The cyber attack on Marks & Spencer, reported to have been carried out by a gang of teenage hackers, has sent a ripple of fear through the high street and spread dismay among investors.
After all, it’s not been just any old hack, it is a hack on M&S – and thus more significant and unsettling, especially now that the Metropolitan Police are involved in the case.
There is anger among customers on social media and shares have fallen by 5 per cent within the past few days, in response to the news that online and app orders have been paused and warehouse staff sent home. This has coincided with a period of record temperatures, exacerbating any damage to sales.
Susannah Streeter of investment platform Hargreaves Lansdown comments: ‘Demand for fashion is likely to take a big hit. During this spell of warm weather, summer ranges would ordinarily be piling up in virtual baskets.’
Executives in cooperation with the National Cyber Security Centre (NCSC) are working around the clock to sort the crisis. While the company is making no comment on the nature of the investigation, progress has been made: contactless payments in stores have been restored.
But click-and-collect, a means of delivery that boosts visits to the 1,492 stores, remains unavailable, and such has been the publicity surrounding the hack, that speculation is emerging about a possible change of strategy at the retailer.
M&S, a £7.76bn FTSE 100 company, sells about £3.5million of clothing and homeware online every day. Currently these sales make up about one-third of the total, but the plan is that this will rise to more than a half, making M&S the pre-eminent multi-channel retailer of our era.
But the apprehension now surrounding this plan has been further heightened by the power outages in Spain and Portugal – which dramatically highlighted the extent of our reliance on technology.
The cyber attack on Marks & Spencer, reported to have been carried out by a gang of teenage hackers, has sent a ripple of fear through the high street and spread dismay among investors
Empty food shelves at Marks and Spencer in Cambridge as the retailer struggles to manage the fallout from the cyber attack
The images are raising suspicions that the attack might be more extensive than first thought
There is no evidence that these blackouts were the result of a hack. Nonetheless, they have reminded us how vulnerable nations and corporations have become to rapacious hackers eager to exploit gaps in the technology systems that make modern life work.
This disquiet may be temporary, or indeed misplaced.
But M&S chairman Archie Norman and chief executive Stuart Machin may now feel that they should execute a pivot in their approach. Machin, who was appointed to the top job in 2022, is famously ‘positively dissatisfied’ about progress, always striving for better, and Norman has a similar commitment to unremitting improvement. He has described the collaboration as a ‘high-wire act’.
In January the pair unveiled bumper Christmas trading: the nation could not get enough of M&S’s festive treats which included pigs in blankets double-wrapped in bacon, Turkey feast sandwiches and panettone.
But Norman still reiterated his commitment, saying: ‘We think keeping the spirit of the turnaround is essential because it takes a long time to irreversibly change a business.’
Norman, whose illustrious career includes a spell as an MP and as chairman of ITV, has only two years left at M&S to fulfil his ambition for the complete revitalisation of this 141-year old retailing stalwart. A nine-year term as chairman is the City’s unspoken rule.
The Norman-Machin turnaround of the chain, transforming it from fusty to funky, is seen as one of the UK corporate success stories of the decade – which may be why there is, as yet, no talk that either could be toppled from their roles.
The City may be alarmed by the hack, but they will also be appreciative of the bounce in the shares. Despite this week’s setback, shares are still up 290 per cent over the past five years, thanks to the advances in food and in fashion.
M&S chief executive Stuart Machin, who was appointed to the top job in 2022, is famously ‘positively dissatisfied’ about progress, always striving for better
This week, the Kantar consultancy reported that spending on groceries at M&S grew by 14.4 per cent in the 12 weeks to April, confirming that the store is now the place for the weekly shop as well as gourmet dishes, celebration cakes like the Colin the Caterpillar and confectionery, such as Percy Pigs.
This campaign to ensure that M&S is an affordable proposition for families looking to eat well has been accompanied by a transformation of the clothing division.
