British retail giant Marks & Spencer (M&S) revealed Wednesday that a "highly sophisticated and targeted" cyberattack will cause an estimated operating loss of around £300 million ($403 million). The incident, which occurred on April 22, continues to paralyze many of its online services, which are not expected to return to normal until July.
The attack knocked out the group's automated inventory management system, forcing M&S to resort to paper and pen to move billions of pounds' worth of goods. This logistical disruption emptied food shelves in several stores and severely disrupted the online clothing, home, and beauty business. The main online ordering service remains suspended, heavily impacting the non-food division's results, although in-store sales remain stable.
Chief Executive Stuart Machin said the incident was due to human error exploited by hackers using social engineering techniques. However, he insisted that M&S had not left "the door open" and rejected any link to underinvestment in cybersecurity. The company is currently refusing to say whether a ransom was paid. Some customers had their personal data compromised, the group acknowledged last week.
Before this attack, M&S was posting very encouraging results, with pre-tax profit up 22.2% in the last financial year, its highest in fifteen years, and sales of £13.9 billion. The company hopes to limit the loss to £150 million through insurance and cost cutting. A technology transformation plan, initially planned to last two years, will be accelerated to six months.
Management intends to use this crisis to strengthen its systems and better protect its operations going forward. The CEO stated that 85% of its fashion and home products will be available online again in the coming weeks. At the same time, competitors, including Next, John Lewis, and Tesco, could take advantage of M&S's current difficulties to gain market share.