Over the Easter weekend, news broke that M&S was experiencing disrupted operations across its UK network, including online services, supply chains and in-store systems, due to a cyber incident.
The timing of the attack was particularly catastrophic, with Easter being a very popular time of the year not only for grocery shopping but also for back-to-school items and general spring-cleaning goods.
Little information has been released about the incident so far, and M&S has not yet officially disclosed the nature of the cyber attack. Some news outlets are reporting that M&S is experiencing a suspected ransomware attack by a well-known threat actor group called ‘Scattered Spider’. Ransomware is a form of malware deployed by cyber criminals which encrypts systems and/or data and demands a payment in exchange for decryption. The group has been linked to over 100 targeted attacks across the telecoms, finance, retail, and gaming sectors.
With regard to the Co-op incident, the retailer claims that the incident had a 'small impact' on its call centre and back office; however, it took proactive measures to shut down part of its IT systems to prevent hackers accessing them. Similarly, the impact of the Harrods incident has been limited so far. Despite this, the full extent of a cyber incident is often unknown in the early stages, and until a full forensic investigation is complete, there is always a possibility that the hackers have infiltrated other areas of the business.
While, at the time of writing, the impact on The Co-op and Harrods has been limited, M&S felt the full force of the attack, with multiple services being disrupted, including:
M&S were the unfortunate, unsuspecting ‘first victims’ in this case. Often, it takes one organisation to get hit badly for others in the sector to take note; The Co-op and Harrods reacted quickly and proactively to shut down the potential threat, which is positive to see.
Unfortunately, incidents like this aren’t unusual. Vulnerabilities will always exist, and cyber criminals will always look to exploit them. Retailers, like businesses from many other sectors, will be struggling to keep on top of a myriad of cyber security issues and are often fighting to maintain security across a range of interconnected systems, which can often be legacy and highly customised. Nevertheless, if an incident does occur, how we manage and respond to it is entirely in our control.
No matter how secure retailers feel they are, the best organisations still comprehensively prepare for the potential impact of a cyber attack. As The Co-op and Harrods have done, shutting down any potentially vulnerable services (where possible) is a positive step. Your incident response team, including those in governance roles, must always be on standby and well-rehearsed. Preparing incident response procedures ahead of time is crucial for navigating attacks. A good incident response plan ensures that roles and responsibilities are clearly defined, and that there are backup contacts in the event that individuals are unavailable. An understanding of what systems you can restore (and when) is also vital for resuming operations. From a communications perspective, having templates for internal and external stakeholders is beneficial to ensure a consistent and universal approach to incident handling. The latter is particularly important, as customer loyalty that has taken a lifetime to build can be lost quickly.
Times like these can be worrying for management but also, crucially, for those working in IT. If you would like some further advice or support, the Forensic Services team is always available for a conversation to ensure your organisation is suitably managing its cyber risks and is prepared to respond effectively in the event of an incident.