Over a week has passed since Marks & Spencer was first hit by what it called a “cyber incident” on Easter Monday, causing issues with click-and-collect services and contactless payments.


In a new development today (April 30) the Co-op said it took “proactive measures” after an attempted cyber attack caused a “small impact” to its call centre and back office.

While not much else has been reported on the Co-op, M&S soon called in external cybersecurity experts to assist with the problem, but the issues rumbled on as the retailer suspended gift card payments and some parcels were delayed.

M&S has had to make several customer announcements, with the last one on Friday stating that online orders have had to be halted due to the ongoing problem.

Warehouse agency workers at its main distribution centre in the East Midlands were also told to stay at home due to the ongoing crisis, while M&S’ staff were asked to come in.

There is little indication of when online services are expected to return to normal, but the BBC reported it could take until the end of this week for overall operations to begin getting back on track.

With M&S’ clothing and homeware sales equating to £1.27bn in its latest results, analysts estimate that the retailer could be losing around £3m per day due to the cyber attack.

Lead from the front

M&S hasn’t divulged information on what or who is behind the attack, but many cybersecurity experts have speculated on the cause, from ransomware to malware attacks.

Research by Barclays Corporate Banking and Retail Economics in July 2024 revealed that cyber and data threats were the top concern for UK retailers. Of those surveyed, 34% perceived cyber and data threats as the biggest risk.

Many customers demand convenient, seamless and speedy shopping and could look elsewhere if the crisis continues.

What is important is how M&S continues to deal with the situation.

[Image: M&S’ click-and-collect was among services affected by the cyber attack. Source: Marks & Spencer]

Customers expect honesty, leadership and proactive communication, and this is something the retailer is doing well, according to Hayley Goff, chief executive of B2B tech PR agency Whiteoaks International.

“M&S’ chief executive Stuart Machin was fast to acknowledge the issue to customers,” she tells Retail Week.

“In the absence of resolving the issue, regular, transparent updates have been critical to managing uncertainty during a period of heightened scrutiny.”

She adds that this approach with Machin front and centre demonstrates the value of a pre-prepared crisis communications strategy.

“Handled the wrong way, cyber-attacks can irreparably define a brand’s reputation. Handled the right way, they can define its resilience.”

Customer confidence in the brand may take a while to recover, however, as shoppers may be concerned about data and security.

Payabl head of product Breno Oliveira told Retail Week that the attack has shown that “trust and security remain non-negotiable.”

“Our recent research finds 71% of European shoppers would rather endure a slower checkout if it means stronger security.

“43% are deterred from returning to a merchant if they have a poor checkout experience, with UK shoppers the least forgiving of friction.”

Lessons to be learned

Of course, M&S isn’t the first victim of a cyber attack.

The Works suffered a cyber attack in 2022, which caused online orders to be disrupted and several stores to close, while an attack on supply chain management software provider Blue Yonder in November 2024 caused havoc for its customers, which included Asda, Tesco, Waitrose, Sainsbury’s and Morrisons.

Digital Ocean senior vice president Suhaib Zaheer said that going forward, businesses must prioritise “clear, timely communication” to minimise customer frustration amidst cyber incidents.

“From testing customer journeys to ensuring plans are in place for digital communications and support channels, retailers need a comprehensive strategy that enables them to maintain service continuity even when systems are compromised.

“This foundation must be backed by robust, scalable cloud infrastructure and proactive, year-round efforts to identify and eliminate inefficiencies.”

He adds that this will help online platforms perform reliably even when under pressure, while still meeting customer expectations.

Oliveira believes the cyber issues at M&S are a learning curve for fellow retailers to review payment systems and put plans in place to limit any risk of similar incidents.

“Businesses that do this, while still offering both speed and security via state-of-the-art payments technology, will be the ones that retain existing customers, gain new ones, and ultimately, drive business growth.”