Marks & Spencer has said it will take an estimated £300m hit to profits this year from a damaging cyber-attack that it expects to disrupt its online business into July.
Its chief executive, Stuart Machin, confirmed that “threat actors” had gained access to the retailer’s systems via one of M&S’s contractors using “social engineering” techniques, which can include posing as a staff member to fool a helpdesk.
“They used heavily sophisticated techniques,” he said, adding that the incursion was quickly spotted over the Easter weekend and the business was ready with a plan after a simulation exercise of an attack last year.
M&S revealed more details of the cyber-incident alongside its annual trading figures, which showed underlying profits rose by a better-than-expected 22% to £876m in the year to 30 March.
The company said it had more than £400m of net funds in the bank so that it had been “in the best financial health we’ve been in 30 years” before the hackers hit. It said it aimed to halve the financial impact of the attack to about £150m through insurance, cost reductions and other actions.
Machin said the hack was not down to a weakness in M&S’s IT systems and access had been gained via a third party. That contractor is understood to be Tata Consulting Services (TCS), which manages M&S’s helpdesk among other IT services. Two employee logins were used as part of the breach, according to a Reuters report, for which TCS declined to comment.
Machin said he expected the business to “recover at pace” from the disruption, with its website expected to reopen “within the next few weeks” and probably to begin selling in all product categories before July.
“If anything, the incident allows us to accelerate the pace of change as we draw a line and move on,” he said.
He dismissed fears of a hit to shoppers’ confidence in the business, saying the retailer had been “very transparent” about the problem and had passed on information swiftly.
Machin said M&S’s food was now selling well but that clothing and homeware sales in stores were “softer than we would like”, having been disrupted by the closure of the website.
He acknowledged that £300m – about two-thirds of which is down to lost clothing sales, according to analysts – “does sound like a big number” but he described the hit as a “one-off” that was “not significant” to the business as a whole.
Machin said there were no plans to offset the cost with job cuts or to reduce store refurbishments or openings, which include nine new food stores and two full-line outlets planned this year.
The business is bringing forward IT investment and will carry out two years of work on updating its systems in six months, partly aided by the forced shutdown of its website and online distribution centre, which made bringing in new technology simpler.
Analysts said they expected to cut profit forecasts for this year by at least 10%.
after newsletter promotion
The UK’s biggest clothing retailer, which also sells food and homeware, has been battling to recover for a month since its IT systems were hit over the Easter weekend. The attack forced M&S to stop orders via its website, through which it sells fashion, homeware and gifts, while deliveries of food and fashion into stores and some deliveries to its online food partner, Ocado, have also been disrupted.
M&S has admitted that some personal information relating to thousands of customers – including names, addresses, dates of birth and order histories – was taken in the cyber-attack.
Machin thanked customers and staff for their support. He said the business was now “focused on recovery, with the aim of exiting this period a much stronger business”.
“We started the new financial year as we finished the last, with sales growth ahead of budget across both businesses,” he said.
The figures showed that the cyber-incident interrupted a strong period of trading for M&S. Overall sales were up by 6% to £13.9bn over the year to 30 March. Food sales rose by almost 9% to £9bn, while fashion and homeware increased by 3.5% to £4.2bn.
The company did not give a figure for how much sales had fallen since the attack.
After including one-off costs such as a £248.5m write-down on the valuation of its Ocado Retail joint venture and £84m in costs of shutting and refurbishing stores, the company’s pre-tax profits fell by 24% to £511.8m.
The attack, which has been attributed to the hacking collective Scattered Spider, emerged days before similar cyber-attacks were reported against the Co-op and Harrods.
