Marks and Spencer (M&S) leaders expect it will take at least another month to fully bounce back from a ransomware attack that could cost them at least £300 million.
It appears the attack started through a third-party IT supplier, where hackers stole credentials via social engineering, as explained by CEO Stuart Machin. This raises suspicions that the Scattered Spider hacking group, known for using similar tactics in past attacks, is behind the incident.
Reports suggest the attack initially targeted Tata Consultancy Services (TCS), which manages M&S's IT helpdesk. When questioned on this during results day, Machin neither confirmed nor denied it, but noted that TCS has also stayed silent. He did not reveal whether M&S has paid any ransom, citing advice from cybersecurity experts.
Machin did mention that M&S had significantly invested in cybersecurity tools over the last two years. This likely helped them spot and respond to the attack more swiftly. “Over the Easter bank holiday, we realized we were facing a sophisticated attack,” he shared in a video during the retailer’s results announcement. “We brought in top cyber experts and notified the authorities immediately.”
He added that taking certain systems offline caused short-term disruptions but was a necessary step to protect the business, customers, and suppliers.
Jason Gerrard, a senior director at Commvault, noted that M&S's experience serves as a crucial reminder that companies need to build fast recovery into their cyber resilience plans. "Recovery can take an average of 24 days, but some may require over 200 days to return to normal," Gerrard explained. He emphasized the importance of having a solid recovery plan and understanding the "Minimum Viable Company" (MVC) concept to minimize potential damage in such crises.
As for M&S, they have entered full recovery mode. Machin assured that customers can shop normally now, with food deliveries back on track. However, online fashion, home, and beauty orders are still paused. They plan to restart online services in the coming weeks, acknowledging the complexity of the operation.
Looking ahead, Machin stated they would turn this challenge into a positive by accelerating their digital transformation plans, compressing a two-year agenda into just six months. He expressed gratitude to staff, suppliers, and customers for their support during this difficult time.
Machin mentioned that other CEOs have reached out, sharing their experiences. He noted the challenges CEOs face in such situations and the risk of burnout in the initial weeks. “We’re only four-and-a-half weeks into this incident. It feels like four-and-a-half months, to be honest,” he added.