s why I was alerted to it. I’m hoping my data hasn’t been leaked everywhere.”

She said that M&S did not offer sufficient support. “It’s not good enough,” she said. “They’re not giving updates and it’s been going on for three weeks. Surely as a multi-billion pound company they’d be able to get people in and sort it out quicker.

“There’s most definitely been an increase in scam messages since the hack. Older people might be lured into these traps.”

M&S shoppers have been targeted by scammers

Cyber experts said the hack was “a great scam opportunity” either for opportunists or, in time, criminal groups using the stolen data.

One shopper, Elizabeth Walker, said she was targeted by a scammer pretending to be M&S asking her to click on a link to receive a “compensation hamper”, while Karen Skelton, 55, who lives with her husband, Paul, in Upton in Dorset, said she had been getting daily spam phone calls since the hack.

Another shopper, Becky Clark, said she had already received numerous spam emails claiming to be from M&S, adding: “They have increased exponentially since the attack.”

The trove of customer data, which includes names, emails, dates of birth and addresses, has not appeared on leak sites, but some experts believe it is highly likely it will be shared.

Rafe Pilling, the director of intelligence at the security company Sophos, said: “If people phone you up and say they’re from M&S and have awareness of things only M&S should know, it’s possible they are leveraging data from this breach.”

Bosses ‘under attack’

The attack will dominate next week’s annual results announcement. Bosses had hoped to bask in the success of the last financial year, when they booked about £840 million in profit.

Stuart Machin, the M&S chief executive, and its chairman, Archie Norman, are expected to face questions about their own decisions, and the extent to which the company prepared for such an attack.

Archie Norman, a former Conservative MP, was appointed M&S chairman in 2017

Danny Wallace, an M&S shareholder who is part of the Engagement Appeal, a venture that brings investors and companies together, said Machin and Norman had to come under fire.

“They will come under attack and I feel disappointed for them,” he said. “We should be attacking the hackers more than we should be attacking M&S, but somebody has to have the blame.

“If you’ve got people’s information, there’s a lot of responsibility that comes with that and they have let people down … Trust is absolutely imperative.”

Investors are reeling after £1 billion was wiped from the M&S market value, and shares continued to suffer on Friday with a further fall.

Jonathan Pritchard, a retail analyst at Peel Hunt, said: “I don’t think anyone would lay the blame personally at Machin’s door but it’s on his watch.”

The Co-op, the supermarket rival attacked by the same hackers a week after M&S, has been an unhelpful comparator. It expects its stock to come back to store this weekend but, it is understood, pulled the plug on its system quickly after receiving advice from M&S.

A job for investigators

Now the Scattered Spider group, largely made up of British and American hackers, is in the crosshairs of the FBI and the National Crime Agency.

Cyber experts believed the group was responsible, based on the pattern of attack, and that it employed DragonForce software to help the hackers break in, attempt to lock out its owner and demand a ransom.

M&S will have been strongly advised not to pay up and it is understood it had no direct communications with the hacker.

Alan Woodward, professor of cyber security at the University of Surrey, said: “It must have got really deep into M&S’s systems for it to be this bad, it seems that M&S is having to rebuild everything.

“M&S are still offline for online sales … That suggests they were a little less prepared than maybe they should have been.”

Once the attack phase was defeated, M&S and law enforcement would have tried to gather digital forensic evidence to help capture the criminals, according to Matt Hull of the cybersecurity company NCC Group. He described the attack as “hugely damaging for them financially and reputationally”.

The National Crime Agency said: “We are working closely with our law enforcement partners to investigate. We are considering the incidents individually. However, we are mindful they may be linked and therefore this will remain under review.”

‘They will survive this’

Last year’s performance saw M&S, which has counted Rosie Huntington-Whiteley, Alexa Chung and Holly Willoughby as brand ambassadors in recent years, return to its glory days.

“They were shooting the lights out as they came into this financial year. That has hit a brick wall,” Clive Black, an analyst at Shore Capital, said.

The current leadership had overseen a tripling of the share price and believed it would recover from the recent dip.

Holly Willoughby was a brand ambassador for Diet Coke before M&S

That was despite law firms signing up disgruntled customers for court claims. Colin McMenamin, of O’Muirigh Solicitors in Belfast, said he had signed up a dozen people in 24 hours for a claim in Northern Ireland.

“There’s talk in articles of selling it on the dark web and that obviously is going to create a lot of distress with people,” he said, suggesting a successful claim could start at £1,000 per person. M&S could also be fined for breaching data laws by the Information Commissioner’s Office.

“Clearly it’s taking them a hell of a lot of time to get the business back online,” the retail expert Richard Hyman said. “It’s damaging, it’s embarrassing, but I think they will survive this. I’m sure they are busting a gut … Archie Norman will be going bonkers to try and get this sorted.”