On Easter Monday, a cyber incident occurred at British retailer Marks & Spencer. A week later, the dust has yet to settle. Contactless payments were rendered unusable, and online orders were temporarily suspended in the UK and Ireland. What went wrong during this hack? What went right? And, perhaps more importantly, what can we learn from it?
Because of a major cyber incident, M&S customers have often returned from their shopping trips empty-handed. Contactless payments were still not working 72 hours after the attack was reported on Monday. Click & Collect and the redemption of gift cards were also made impossible. To make matters worse, M&S was forced to suspend online orders in the UK and Ireland, the channel through which it generates around a third of its UK sales.
In short, this is a costly incident that no doubt damages Marks & Spencer’s reputation, at least in the short term. Malicious parties are also taking advantage of the attack through phishing operations targeting unsuspecting M&S customers. In these emails the website suddenly appears to be accessible again, but nothing could be further from the truth. People who received messages offering them a discount for being a “good customer” of the British retailer later found that they had been robbed of tens or hundreds of pounds or euros.
Quick, but with a big impact
An attack during Easter is no surprise. Cyber attackers love to strike during holidays or weekends, when organizations and security teams are typically less staffed. It is also possible that recently reported vulnerabilities have not yet been patched, giving attackers more opportunities than usual to infiltrate an IT system with a relatively simple scan.
It is unclear when exactly the attack began. It is also unknown whether ransomware was used and whether employee and/or customer data was stolen. On Monday, April 21, M&S announced that a cyber incident had occurred. A day later, CEO Stuart Machin issued a personal statement in which he spoke of “small changes” to normal store operations. Some customers reported that staff were going to great lengths to compensate for the system outage.
However, these were anything but minor changes to M&S’s processes. First of all, staff working from home were unable to log in, orders could not be checked out in the stores themselves, and invoices were not visible on the website. A week after the incident was first reported, there has still not been a full recovery.
Marks & Spencer was at least relatively quick to inform consumers. The relevant UK authorities, the NCSC, the ICO, and the NCA, were also notified. Finally, an independent forensic team was brought in to determine how the cyberattack could have occurred. These standard steps indicate a mature approach to such an incident. The scale is also limited to the United Kingdom and Ireland.
A graceful crash
When an IT incident occurs, it quickly has physical consequences. How this plays out varies, of course, for a retailer with both online and physical points of sale. Customers find it easier to understand that a website becomes unavailable due to a malfunction or cyberattack. Physical stores, however, will sometimes have to deal with customers who are less understanding: being unable to sell a product (or, after payment, to hand it over for collection) is understandably harder to accept. Regardless of what exactly happened, the recovery options could clearly have been better suited to a disruption like this. After all, in theory, a store should be able to continue operating without digital resources: you simply write orders down by hand. This has its costs, but it keeps the source of income from drying up. In short: processes must “crash gracefully” rather than simply collapse.
In other respects, however, there is little to criticize about M&S. The communication is somewhat pompous and the impact is somewhat played down, but the reason the impact has grown has little to do with Marks & Spencer itself. Opportunistic phishers hiding behind a legitimate brand can only be combated by alerting customers to the danger, and other parties are already doing so, such as McAfee EMEA head Vonny Gamot.
On net, the incident has cost M&S around 5 percent of its market value. The revenue lost to the system failure will no doubt be established fairly precisely internally. More importantly, M&S can now work out how the attack happened and mitigate its effects in the future. For other parties, the M&S hack is a valuable lesson: even in an online world, brick-and-mortar businesses must still be able to fall back on a physical alternative.