Beloved British retailer Marks & Spencer released its annual results today, revealing a £300m hit to profits from a ransomware attack.
Although the group beat analysts’ expectations with its full-year numbers to post a 22.2% rise in underlying pre-tax profit to £876m, all eyes were on the impact of the hack which began over Easter weekend.
M&S has had to suspend online orders for three weeks, and it said today the disruption would likely continue until July.
See also: SJP’s Dr Sarah Ruggins breaks cycling record
Aarin Chiekrie, equity analyst at Hargreaves Lansdown, said: “The cyber-attack looks set to cause a £300m hit to operating profits this year, which management will look to try to partly offset through a tight grip on costs and other trading actions throughout the year.
“It’s reported that M&S has insurance in place to cover as much as £100m of the costs. And luckily, the warm Spring weather should have driven more footfall to the high street, so it’s likely that a decent chunk of online sales will have shifted to in-store to help soften the blow.
“While that’s frustrating for investors, the bigger picture needs to be kept in mind. The cyber-attack is likely a one-off event, and the underlying business is performing well.”
There have been several targeted attacks on organisations in the last few weeks. A supplier to major UK supermarkets and a government agency are the latest victims of hacking, following a high-profile hack on the Co-operative Group and an attempted hack on Harrods.
The government’s Legal Aid Agency said it first became aware of a cyberattack last month, but it wasn’t until last week that it realised the attack was “more extensive than originally understood”.
Hackers have accessed a large amount of information relating to legal aid applicants, such as domestic abuse victims. The agency has taken down its online service while it deals with the hack.
Meanwhile logistics firm Peter Green Chilled, which supplies Tesco, Sainsbury’s and Aldi, told the BBC it has been a victim of a ransomware attack. It has had to pause sending orders, risking large-scale food waste if chilled goods can’t be delivered in time.
M&S announced on 22 April that it had experienced a cyber incident, and three days later it stopped taking orders online and through its app. Last week it announced that some customer data had been taken by fraudsters, adding to the company’s woes.
M&S’s share price recovered slightly in relief that hackers had not managed to access usable card details or payment data, but before this it had fallen almost 18%.
Empty shelves at Co-op
Co-op suffered a breach on 30 April which saw customer and employee data accessed. It has experienced stock shortages at stores since the incident, but managed to avert a more drastic crisis by shutting down parts of its IT systems, according to reports.
On 1 May, luxury department store Harrods said it had restricted internet access at its sites after an attempt was made to gain unauthorised access to its systems.
The same ransomware group which has claimed responsibility for the M&S hack, ‘DragonForce’, says it was also behind the attacks on Co-op and Harrods. It is believed to be trying to extort money from the retailers by threatening to scramble, leak or destroy valuable data.
Jon Hudson is manager of the Premier Miton UK Growth fund, which counts M&S as one its top 10 holdings. He said the cyberattack is particularly frustrating for M&S because its food and clothing ranges had been popular with customers in recent years, and it had seen great sales momentum.
“In fairness to M&S, they have been quite open to the market about the challenges confronting them on technology,” said Hudson.
“At the Capital Markets Day last November, they highlighted they used over 600 applications, which is far too many. The opportunity was to streamline this and offer customers a better experience, but it is also likely to have increased their vulnerabilities to a cyber-attack.”
Despite the short-term hit to profitability from lost online sales, Hudson thinks M&S will bounce back in the longer term, although it will have to repair trust with customers.
“The costs of a cyber-attack are typically in the form of lost sales, for instance, M&S has stopped taking online orders, but it’s also been struggling to replenish shelves in its food business. It is also likely to suffer reputational damage as well as increase its spending on IT to make its systems more resilient to future attacks.
“Historically, while cyber-attacks have a short-term impact on profits, once recovered, it is typically forgiven and forgotten by both customers and investors. If they can convince investors they have addressed the issue, it shouldn’t impact the long-term value of the company,” he added.
Third parties are the weak link
Cyberattacks are not new, but increasingly determined and sophisticated hackers will require businesses to think carefully about any vulnerabilities in their systems and how they store customer data.
This includes third-party suppliers that might be a weaker link – the BBC reports that hackers gained entry to M&S through a third party that had access to its systems. Investors in businesses that could be at risk will also need to do their own due diligence here, but it’s not always easy to assess.
Alan Bartlett, CEO of Goodhart Partners and co-manager of the £114m Global Opportunities trust, said: “It’s hard to specifically talk to company management about what they’re doing, because no-one’s going to be saying they don’t do anything sensible.
“But it’s clearly a big issue, for regulators in our industry as well.”
Insurance cover for cyberattacks is becoming more expensive, while hackers are getting more sophisticated by harnessing the power of AI, he added.
Security over productivity
Security is one of several macroeconomic themes Bartlett focuses on in the Global Opportunities trust, and this includes defence but also cybersecurity.
He said direct plays in cybersecurity can be expensive, and it’s hard to pick the winners in such as fast-changing area, so he invests in defence companies that can commercialise their technology for non-defence sectors at a lower cost.
“Cybersecurity is something that everybody has been worrying about for years and every company is investing in,” he said.
“I don’t think what happened to Marks & Spencer is news to anyone, it’s just reinforcement of the danger. Clearly, you need to think about security on every level, and this is one of the themes we think is a negative for economic growth over the coming years.
“It creates uncertainty and risk and causes people to prioritise security over productivity.”