M&S chairman admits cyber attack could have destroyed chain in bombshell update

By Staff

M&S chairman Archie Norman says a crippling cyber hack on the retail giant was like an “out of body experience” that it is still recovering from

M&S chairman Archie Norman said the cyber attack on the chain cost £10m a week in lost profits (Image: PA)

Marks & Spencer could have been destroyed by a devastating cyber attack, its chairman has revealed.

Archie Norman said, had the hack happened a few years ago when it was struggling, “we would have been kippered”. As it was, M&S was forced to pull the plug on its all-important online arm, costing what Mr Norman said was around £10million a week in lost profits.

The ransomware attack happened at the end of April, with customer personal data – which could have included names, email addresses, postal addresses and dates of birth – taken. It took six weeks before the retail giant slowly began taking online clothing and homeware orders again.

Mystery still surrounds the gang behind the attack, called Scattered Spider, with reports they may be linked to a ransomware creator called Dragon Force, said to include former computer gamers turned hackers with links to Asia.

Mr Norman, giving evidence to MPs on the Commons Business and Trade Committee, declined to say whether it had paid a ransom as the matter was still part of a live investigation. As well as regulators and law enforcement agencies in the UK, he said the FBI was also contacted given the scale of cyber attacks in the US.

M&S stores were initially impacted by the cyber attack (Image: Mark Kerrison, In Pictures via Getty Images)

He said: “It is very rare to have a criminal actor in another country or this country seeking to stop customers shopping at M&S, essentially trying to destroy your business for purposes that are not clear, but undoubtedly for ransom and extortion.” The industry veteran and former Tory MP likened what happened to “an out-of-body experience”, calling it “traumatic”.

He said the company had to revert to manual working practices that it had not used for 30 years to “keep the show on the road.” Nick Follard, M&S’s general counsel, said the incident was a reminder of the reliance on technology.

And he told the Commons Business Committee: “I would say to other people, make sure you can run your business on pen and paper, because that is what you need to be able to do for a period of time whilst your systems are down.”

M&S said in June that its annual profit results – prepared before the attack emerged – were up around a fifth to £875.5million. It estimates the incident could wipe around £300million off future profits but it hopes to claw back a big chunk of that from insurers.

M&S chairman warned if cyber attack had happened when it was struggling “we would have been kippered” (Image: Adrian Brooks/Imagewise)

The committee also heard from rival the Co-op, which was also targeted by what is believed to be the same group. The food-to-funerals firm has already revealed that its IT systems spotted signs of an attack in minutes, with swift action taken to limit the impact. Despite that, deliveries to Co-op stores were hampered, leading to gaps on shelves.

Dominic Kendal-Ward, group secretary and general counsel at the Co-op Group, warned firms were under increasing threat from cyber attacks. He said: “They are going to get more sophisticated.”

Liam Byrne, chair of the Committee, said: “This was not just a costly disruption. It was a cyberattack that broke through the digital defences of two of Britain’s most cherished retail institutions – Marks and Spencer and the Co-op – in quick succession.

“That should ring alarm bells. Because if attackers can reach these giants, they can reach anyone. The risk is no longer remote but pervasive and, some fear, uninsurable.”
