M&S boss issues major cyber attack update after online orders paused
THE boss of M&S has issued an update to customers as a major cyber attack continues to cripple the retailer.
Stuart Machin has said it could still take around "five or six weeks" until shoppers can carry out online clothing orders.
In an interview with The Daily Mail, Mr Machin added he "went into shock" after first finding out computer systems at the chain had been compromised.
However, the chief executive of one of the UK's most well-known retailers said the ongoing fallout was not a crisis and more "a setback".
M&S has been dealing with the cyber attack since last month, with customers first noticing issues on April 19.
Two days later, the retailer acknowledged it was dealing with an attack but was working with cyber security experts to resolve it.
The group suspected to be behind the attack are known as "Scattered Spider" - a notorious cyber-criminal collective.
On April 24, M&S said contactless payments and click and collect services were still unavailable.
A day later, the retailer confirmed it had suspended all online and app orders in the UK and Ireland.
This decision led to a 5% drop in the company’s share price.
Shoppers were also reporting empty shelves in some stores in April, with staple items including bananas and fish out of stock.
M&S was also forced to temporarily suspend its meal deal offers in some of its smaller stores in transport hubs.
Earlier this month, it revealed some customer information was stolen during the attack, not including card details or account passwords.
M&S has yet to confirm the specific nature of the cyber breach.
Co-op and luxury retailer Harrods were also hit with hacking attempts last month with the former forced to shut down part of its IT system.
Co-op told staff at the time it had "taken proactive steps to keep our systems safe".
Timeline of M&S' cyber attack
- Saturday, April 19: Initial reports emerge on social media of problems with contactless payments and click-and-collect services at M&S stores across the UK. Customers experience difficulties collecting online purchases and returning items due to system issues.
- Monday, April 21: Problems with contactless payments and click-and-collect persist. M&S officially acknowledges the "cyber incident" in a statement to the London Stock Exchange. CEO Stuart Machin apologises for the disruption and confirms "minor, temporary changes" to store operations. M&S notifies the National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO) and engages external cybersecurity experts.
- Tuesday, April 22: Disruptions continue. M&S takes further systems offline as part of "proactive management".
- Wednesday, April 23: Despite earlier claims of customer-facing systems returning to normal, M&S continues to adjust operations to maintain security. Contactless payments are initially restored, but other services, including click-and-collect, remain affected.
- Thursday, April 24: Contactless payments and click-and-collect services are still unavailable. Reports surface suggesting the attackers possibly gained access to data in February.
- Friday, April 25: M&S suspends all online and app orders in the UK and Ireland for clothing and food, although customers can still browse products. This decision leads to a 5% drop in M&S's share price.
- Monday, April 28: M&S is still unable to process online orders. Around 200 agency workers at the main distribution centre are told to stay home.
- Tuesday, April 29: Information suggests that the hacker group Scattered Spider is likely behind the attack. Shoppers spot empty shelves in selected stores.
- Tuesday, May 13: M&S revealed that some customer information has been stolen.
- Wednesday, May 21: The retailer said disruption from the attack is expected to continue through to July.
However, it later emerged a "significant" amount of customer data was stolen, including personal information such as names, dates of birth and contact information.
The retailer said members' passwords, credit card details and transaction information were not leaked.
Harrods shoppers meanwhile were warned it had "restricted internet access" after the attempted breach left some customers struggling to pay.
Last week, Mr Machin compared the financial toll from M&S' cyber attack to the recent hike to employer National Insurance Contributions, national minimum wage and added costs associated with new environmental packaging rules.
Speaking to The Sun, he admitted hackers had dealt a heavy blow to its turnaround but was confident of weathering the storm.
He described the decision to switch off online orders as “chopping off the threat at its knees” and said he realised “that we had to go through the pain to come back later".
He described the early stages of the crisis as going into “survival mode”.
And he added the chaos of the last month had been “a challenging time — but it is just a moment in time".
What is a cyber attack?
A CYBER attack is any deliberate attempt to disrupt, damage, or gain unauthorised access to computer systems, networks, or digital devices.
These attacks can target individuals, businesses, or even governments, and their motives can range from financial gain to political disruption.
Cyber attacks can take many forms, employing various techniques to achieve their malicious goals.
Common types of cyber attacks include:
- Malware: Malicious software designed to damage or gain control of a system. Examples include viruses, worms, ransomware, and spyware.
- Phishing: Deceptive attempts to trick individuals into revealing sensitive information such as usernames, passwords, or credit card details, often through fake emails or websites.
- Denial-of-Service (DoS) Attacks: Flooding a network or server with traffic to overwhelm its resources and make it unavailable to legitimate users.
- SQL Injection: Exploiting vulnerabilities in website databases to gain unauthorised access to data.
- Ransomware: Malware that encrypts a victim's data and demands a ransom for its release.
- Social Engineering: Manipulating individuals into performing actions or divulging confidential information.