Marks & Spencer Cyber Attack Set To Cost £300 Million
Marks & Spencer are expecting a £300 million hit to their operating profits following a cyber attack, with disruption to their online operations expected to continue until July.
While investigations into the incident are still ongoing, it is believed that the cyber attack, which has been blamed on ‘human error’, occurred after attackers tricked third-party IT helpdesk staff into giving them access to company systems. This is known as a ‘social engineering’ attack, where attackers rely on human error to gain unauthorised access to accounts and systems. In this case, it is believed that two IT logins were used as part of the attack.
While the most significant impact on the business has been the damage to its online services, which has prevented shoppers from using them for weeks, another aspect of the incident is that the personal data of many online shoppers has been compromised. The affected data potentially includes names, dates of birth, contact information, home addresses and online order history.
Even though it’s been confirmed that account passwords haven’t been compromised, Marks & Spencer have said that for peace of mind, customers can still reset their account passwords.
Much of this information comes from Marks & Spencer chief executive Stuart Machin, who also said that they expect the business to “recover at pace” and that the website is expected to re-open “within the next few weeks”.
While £300 million is a significant hit, Machin described this as a “one-off” that won’t have a significant impact on the business as a whole. He also confirmed that there are no plans to cut jobs to mitigate the impact of this loss.
What are the key takeaways from this?
While the investigation into the incident is still ongoing, using what we already know, we can take away a few key learnings:
Your security is only as strong as your weakest link: Marks & Spencer most likely had a high level of security overall, but attackers only need one point of weakness to carry out an attack. In this case, attackers targeted a third-party contractor based in India, where it was much easier for them to get the access they needed. Stronger or more frequent due diligence on the third party may have helped identify this weakness and allowed the necessary measures to be put in place to reduce the chances of an incident like this happening. If you’re concerned that some of your suppliers could act as a point of weakness for your business, take a look at our Supplier Due Diligence page to see how PRIVACY HELPER can assist.
Security vulnerabilities can be very costly: An attack that started as a simple social engineering attack is expected to cost Marks & Spencer £300 million. For smaller businesses especially, an attack with a similar outcome could be devastating. Marks & Spencer are fortunate that they don’t operate solely through their website and can still trade through physical stores. Though these have also been impacted, an online-only retailer would be affected far more significantly.
Transparency is key: Marks & Spencer have done a good job of informing customers of the breach, detailing exactly what data has been compromised, confirming that the data hasn’t been published anywhere, and reassuring customers that login information and payment details are not compromised. Article 34 of UK GDPR states that a breach must be communicated to a data subject if it is ‘likely to result in a high risk to the rights and freedoms’ of the data subject. In this case, some of the data compromised absolutely meets this criterion, meaning Marks & Spencer did the right thing by informing the data subjects of the breach. For example, the fact that email addresses are potentially included opens the data subject up to being targeted by phishing scams, and when combined with other personal data such as names and home addresses, could facilitate things like impersonation.
Next Steps
Ensuring that you handle, process and store personal data in a way that’s in line with the law isn’t easy. To be confident that you’re compliant, and to address any concerns you may have, contact PRIVACY HELPER, and let us remove the stress of managing data compliance in your business.