The cyberattack on M&S could not have been prevented by more investment in technology, the retailer’s chief has said, as he blamed bad luck.
M&S started a multiyear investment programme in upgrading legacy technology systems last year, which it is now accelerating in light of the attack, to do two years of planned work in six months.
But M&S “didn’t leave the door open” for the cyberattackers who took control of its systems over the Easter bank holiday and “this wasn’t anything to do with underinvestment”, its CEO Stuart Machin said today.
“We have to be vigilant and lucky every day,” he said. “Threat actors only have to be lucky once.
“Everyone, I think, is vulnerable. You only have to read all the stories about how many cyberattacks there are every day. And for us, we were unlucky in this particular case.”
Social engineering
Providing more detail on the attack as he announced M&S full-year results, Machin said: “April started really strongly, continuing the momentum from last year, and then over the Easter bank holiday I got a call from one of the team to say they’d spotted some suspicious activity.
“Unable to get into our systems by breaking through our digital defences”, the attackers got in instead using “social engineering”, he said. It was the result of “human error” by “a third party”.
The third party is reported to have been M&S’s IT services provider Tata Consulting Services. The log-in details of two TCS employees were used as part of the breach, according to Reuters.
Once in, the attackers “used highly sophisticated techniques”, said Machin.
“Thankfully, the time between gaining access and detection by our team was short, certainly much shorter than the average.”
On who was accountable, Machin said: “We know through that human error, this social engineering, how the threat actor got in.
“At the end of the day, the person running the company is me. As CEO, I’m accountable for making sure we transform this organisation. That’s what we’ve been doing for three years.
“I’m accountable to make sure we’re getting through this disruption. We’ve learned from it. We’ll recover from it and we’ll fix it and that’s what we’re doing.
“And I’m the person, with my leadership team, who’s going to take us through the next phase of this transformation and get back on track and the team spirit has been phenomenal.”
Profit impact
M&S has estimated a £300m impact on operating profit for the 2025/26 financial year, which it expects to reduce through management of costs, insurance and trading actions.
Machin said the cost-cutting plans did not include redundancies.
“The £300m sounds a big number, but it is a one-off number and therefore a gross number,” he said.
“We have got a very strong balance sheet and we’re in very good financial health.
“And we know we can offset some of that, as I’ve said with trading cost mitigation and insurance. So it will be a number a lot lower at a net level.
“The truth is, versus our whole transformation, the number really isn’t so very significant. Therefore, it doesn’t have any impact in our transformation plan. There are no plans on redundancies or any of that.”
On tech upgrades, he said: “We’re using the recent disruption to leapfrog and accelerate two years of technology work into six months.”
“The reason we had to scope it out over a couple of years is because it would disrupt the business,” he added. “Now we’re disrupted, we’ve cracked on and we’re doing it quickly.”
M&S sales rise
M&S sales were up 6.1% to £13.9bn in the year to 29 March, before the attack took place. Profit before tax and adjusting items was up 22% to £875m.
Food continued to be its strongest performer, with sales up 8.7% to £9bn. Fashion, home and beauty sales rose 3.5% to £4.2bn.
Machin added: “We’re in a very good place. The business ended last year with very strong momentum. In fact, during the last few weeks we’ve been resilient and trading has been resilient and we’ll get back on track. The food business is trading well.
“The clothing business in stores is a bit softer than we would like, but when we get the online business back we want to get back to normal as quickly as possible.”
M&S online clothing and home sales have been suspended for a month as a result of the attack, with the retailer now estimating the disruption will continue to July.
“I’m not putting an actual date on it, but online will be up and running within a matter of weeks,” said Machin. “Probably about 85% of our range will come online quite quickly.
“The reason we’ve been prioritising different distribution centres, in order to bring up the systems that we chose to cut off, is we’re doing it stage by stage.
“It will be earlier than that [July], but we’ve given ourselves scope just to make sure we’re fully up and running 100%, delivering the right proposition.
“It will be across all categories.”
M&S admitted last week that the attackers had gained access to customer data including contact details, date of birth and online order history, but not usable payment card details.
Machin said: “We will engage our customers and we also sincerely thank them because they have been brilliant in their support for us.”