Financial impact of cyber attacks on UK retailers laid bare in new report
The M&S and Co-op attacks rated a category 2 on Cyber Monitoring Centre's scale


Cyber attacks against M&S and Co-op earlier this year cost between £270 million and £440 million, according to analysis by the Cyber Monitoring Centre (CMC).
In April, British retailers were targeted with a series of ransomware attacks, with M&S taking down online sales and later admitting customer data was stolen. Co-op shut down aspects of its own IT system to limit disruption when it was attacked in a similar way.
Alongside those two, Harrods and other retailers were impacted by cyber incidents, but the CMC didn't include them in its assessment due to a lack of information. The attacks are believed to be the work of "Scattered Spider" hackers.
The mooted figures include the financial impact on M&S and Co-op, as well as their partners and suppliers, taking in lost sales as well as incident response, IT restoration and legal costs.
"Although both of the targeted companies suffered business disruption, data loss, and costs for incident response and IT rebuild, business disruption drives the vast majority of the financial cost," the CMC said in a statement.
M&S managed to return to limited online sales late last month after several weeks of disruption. According to the CMC, the financial impact of the incident amounted to around £1.3 million in losses per day.
"This is less than the total loss in turnover as it takes into account reductions in orders, stock that can be resold later, and not having to pay other variable costs," CMC said.
"We have not included any ransom payments as there is no evidence at this point that a ransom was paid or not paid."
M&S said last month that it expected the incident to cost £300m this year, but that would be reduced through "management of costs, insurance and trading actions."
Narrow and deep impact
Despite the high cost of the incident, the CMC only rated it as a "category 2 systemic event," with the worst possible rating being category five.
The organization noted that while the implications were significant, the impact was largely limited to the targeted companies and their partners, making it a "narrow and deep" event.
For comparison, last year's CrowdStrike outage would be considered a "shallow and broad" event, as many businesses were hit, but the impact to each was smaller.
"We are yet to see a deep and broad category four or category five event impact the UK," the CMC noted in its analysis.
"Had there been further widespread disruption in the sector, the categorization could have been higher, but because the impact was confined to two companies and their partners, it is judged to be at the lower end of severity on the CMC’s scale."
Additional disruptions
CMC noted that M&S' own brand labelling added complexity, as such goods couldn't be rerouted to other retailers to sell before expiration dates, especially for prepared food and meats which have tightened regulations around packaging.
Another challenge was remote and rural areas, CMC noted, with Co-op one of the only food retailers in some regions. In the Scottish Highlands, for example, residents reported widespread disruption to food supply chains in the wake of the incident.
"Service disruption in these regions illustrates the broader societal impact cyber events can trigger through concentrated retail supply chains," CMC said. "Co-op are said to have prioritized supplying these stores."
More generally, CMC highlighted the risks of disruption to modern retail models.
"The event underscores retail sector vulnerabilities tied to just-in-time stock systems, lack of back-end storage, and high dependency on IT-driven order flows," the analysts said. "When systems fail, it is challenging to revert to manual processes."
The analysis recommended retail businesses stress-test their business continuity plans — including a fallback to manual ordering and inventory control as well as plans to maintain financial stability and be able to pay suppliers — and create a response plan for ransomware attacks.
To avoid such incidents, CMC said it was time to improve "cyber hygiene" across service providers and IT supply chain, in particular support desks — which are believed to be how the attackers accessed networks, using compromised credentials and "abuse of IT help desk processes."
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.