Ransomware: Marks & Spencer targeted by costly cyberattack
300 million pounds – the equivalent of 356 million euros. That's how much the major cyberattack that has paralyzed the British retailer Marks & Spencer for over a month is estimated to have cost it. The company made this estimate public on Wednesday, May 21, during its annual results presentation. Shortly after the attack was discovered, the clothing and food retail chain, which has 1,500 stores worldwide, including a handful in the Paris region, and posted a turnover of 13.8 billion pounds (16.3 billion euros) in its last financial year, suspended its online sales.
It was when it noticed that contactless payments were malfunctioning in several stores on April 21 and that online order pickups were disrupted that the company realized it was the target of a cyberattack. It could be a ransomware attack, which blocks access to the computer system and demands a ransom to unlock it. Its CEO, Stuart Machin, declined to say whether money had been paid to the hackers, but indicated that this attack was the result of a "human error" committed by a supplier he did not name, and not due to weaknesses in its computer network, reports the Financial Times.
Since the incident, online sales, which accounted for 34% of transactions in March, generating approximately €4.5 million per day, have been disrupted. The situation is still ongoing and could extend into July, according to the company. "We have decided to pause order taking through our websites and apps. […] Our stores are open to welcome customers," a message on the site states.
While stores have remained open, they have not been spared from the crisis. In addition to suspending contactless payments, they are experiencing stock shortages. In late April, a BBC report described "empty shelves," where, instead of food, labels could be found reading: "Please be patient while we resolve some technical issues affecting product availability." In its statement Wednesday, the British retailer confirmed that food sales "have been affected by reduced product availability, although the situation is improving."
Some customer personal data was also stolen in the cyberattack, but payment details and account passwords were not, the company said.
Before this cyberattack, the British company seemed to be just recovering from a long downturn. Victim of a decline across the Channel, it had laid off 7,000 of its employees – or 9% of its workforce – before closing eleven stores in the Paris region in September 2021, citing Brexit-related customs restrictions. In May 2024, it posted a 58% increase in its annual profit and announced on Wednesday a further increase of 22% to 875.5 million pounds sterling, or 1.03 billion euros, its highest level in more than fifteen years.
This hack has further undermined the financial health of the group, which has been subject to stock market sanctions since the cyberattack. The company stated in the same press release that it hopes to absorb the shock "through rigorous cost management, insurance, and other commercial actions," before adding: "We are now focused on recovery, aiming to restore our systems, operations, and customer offerings during the first half of the year."
The Marks & Spencer case is not an isolated one. Similar cyber incidents have been on the rise in the United Kingdom for several weeks. Co-op, a supermarket chain, and Harrods, a London luxury retailer, have also been targeted. In mid-May, Google's cybersecurity department announced that the hackers who targeted these brands are now targeting American retailers.
Libération