Marks & Spencer has disclosed that cyber criminals gained access to its systems by tricking employees at a third-party contractor, launching a sophisticated attack that has disrupted the British retailer for over a month and is expected to continue causing problems until July.
Speaking for the first time since the breach was revealed on 22 April, chief executive officer Stuart Machin said the hackers were “unable to get into our systems by breaking through our digital defences” and instead resorted to social engineering tactics through a third party rather than exploiting system weaknesses.
“Once access was gained, they used highly sophisticated techniques as part of the attack,” Machin told reporters. He declined to comment on any ransom demand, citing advice from government agencies and law enforcement.
The attack has proven costly for the retailer, which generates nearly £14 billion in annual sales. Bank of America analysts estimate Marks & Spencer has lost more than £40 million in sales every week since the incident began over the Easter bank holiday weekend. Online orders were suspended on 25 April and are unlikely to be fully restored until July, the company said on Wednesday.
Marks & Spencer became aware of the breach when it spotted suspicious activity during the Easter weekend of 19-20 April. Machin said the time between hackers gaining access and detection was “short”, noting that experts told the company the average detection time was 10 days, with some cases taking many months.
The retailer has an IT contract with Tata Consulting Services, and one source familiar with the matter told Reuters this was a means of access, though TCS has declined to comment. When asked specifically about TCS being the weak link, Machin declined to comment.
Following the attack, Marks & Spencer took the precautionary step of shutting down many of its IT operations, effectively locking itself out of core systems. Some stores experienced empty food shelves after the firm had to take food-related systems offline. The biggest ongoing challenge is restoring its online system, which accounts for around a third of clothing and homeware sales.
On 13 May, the retailer confirmed that some personal customer data was stolen, potentially including names, dates of birth, phone numbers, home addresses, email addresses, household information, and online order histories. However, the company said any card information taken would not be useable as it does not hold full card payment details on its systems.
Machin said the company had scanned 600 systems for damage and was gradually bringing them back online. He noted that Marks & Spencer had trebled its technology spending over the past three years to boost defences, emphasising that “all companies were vulnerable” to such attacks.
Britain’s National Crime Agency told the BBC the investigation was focused on a cluster of young, English-speaking hackers. The same group is believed to have previously targeted Co-op, which shut down parts of its IT systems on 30 April in response to an attack that caused payment problems and widespread stock shortages.
