This ransomware attack has caused huge disruption to the retail giant. The attack took place during April, with online sales being suspended for over 8 weeks from the Easter weekend until 10 June (and even then not completely reinstated). The hackers impersonated a trusted person to gain access to the company’s systems. M&S has confirmed that customers' personal data has been taken, although it has sought to reassure customers that it doesn’t include useable payment details or account details, and there is currently no evidence that it’s been shared further. The incident has, however, cost M&S an estimated £300m in profits this year.
At the beginning of May, hackers infiltrated Co-op’s IT systems and were able to access customer and employee data. The company has stated that no password or payment data was accessed. News reports suggest that Co-op avoided a more severe outcome by intervening whilst the hackers were present on its systems, demonstrating the value of swift identification of a security threat and intervening actions. Whilst Co-op hasn’t shared much about the nature of the incident, it has been suggested that hackers were able to infiltrate the company’s Teams account and sought to extort the company for money and the incident had a marked effect on Co-op’s ability to trade, with it being unable to manage stock in stores.
Shortly after Co-op announced it had been subject to a cyber-attack, the luxury retailer Harrods confirmed it had also been targeted. It restricted internet access across its sites to prevent unauthorised access, and there doesn’t appear to have been any loss of data or unauthorised access to its systems, again demonstrating the importance of robust processes and response times.
On 23 May, Adidas published a statement confirming that it was aware that an unauthorised external party obtained certain consumer data through a third-party customer service provider. Similarly to M&S and Co-op, it stated that no password or payment data was obtained, and the data leak largely consisted of contact information relating to customers.
The outcomes and damage caused by the above incidents vary case-to-case. The M&S incident is an important example of how severe the consequences can be, and how it is worth investing in your cyber security practices before an attack takes place.
