£300 million hit to M&S profits from Ransomware Attack

Costs to M&S profits expected to be £300 million from Ransomware attack


Marks & Spencer have announced that last month’s ransomware attack is expected to deliver a £300 million hit to the company’s profits. 

The company also announced that the ongoing disruption to online services is expected to continue until July, meaning that M&S’ online services will have been out of action for three months. 

The financial hit of £300 million represents a third of the company’s profits, with M&S having reported a pre-tax profit of £876 million in the year up to 30th March. 

This solid trading has meant that the company is “in the best financial health we’ve been in 30 years”, with £400 million of net funds in the bank. 

Yet the company’s share price has taken a severe beating, with one billion being wiped off in the time since the incident was declared, according to Sky News.

City analysts are expecting at least £100 million of the profit hit to be pulled back from various insurance and other mitigation measures.  

However, there are expected to be other fines for data loss, litigation and future-proofing the business from attacks, according to the BBC.

Additionally, as Sky News reported, there is a potential scenario that M&S could be fined by the Information Commissioner’s Office (ICO) for a data breach. 

The personal information of thousands of M&S customers, including names, addresses, dates of birth and order histories, was taken during the attack.

“The maximum fine by the ICO is £17.5 million or 4% of global annual turnover, whichever is higher. Marks & Spencer has just reported £13.8bn revenue, so 4% of that figure is £552 million”, said Dan Coatsworth, investment analyst at AJ Bell, speaking to Sky News. 

He added that “we’re unlikely to find out in the near term if there will be a fine as there will be investigations galore into exactly what’s happened and into the retailer’s overall data protection capabilities”. 

The ransomware attack, which started on Easter Weekend, forced M&S to stop all orders to its website, affecting all products from fashion to homeware orders. It also impacted some deliveries to its food partner, Ocado.

The attack on M&S occurred during a flurry of attacks on many British retail stores, with the Cooperative Group and Harrods being targeted too.

In the run-up to the attack, M&S had reported solid trading figures, with food sales up by 9% to £9bn in the year to 30th March. Fashion and homeware sales rose by 3.% to £4.2bn in the same period, an outlier in what was a tough autumn for retailers, the Guardian reports. 

With M&S, Co-op and Harrods all being hit by cyberattacks, there is a concern that the British retail sector is vulnerable to further attacks. 

“We are seeing an increase in notifications in this space [retail]. There are obviously other industries that threat actors are looking at, but this is drawing quite significant attention at the moment”, said Serena France-Hayhurst, UK Cyber Placement Leader at Marsh, speaking on Radio 4’s Today Show.

“[The] Frequency of ransoms and threat actors asking for ransoms is going up, as is the severity of those ransoms”, she added. 

She also said that the “penetration of buying cyber insurance [among small and medium-sized businesses] is quite low”, with “only 7% of their clients buying cyber insurance”.

Cybersecurity experts are becoming more vocal about the need for organisations to take this cyber threat seriously, one of them being Dr Richard Horne, chief executive of the National Cyber Security Centre, part of GCHQ.

In a letter to The Times, Dr Horne said that “there is a widening gap between the increasing cyber risks we face and our ability to defend ourselves against them”. 

“Every organisation must operate in a way that minimises the risks of an incident and know in advance how they would respond – and continue to operate – were an attack to get through. This is effective risk management, and any business leader who thinks they may be exempt from cyber risks should think again – and implement our advice immediately”. 



Post Date: 22/05/2025
