Marks and Spencer (M&S) leadership anticipates that it will take approximately another month to fully recover from a ransomware attack, which is estimated to cost the company at least £300m.
CEO Stuart Machin disclosed that the attack may have originated through the systems of a third-party IT services provider, where tech support staff had their credentials stolen via social engineering.
The acknowledgment that social engineering was used to initiate the attack supports the speculation that the Scattered Spider hacking group is responsible. This group has employed similar tactics against other targets in the past.
Reports suggest that the initial target of the cyber attack could have been Tata Consultancy Services (TCS), the provider of M&S’s IT helpdesk. Machin declined to confirm this when questioned by reporters, and TCS has not commented on the matter.
Machin did not disclose whether M&S has paid the attackers, citing advice from its incident responders. He did say that the company has invested significantly in cyber tools over the past two years, which may have helped it detect and respond to the attack promptly, and he maintained that M&S had not left any vulnerabilities open to the attackers.
“Over the Easter bank holiday, it became evident that we were dealing with a highly sophisticated and targeted attack,” Machin stated in a pre-recorded video accompanying the retailer’s latest results. “We engaged several cyber experts, formed a strong support team with technology partners, and promptly notified the authorities.”
“As a result, we were able to regain control of the situation swiftly and implement the necessary measures to safeguard the business, our customers and our suppliers, and to ensure our stores remained operational and secure. This involved proactively shutting down some systems, causing temporary disruption – a decision we believe was necessary.”
Minimum viable company
Jason Gerrard, senior director of systems engineering at Commvault, a cyber resilience company, emphasized that M&S’s experience serves as a valuable reminder that fast recovery capabilities must be ingrained in cyber resilience strategies.
“Behind the scenes, teams are working diligently to rebuild systems, trace the source of the breach, and restore customer data with precision, all while navigating regulatory, insurance, audit, and shareholder demands,” Gerrard explained.
“The longer it takes to return to normalcy, the further ‘normal’ drifts away, both in operations and public perception. While the average recovery time is 24 days, some organizations take over 200 days to achieve business-as-usual.
“This extended downtime should serve as a cautionary tale for others to prioritize preparation for such scenarios. Having a well-tested recovery plan in place and identifying the Minimum Viable Company (MVC) in advance can mitigate some of the potential damage that could escalate quickly,” Gerrard advised. “Understanding your MVC – the critical systems necessary for operational continuity – is vital for achieving cyber resilience and sustaining business operations, even in the face of a cyber attack.
“The MVC model is not only about responding to threats – it cultivates organizations that are adaptable, resilient, and forward-thinking.”
Recovery mode
Meanwhile, M&S has transitioned into full recovery mode and is working towards restoring normal operations. Machin assured customers that they can shop in stores as usual, with the food business maintaining regular stock deliveries and improved availability.
“However, online orders for fashion, home, and beauty products remain suspended, but we aim to resume online operations in the coming weeks. The process is complex, so it will take some time to reinstate our online systems,” Machin stated.
Looking ahead, Machin announced that M&S plans to leverage the cyber attack as an opportunity to accelerate a previously outlined digital transformation plan, condensing a two-year timeline into just six months.
“Despite the challenges we have faced, our business remains strong, with solid performance, a robust foundation, and stable finances. This resilience has enabled us to recover swiftly and regain momentum,” Machin affirmed.
“We will put this incident behind us and return to business as usual,” he concluded.
In addition to expressing gratitude to M&S employees, suppliers, and customers for their support, Machin extended appreciation to fellow business leaders.
“Numerous CEOs have reached out to me in recent weeks, sharing their own experiences with similar incidents,” Machin revealed.
“They cautioned me that this would be one of the most challenging situations I would face as a CEO, warned about the risk of burnout in the initial stages, and advised that the recovery process would be lengthier than anticipated, potentially serving as a short-term distraction,” Machin recounted.
“We are only four and a half weeks into this ordeal, but it feels like four and a half months, to be honest,” he added.