Marks & Spencer Group Plc is facing a £300 million ($403 million) hit to operating profit this fiscal year from a cyberattack last month that it blamed on human error and that is still disrupting sales and operations.
The British retailer will try to mitigate the impact with cost savings and insurance payouts, it said Wednesday. Online clothing and home orders, which account for more than £3 million of sales a day, will resume “in a matter of weeks,” M&S said, with the disruption expected to continue into July.
It is a major setback for a business that was delivering on Chief Executive Officer Stuart Machin’s turnaround plan. M&S reported the highest pretax profit in 15 years for the year that ended before the cyberattack, as shoppers bought more groceries and as the brand shook off its reputation for dowdy clothing designs.
M&S’s shares rose 2.6% in London, reversing an earlier decline and paring a 10% drop since the attack was announced on April 22.
The company called the attack a “bump in the road,” but the hit to operating profit — which is roughly equivalent to a third of last year’s performance — is worse than analysts expected. Still, quantifying the cost suggests “management is confident a solution is in sight,” analysts at Deutsche Bank said in a note.
M&S is only just starting to flesh out details of the attack, which forced it to halt contactless payments and created gaps on shelves as it took some IT systems offline. Last week it said some personal customer data was stolen.
Hackers entered M&S’s systems via “human error” at a third party, Machin told reporters on a call. He declined to comment on media reports that the business partner was Tata Consultancy Services, saying only that M&S is “grateful to all third parties we work with.”
“We have to be vigilant and lucky every day — threat actors only have to be lucky once,” he said. “We didn’t leave the door open, this wasn’t anything to do with under-investment.”
A cybercrime gang known as “DragonForce” has taken credit for the M&S hack, as well as other attempts to infiltrate grocer Co-op Group and luxury department store Harrods Ltd. The group told Bloomberg it carried out the attacks with partners to extort money from victims and plans to hit the UK’s retail sector again, saying the recent breaches were “just a start.”
Cybercrime is an increasingly prevalent problem in the UK and worldwide. On Monday, the UK’s Ministry of Justice said hackers stole a “significant amount of personal data” from people who received legal aid across England and Wales.
The Home Office estimates cybercrime costs the UK economy billions of pounds in losses annually. Last year a cohort of Russian-speaking hackers demanded a $50 million ransom from a UK lab-services provider to end a ransomware attack that paralyzed London hospitals for weeks.
The attack on Marks & Spencer caused havoc. Food sales have suffered due to reduced availability, although this is improving, while the switch to manual processes has incurred additional waste and logistics costs.
It has overshadowed an improvement in the company’s earnings. M&S reported £876 million in profit before tax and adjusting items for the year ending in March, beating analyst estimates. The retailer said it’s confident in prospects for medium-term growth, and is increasing its dividend by 20%.
Statutory profit before tax fell almost 24%, though, partly due to an impairment charge of £249 million relating to the value of the company’s investment in Ocado Retail, its joint venture with Ocado Group Plc for online groceries.
Photo credit: Jason Alden/Bloomberg