M&S is now a fashion leader, showcasing collections designed by the actress and style icon Sienna Miller. Shoppers can opt for M&S own brand and the Autograph, Jaeger and Per Una lines. They can also buy labels such as Nobody’s Child, Whistles and even Calvin Klein on the app and website.
But online expansion makes a retailer a tasty proposition to the hoodie-wearing adolescent tech nerds who carry out ransomware extortion in return for cryptocurrency payouts.
The rumours are that Scattered Spider, a ransomware group based in the US and the UK, is behind the M&S hack.
These English-speaking criminals do not only look for weaknesses within target companies’ systems, they also try to hoodwink and manipulate IT help desks to facilitate their access by sending phishing emails.
In February the Scattered Spider gang stole a piece of software from the M&S systems that seems to have given them the authentication necessary to gain entry to some or all of the network.
In April they returned, deploying, or so it is said, DragonForce, a type of malicious software that encrypts systems, freezing them so that they cannot be used – and so that the maximum chaos will be created in orders, payments and much else.
DragonForce disables anti-virus software, regularly communicating back to the hackers to provide information it has garnered.
The hackers then demand money for the ‘keys’ that will unlock the decryption and restore operations. Julius Cerniauskas, chief executive of web intelligence experts Oxylabs, comments: ‘Their goal is simple: the greater the disruption, the greater the pressure on the company to pay the ransom.’
It is not clear to what extent the hackers have infiltrated systems at M&S and whether they have been able to steal customers’ data, including card details and passwords. But pictures of empty shelves at the flagship Marble Arch store are raising suspicions that the attack might be more extensive than first thought.
Billions are spent on securing IT systems against such criminal forays. But as George Weston, boss of Associated British Foods, the Primark group, conceded this week: ‘It’s a threat to us all.’
Susan Streeter, of investment platform Hargreaves Lansdown, emphasises the importance of the establishment of more resilient frameworks so that worried customers can be won back
Now pressure to reassess the speed of the switch to online at M&S may mount ahead of the results for the year to March which will be announced on May 21.
Last year, M&S made profits before tax of £716.4million. A rise to £830million is projected for the 2024-2025 year. But the loss of sales from the hack will affect this year’s profits.
M&S’s customers may be apprehensive about venturing back on to the M&S website and app, but Nathaniel Jones of the cyberspace company Darktrace says that M&S will come back online with ‘sustained crisis management support from both NCSC and the National Crime Agency’.
Investors may be equally wary over the impact of the potential loss of trust and credibility that may result from the hack.
However as Lucy Rumbold, an analyst at wealth management firm Quilter Cheviot, points out, the food and clothing stores remain open. But she raises the issue of how much M&S will have to spend to address the fall-out from the attacks at a time when competition is becoming more ferocious in the groceries market.
She comments: ‘In the short-term, M&S will need to focus on getting out of this cyber attack in a good state. It also needs to ensure that it has the trust of customers, so that it can build on the momentum created by Norman and Machin and fight off any other headwinds.’
Streeter also emphasises the importance of the establishment of more resilient frameworks so that worried customers can be won back, which she suspects may not happen overnight.
Many private investors who are also shareholders will be irritated at the lack of internet shopping and the fall in the share price. I am one of these investors, having acquired a holding in November 2022, when the price was 122p. It is now 388p.
Most of my wardrobe is bought at M&S: in my view, the retailer is now better at providing the latest looks for less than Zara. The quality is also superior.
I invested because people would not believe that some of my pieces came from M&S. This unfamiliarity with the product suggested to me that there was huge scope to win new customers. I still feel that Marks has further to go, and I am sticking with the shares.
Seven of the analysts rate the shares a ‘buy’ and a further nine consider them to be a ‘hold’ or ‘outperform’. The average target price is 428p.
This may sound ambitious, but the current share price is still 31per cent below their level of a decade ago – which should give Norman and Machin even more impetus to move beyond the hack, reassure investors and customers and show that a national institution will not be brought low by a teenage criminal gang.
