Financial impact of cyber attacks on UK retailers laid bare in new report
The M&S and Co-op attacks rated a category 2 on Cyber Monitoring Centre's scale
Cyber attacks against M&S and Co-op earlier this year cost anywhere between £270m and £440m, according to analysis by the Cyber Monitoring Centre (CMC).
In April, British retailers were targeted with a series of ransomware attacks, with M&S taking down online sales and later admitting customer data was stolen. Co-op shut down aspects of its own IT system to limit disruption when it was attacked in a similar way.
Alongside those two, Harrods and other retailers were impacted by cyber incidents, but the CMC didn't include them in its assessment due to a lack of information. The attacks are believed to be the work of "Scattered Spider" hackers.
The mooted figures include the financial impact on M&S and Co-op, as well as their partners and suppliers, taking in lost sales as well as incident response, IT restoration and legal costs.
"Although both of the targeted companies suffered business disruption, data loss, and costs for incident response and IT rebuild, business disruption drives the vast majority of the financial cost," the CMC said in a statement.
M&S managed to return to limited online sales late last month after several weeks of disruption. According to the CMC, the financial impact of the incident amounted to around £1.3 million in losses per day.
"This is less than the total loss in turnover as it takes into account reductions in orders, stock that can be resold later, and not having to pay other variable costs," CMC said.
"We have not included any ransom payments as there is no evidence at this point that a ransom was paid or not paid."
M&S said last month that it expected the incident to cost £300m this year, but that would be reduced through "management of costs, insurance and trading actions."
Narrow and deep impact
Despite the high cost of the incident, the CMC only rated it as a "category 2 systemic event," with the worst possible rating being category five.
The organization noted that while the implications were significant, the impact was largely limited to the targeted companies and their partners, making it a "narrow and deep" event.
For comparison, last year's CrowdStrike outage would be considered a "shallow and broad" event, as many businesses were hit, but the impact to each was smaller.
"We are yet to see a deep and broad category four or category five event impact the UK," the CMC noted in its analysis.
"Had there been further widespread disruption in the sector, the categorization could have been higher, but because the impact was confined to two companies and their partners, it is judged to be at the lower end of severity on the CMC’s scale."
Additional disruptions
CMC noted that M&S' own-brand labelling added complexity, as such goods couldn't be rerouted to other retailers to sell before their expiration dates, especially prepared food and meats, which have tighter regulations around packaging.
Another challenge was remote and rural areas, CMC noted, with Co-op one of the only food retailers in some regions. In the Scottish Highlands, for example, residents reported widespread disruption to food supply chains in the wake of the incident.
"Service disruption in these regions illustrates the broader societal impact cyber events can trigger through concentrated retail supply chains," CMC said. "Co-op are said to have prioritized supplying these stores."
More generally, CMC highlighted the risks of disruption to modern retail models.
"The event underscores retail sector vulnerabilities tied to just-in-time stock systems, lack of back-end storage, and high dependency on IT-driven order flows," the analysts said. "When systems fail, it is challenging to revert to manual processes."
The analysis recommended retail businesses stress-test their business continuity plans — including a fallback to manual ordering and inventory control as well as plans to maintain financial stability and be able to pay suppliers — and create a response plan for ransomware attacks.
To avoid such incidents, CMC said it was time to improve "cyber hygiene" across service providers and the IT supply chain, in particular support desks, which are believed to be how the attackers accessed networks, using compromised credentials and "abuse of IT help desk processes."
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.