How do you measure the effects of a major cyber-attack? Is it the severe financial losses, reputational damage, compromised customer data, operational downtime or the number of customers angered at the unavailability of Colin the Caterpillar cakes?
It has now been over 50 days since M&S was targeted in April by the hacker groups DragonForce and Scattered Spider, resulting in a £300M loss in trade and millions wiped off the company’s value, with many product ranges still unavailable despite the website reopening for online orders (leading to the Daily Mail describing M&S shoppers’ fury at the continued absence of Colin the Caterpillar cakes).
While there have been reports of ransomware and data theft, M&S has not fully disclosed the exact methods of the attack or the extent to which sensitive customer data (such as payment information) was compromised. However, given the nature of the attack, a breach of sensitive data is a strong possibility. The attack has prompted an ongoing investigation by both M&S’s internal cybersecurity teams and law enforcement agencies, but few details have emerged about the specific techniques used by the hackers.
In the wake of the attack, M&S has likely bolstered its cybersecurity defences. However, it remains to be seen whether they will conduct a full overhaul of their IT infrastructure or implement further measures to prevent future breaches.
This breach is part of a growing trend of cyber-attacks targeting retailers – Adidas, Victoria’s Secret, Harrods, The North Face, Dior, Cartier and The Co-op have all been affected recently – especially those with large online operations. Several factors—ranging from technological vulnerabilities to the increasing sophistication of cybercriminals—have contributed to this.
- Digital Transformation and Expanding Attack Surfaces
As retailers embrace digital strategies, including e-commerce platforms and mobile apps, they inadvertently broaden their attack surfaces. The more touchpoints a retailer offers online, the more potential entry points there are for hackers. Whether it’s a payment system, customer database, or inventory management, vulnerabilities in these digital tools make retailers attractive targets.
- Sophistication of Cybercriminals
Cybercriminals are no longer the lone hackers of the past; many are now operating in highly organised groups with advanced tools. Ransomware-as-a-Service and phishing kits sold on the dark web have made it easier for less skilled individuals to launch high-impact attacks. This increase in cybercrime sophistication has raised the stakes for retailers.
- Targeting Valuable Customer Data
Retailers collect vast amounts of customer data, from credit card numbers to personal details. This valuable information makes them prime targets for identity theft, fraud, and black-market sales of stolen data. Retail breaches can result in millions of pounds in losses, not only from stolen funds but also from reputational damage.
- Supply Chain Vulnerabilities
Retailers often depend on third-party vendors for essential services such as payment processing, logistics, and customer support. When these suppliers are compromised, it can trigger a domino effect, impacting multiple retailers simultaneously. In the case of M&S, for instance, the BBC reported that the attack was likely made possible through a third-party supplier (widely reported as Tata Consultancy Services*) having access to the retailer’s internal systems, highlighting the risks posed by interconnected vendor networks.
*TCS has since reported that it was not the gateway to the attack.
- Poor Cybersecurity Posture
Many retailers, particularly small and mid-sized ones, still lack the resources or awareness to implement strong cybersecurity measures. Outdated software, unpatched vulnerabilities, and weak network defences create opportunities for hackers. In many cases, retailers may not even realise they have been compromised until significant damage is done.
- Peak Shopping Seasons and Increased E-commerce Traffic
Retailers face heightened risk during busy shopping seasons like Black Friday and Cyber Monday, when e-commerce traffic spikes. Overloaded networks and stretched security teams create windows of opportunity for cybercriminals to launch successful attacks.
- Lack of Employee Awareness
A lack of cybersecurity training among employees makes them vulnerable to phishing attacks. Cybercriminals often exploit human error to gain access to a retailer’s network, making it crucial for businesses to invest in comprehensive employee education.
In conclusion, the growing complexity of digital infrastructure, combined with poor cybersecurity practices and increasingly sophisticated criminals, has led to the surge in retail cyber-attacks.
Retailers must adapt to this new threat landscape by prioritising security and awareness to mitigate potential risks. In particular, retailers must begin to understand their exposure to third-party vendors and partners and the impact this can have on the business.
M&S expects to be back to pre-attack normality by the end of July, which means the good people of Britain can once again enjoy ‘chocolate-covered, swirly cake goodness’ with a brew, whilst leaving the retail sector to reflect on its mounting vulnerability to cyber-crime.
Photo by Aleksandr Rebenkov on unsplash