M&S cyber-attack disruption to last until July

Marks & Spencer has said its online services will continue to be disrupted until July following last month's cyber-attack on the retailer.

Customers have been unable to order online for almost a month, but can expect to see a gradual return to normal.

"We expect online disruption to continue throughout June and into July as we restart, then ramp up operations," said M&S.

It estimates that the cyber-attack will hit this year's profits by around £300m - more than analysts had expected and equivalent to a third of its profit - a sum that would only partly be covered by any insurance pay-out.

"Over the last few weeks, we have been managing a highly sophisticated and targeted cyber-attack, which has led to a limited period of disruption," said M&S chief executive Stuart Machin.

The attack took place over the Easter weekend, initially affecting click-and-collect and contactless payments. A few days later M&S put a banner on its website apologising that online ordering was not available.

Police are focusing on a notorious group of English-speaking hackers, known as Scattered Spider, the BBC has learned.

The same group is believed to have been behind attacks on the Co-op and Harrods, but it was M&S that suffered the biggest impact.

"This incident is a bump in the road, and we will come out of this in better shape, and continue our plan to reshape M&S for customers, colleagues and shareholders," Mr Machin said.

Mr Machin said his team had spotted "suspicious activity" during the key holiday weekend.

M&S had run a cyber-attack simulation last year, he said, so "was ready".

"We were able to respond quickly and take the right actions immediately," he said. "We knew who to call and how to put the business continuity plan into action."

The hackers used social engineering techniques, meaning they relied on human error or misjudgement, rather than a purely technological loophole.

They gained access to M&S's system via a "third party" - a company working alongside the retailer - rather than accessing systems directly.

Mr Machin said: "We took our online system down ourselves to protect the website and customers."

In a media call on Wednesday, he did not respond to a question on whether the company had paid a ransom as part of the process.

Lisa Forte, from cyber-security firm Red Goat, who advises companies following cyber-incidents, said she would not be surprised if any of the retailers involved in the recent wave of attacks had paid a ransom, since research from Barclays suggests 82% of businesses facing such an attack do.

"You wouldn't necessarily know," she said.

If no ransom is paid, hackers will follow through with their threat to sell or release the data to ensure future threats are taken seriously, she points out.

"If the data never gets dumped, there's a high chance a ransom was paid."

She said M&S appeared to have handled the matter well overall, prioritising customers and reacting relatively quickly.

Mr Machin said the website would return to operations gradually, with 85% of the range back "quite quickly".

M&S is now three years into a turnaround strategy, started when Mr Machin joined as chief executive in 2022.

It involves updating in-store ranges and the chain's property portfolio, with digital technology and back-office systems also set to be overhauled.

The strategy had put M&S in its "best financial health for nearly 30 years", Mr Machin said, delivering results for the financial year ending in March just before the hack disrupted services at the end of April.

M&S reported a 22% rise in profit before tax and other costs to £875m, while sales rose 6.1% to £13.9bn, with growing food sales taking the lead.

Mr Machin said the cyber-attack had highlighted "new and innovative ways of working".

"If anything, the incident allows us to accelerate the pace of change as we draw a line and move on," Mr Machin added.

But it will also weigh on M&S's profits for the current year, with food sales hit by reduced availability, the company said.

In fashion, home and beauty, online sales were lost due to the pause in online ordering.

Meanwhile, additional waste and logistics costs, including needing to use manual processes, have affected profit.

Mr Machin admitted that the £300m hit to profits "does sound like a big number, but it is a one-off number".

Around half would be offset by reducing costs and from the company's cyber-insurance policy, he said.

While insurance is expected to cover perhaps a third of the bill, there could be further charges to consider including fines for the data loss, litigation, and future-proofing the business from new attacks.

Lucy Rumbold, equity research analyst at Quilter Cheviot, said it would be "a long slog" for M&S to get back to where it was.

"But given the strong performance of late and provided the attack can be wholly eliminated, the business should get there," she said.
