Financial impact of cyber attacks on UK retailers laid bare in new report
The M&S and Co-op attacks rated a category 2 on Cyber Monitoring Centre's scale
Cyber attacks against M&S and Co-op earlier this year cost between £270 million and £440 million, according to analysis by the Cyber Monitoring Centre (CMC).
In April, British retailers were targeted with a series of ransomware attacks, with M&S taking down online sales and later admitting customer data was stolen. Co-op shut down aspects of its own IT system to limit disruption when it was attacked in a similar way.
Alongside those two, Harrods and other retailers were impacted by cyber incidents, but the CMC didn't include them in its assessment due to a lack of information. The attacks are believed to be the work of "Scattered Spider" hackers.
The mooted figures include the financial impact on M&S and Co-op, as well as their partners and suppliers, taking in lost sales as well as incident response, IT restoration and legal costs.
"Although both of the targeted companies suffered business disruption, data loss, and costs for incident response and IT rebuild, business disruption drives the vast majority of the financial cost," the CMC said in a statement.
M&S managed to return to limited online sales late last month after several weeks of disruption. According to the CMC, the financial impact of the incident amounted to around £1.3 million in losses per day.
"This is less than the total loss in turnover as it takes into account reductions in orders, stock that can be resold later, and not having to pay other variable costs," CMC said.
"We have not included any ransom payments as there is no evidence at this point that a ransom was paid or not paid."
M&S said last month that it expected the incident to cost £300m this year, but that would be reduced through "management of costs, insurance and trading actions."
Narrow and deep impact
Despite the high cost of the incident, the CMC only rated it as a "category 2 systemic event," with the worst possible rating being category five.
The organization noted that while the implications were significant, the impact was largely limited to the targeted companies and their partners, making it a "narrow and deep" event.
For comparison, last year's CrowdStrike outage would be considered a "shallow and broad" event, as many businesses were hit, but the impact to each was smaller.
"We are yet to see a deep and broad category four or category five event impact the UK," the CMC noted in its analysis.
"Had there been further widespread disruption in the sector, the categorization could have been higher, but because the impact was confined to two companies and their partners, it is judged to be at the lower end of severity on the CMC’s scale."
Additional disruptions
CMC noted that M&S's own-brand labelling added complexity, as such goods couldn't be rerouted to other retailers to sell before their expiry dates, especially prepared food and meat, which are subject to tighter packaging regulations.
Another challenge was remote and rural areas, CMC noted, with Co-op one of the only food retailers in some regions. In the Scottish Highlands, for example, residents reported widespread disruption to food supply chains in the wake of the incident.
"Service disruption in these regions illustrates the broader societal impact cyber events can trigger through concentrated retail supply chains," CMC said. "Co-op are said to have prioritized supplying these stores."
More generally, CMC highlighted the risks of disruption to modern retail models.
"The event underscores retail sector vulnerabilities tied to just-in-time stock systems, lack of back-end storage, and high dependency on IT-driven order flows," the analysts said. "When systems fail, it is challenging to revert to manual processes."
The analysis recommended retail businesses stress-test their business continuity plans — including a fallback to manual ordering and inventory control as well as plans to maintain financial stability and be able to pay suppliers — and create a response plan for ransomware attacks.
To avoid such incidents, CMC said it was time to improve "cyber hygiene" across service providers and the IT supply chain, in particular support desks, which are believed to be how the attackers gained access to the networks, using compromised credentials and "abuse of IT help desk processes."
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.