M&S and Co-op shared learnings from cyber attacks that hit their businesses in April with MPs yesterday. Here are some key points from their appearances before the Business and Trade Sub-Committee on Economic Security.
M&S: an ‘out-of-body experience’
M&S chairman Archie Norman says April’s cyber attack on the UK retailer was “like an out-of-body experience” for staff across the business. Tech staff in its cyber team had “probably no sleep or three hours a night,” he told MPs on the Business and Trade Sub-Committee on Economic Security yesterday.
One big learning from the event, he said, was that “once you have experienced an attack that has had any success at all, you are then in a multi-week process of systems rebuilding. Whatever you do, you are going to have to rebuild and it is going to take a long time to come back. That was our experience.”
M&S estimates that the cyber attack of April 19 has hit its profits by £300mn, but Norman said this may be recoverable through insurance and other cost savings. Asked about who had carried out the attack, he said that both the attacker and the retailer had worked through intermediaries. He did not confirm whether M&S had paid a ransom, but said that “in almost 100% of cases” there was a ransomware demand.
Norman said: “The question all businesses have to ask when they look at the demand is: what are you getting for it, once your systems are compromised and you are going to have to rebuild anyway? Maybe they have exfiltrated data that you do not want them to publish, maybe there is something there, but in our case, the damage had substantially been done.”
Fully rebuilding will take months, he said, and capital spending will be brought forward. He said the M&S automated distribution centre in Castle Donington would come back online “imminently”, with some back office systems taking until October or November to bring back online. He said that the retailer had been rebuilding its systems and its business over several years and that if the attack had happened a few years earlier the retailer would have “been kippered”. Now, however, it was able to keep investing and to “stride on”. He advised others to have an “absolutely rigorous map” of their systems.
M&S will now hold a third-party led review, and the retailer says it will share the learnings. Norman said that the retailer had a “very wide attack surface” since there were 50,000 people working on its systems – from staff in store to contractors. “The attack surface is enormous and the attacker, potentially, has only to be lucky once, with one of those 50,000,” he said. “The right thing to do if you are in our business is to assume that the perimeter is permeable.” Retailers, he said, need to be ready to revert to manual ways of running the business.
Co-op: ‘no organisation entirely invulnerable’
The Co-op, said Dominic Kendal-Ward, group secretary and general counsel at the company, had suffered a “sophisticated cyber-attack” on April 25 that used a variety of methods to hack into its systems and data. “Within hours,” he said, “we had detected those and set up our continuity processes. In doing so, we managed to prevent the deployment of ransomware and any serious damage to either our systems or our members.” He said the retailer had not paid a ransom and never contemplated doing so. It also never engaged with the attackers.
The reality check, he said, was that “no organisation, regardless of how prepared you might be, is entirely invulnerable to these sorts of attacks, and they are going to get more sophisticated”. Even though more serious disruption was avoided, there was still a “significant impact” on parts of its operations, with member names, addresses and dates of birth copied by attackers. “It is important that we say to our members that we are very sorry for that, and we feel their concerns deeply.”
The retailer’s online business, stores and payments continued to operate normally after the attack, and pre-contracted forensic teams were brought in to analyse events. Suspicious IP addresses were blocked while systems were rebuilt around them. Business continuity systems came into play.
Rob Elsey, group chief digital information officer at Co-op, said: “We had wargamed this precise scenario as a leadership team before, so the board itself was very well prepared for who would take what role. That definitely paid dividends through the crisis.”
He added: “There are always learnings from a real experience versus those simulated ones, but the simulated ones are incredibly helpful.”
The break-in to the system came through social engineering, said Elsey, with a hacker successfully answering security questions to reset an account before starting to use that account maliciously.
Elsey said it was important to be able to revert to paper-based systems. He said: “You need to be prepared on the specifics and understand where the key things are to keep your business running, but equally, you do not ever know quite what the impact will be when these sorts of things hit in the way they do. How you make sure that you can make those decisions and take any actions that you can quickly is probably the most critical part.”