Marks & Spencer, one of Britain’s largest retailers, said on Wednesday that disruption from a “highly sophisticated” cyberattack that crippled operations over the last month was expected to linger until July and would cost the company about 300 million pounds ($400 million) in lost profits this year.
The breach, which emerged over the Easter weekend, has been costing the company millions of pounds a day after it had to pause online orders, staff had to resort to manual processes and food waste piled up.
Some processes like food deliveries to stores are running smoothly again, but the company is still not taking online orders for clothing and home goods and customers cannot get access to its loyalty program. Online orders and related back-end operations will not fully return until July, the company said.
“This has been a challenging time,” Stuart Machin, the retailer’s chief executive, said in a call with analysts on Wednesday.
“We’re now focused on recovery and customers should be able to shop in our stores as normal,” he said, adding that it would take several more weeks to restart online orders.
Cyberattacks and other digital security breaches are relatively prevalent in Britain, disrupting stores, charities and hospitals. But even when they are contained or interrupted, the damage can last a long time as organizations slowly get processes back online and staff members are diverted from other priorities.
When hackers attacked M&S, the 140-year-old retailer was in the midst of a transformation intended to speed up sales growth and maintain its relevance on Britain’s primary business thoroughfares, known as the high street.
Reduced availability of food has hurt sales, and additional waste and logistics costs will cut into the company’s profit this quarter, the retailer said on Wednesday. Sales and profit for clothing, home and beauty items have been “heavily impacted.”.
But the final cost of the attack could be reduced by about half after insurance and other efforts to cut costs. The company also said that it would use this moment to ramp up an upgrade to its technology within six months, rather than the two years it had planned.
Last week, M&S said that some customer data had been stolen in the attack. Thieves may have gained access to personal information, potentially including contact details and birth dates, but there was no evidence that the data had been shared more broadly. Card and other payment details, as well account passwords, were not compromised, the company said last week.
One of the hacker groups being investigated for the M&S attack is known as Scattered Spider. The group traces back to at least 2022 and is believed to include native English speakers as young as teenagers. The group is known for social engineering campaigns in which they trick people into providing passwords or other credentials to break into a company’s computer network. Once inside a target’s system, debilitating malware is installed, which the group says can be removed for ransom.
M&S said that the origin of the breach was a human error and that the hackers gained access to company’s system through social engineering tricks via a third-party supplier.
Scattered Spider has also been linked to other prominent incidents, including the 2023 cyberattacks against the Las Vegas casino operators MGM Resorts and Caesars Entertainment.
In Britain, one in five businesses have been victims of at least one cybercrime in the past year, according to a recent government survey.
Other cyberattacks in Britain have targeted Harrods, the high-end department store in London that experienced brief disruptions last month and restricted internet access at its stores and offices after a an unauthorized individual tried to get into its systems. Co-op, another retailer, reported that a cyberattack last month caused limited damage to some of its services.
The details of the financial cost of the cyberattack on M&S overshadowed a strong earnings report. The company said that profit before tax and adjusting items rose 22 percent, to £875.5 million, its highest in 15 years. Its revenue rose 6 percent, to nearly £14 billion.
Adam Satariano and Jenny Gross contributed reporting.
Eshe Nelson is a Times reporter based in London, covering economics and business news.
The post British Retailer M&S Says Cyberattack Will Cost It $400 Million appeared first on New York Times.
