Weeks after suffering one of the most disruptive cyberattacks in UK history, UK retailer Marks & Spencer (M&S) said it will respond by accelerating a planned two-year overhaul of its digital operations to bring it to completion in only six months.
Given that the company expects the aftereffects of the attack, including cessation of online shopping, to continue until July, compressing new IT and digital infrastructure spending into a matter of months might strike investors as ambitious. However, it allows M&S to put a positive spin on the revelation in the company’s latest financial update that the attack, which hit the company on April 19, will knock £300 million ($400 million) off its profits for the next year.
“We are seeking to make the most of the opportunity to accelerate the pace of improvement of our technology transformation and have found new and innovative ways of working,” said M&S CEO Stuart Machin, without going into detail about what the transformation would entail.
“We are focused on recovery, restoring our systems, operations, and customer proposition over the rest of the first half, with the aim of exiting this period a much stronger business,” he added.
Despite the staggering impact on profits, by some distance the largest sum ever publicly admitted to by a UK company as a result of a cyberattack, shareholders will take some comfort that Machin believes the final cost of the incident “will be reduced through management of costs, insurance, and other trading actions.” He said that these costs will be “presented separately as an adjusting item.”
This, of course, currently doesn’t factor in any costs arising from any legal action around the customer data breach it admitted to having suffered during the attack.
Complete shutdown
Within days of the attack on Easter weekend, the company shut down its entire internal and online footprint, barring the store point-of-sale terminals.
That included its online, app, and click-and-collect ordering system, applications used internally by staff, and supply chain and logistics systems. The latter led, in some stores, to a few bare shelves.
The attack was classic “big game” ransomware, which some speculated was connected to the “Scattered Spider” group, which uses the DragonForce ransomware-as-a-service (RaaS) platform. None of this has been confirmed, and it is unknown whether a ransom was paid.
The update did reveal one important detail: the attackers had compromised M&S after a social engineering attack on the employees of an unnamed third-party supplier. This was characterized by Machin as “human error,” which might offer a clue to where future investment will be directed.
On the basis of a single source, Reuters has suggested that the supplier is Tata Consultancy Services (TCS), which is also used by another UK retailer, the Co-operative Group. Possibly not coincidentally, the Co-op was hit by a similar, if less severe, ransomware attack in the same week. Again, this has not been confirmed.
In early May, Britain’s National Cyber Security Centre (NCSC) warned retailers that attackers were finding new ways to get inside targets, including through Teams and helpdesk calls.
Accelerating or spinning?
M&S appears to have decided not to waste a crisis, and to complete its transformation strategy faster than planned. CEO Machin offered no detail on these plans, but over recent years M&S has announced a stream of initiatives, including expanded use of cloud systems and, predictably, AI.
From an efficiency point of view, this strategy makes sense. The organization is already in the midst of disruption, so bundling further change into the same period results in less upheaval in the long run.
However, what CEOs usually mean by digital transformation is an expansion of technologies designed to engage customers. The downside is that this risks increasing an organization’s attack surface, and with it its vulnerability to future disruption.
So does this strategy – some would say spin – add up? Given the number of cyberattacks over the last 20 years, there should be a reliable corporate playbook for such incidents.
Human factor
M&S’s incident response will comprise two elements: recovering and hardening systems to avoid a repeat attack, and, almost as stressful for the managers and lawyers involved, figuring out where business liability lies.
The first of these — extra investment in IT — is what most companies do anyway behind the scenes after an attack, agreed Jordan Avnaim, CISO for security vendor Entrust.
“While digital expansion can widen the attack surface, it also presents an opportunity to modernize legacy systems, implement zero trust, and treat cybersecurity as a board-level business priority,” said Avnaim.
The difference in the case of M&S is mainly the scale on which this would be happening.
“Organizations that use crises to drive long-term resilience will be far better equipped for the evolving threat landscape,” he said.
However, simply throwing money at more and better security equipment isn’t enough on its own. The social engineering that was apparently the root cause of the M&S attack shows that basic human processes and behavior matter just as much.
Defending against this takes a thorough examination of those processes, which in most organizations go unexamined.
“The M&S breach is a case study in the seamless blend of social engineering, privilege abuse, and off-the-shelf tooling,” said Nicholas DiCola, VP of customers for Zero Networks.
“It reinforces what many in the industry already know: perimeter defenses alone are no longer enough. Today’s attackers exploit trust as much as they exploit code. That means resilience isn’t just about prevention, it’s about containment, recovery, and communication.”
Full article: M&S says it will respond to April cyberattack by accelerating digital transformation plans