Marks & Spencer cyber attack: Everything we know so far - and what has happened at Co-op and Harrods

The fallout from the cyber attack on Marks & Spencer is continuing, with some meal deals now falling victim.

The attack, which happened three weeks ago, has seen online orders paused and logistical issues, with some shelves - including those bearing the famous Percy Pig sweets - falling bare.

There are now signs that the logistics problems caused by the attack have affected the availability of meal deals. A notice pinned up in the Victoria Station branch reads: “Due to availability issues, we are temporarily unable to fulfil this meal deal. Please bear with us while we work through this”, reports grocery.gazette.co.uk.

An M&S spokesman said: “Customers can still buy meal deals in our rail station stores but there are pockets of availability for some items. We are working hard to continue getting our products into stores.”

Here’s everything we know so far about the Marks & Spencer cyber attack...

When did it happen?

M&S first reported the issue over the Easter weekend and confirmed on Tuesday, April 22 that it had had to make “minor, temporary changes” to store operations in order to protect customers and its network.

In an email to customers then, M&S chief executive Stuart Machin said: “I’m writing to let you know that over the last few days M&S has been managing a cyber incident. To protect you and the business, it was necessary to temporarily make some small changes to our store operations, and I am sincerely sorry if you experienced any inconvenience.”

What problems has the cyber attack caused?

At first it led to contactless payment failures and disrupted the ability of customers to collect online orders over that weekend. M&S has since restored contactless payments in stores, but Click & Collect orders and some returns services remain affected.

M&S then paused online orders because it shut down its systems to deal with the attack. While its website is still up and shops are still open, its logistics operation has been affected and some stores have seen stocks run low.

The company has also been unable to hire new workers after pulling job adverts from its website as tech experts seek to resolve issues across its online systems.

Who is behind the attack?

A group called Scattered Spider is thought to be the culprit, although nothing has been officially confirmed. Scattered Spider is a cybercriminal group that targets large companies and their IT help desks. Members have previously engaged in data theft for extortion and have been known to use BlackCat/ALPHV ransomware.

Experts agree that ransomware was used in M&S's case. The group includes young members, some as young as 16, with a range of skills who frequent the same hacker forums, Telegram channels and Discord servers.

How was the Marks & Spencer attack carried out?

Again, nothing has been confirmed officially, but the boss of the National Cyber Security Centre Ollie Whitehouse wrote a blog post over the weekend which mentioned the possibility that “social engineering had been used by threat actors targeting IT helpdesks to perform password and MFA (multi-factor authentication) resets, a technique that the group has been reported to use in the past.”

What’s the most recent update from Marks & Spencer?

In a message to customers on Friday, Marks & Spencer boss Stuart Machin thanked customers for their patience and urged them to visit stores in person over the bank holiday, but did not say when normal operations would resume.

He said: “We are really sorry that we’ve not been able to offer you the service you expect from M&S over the last week. We are working day and night to manage the current cyber incident and get things back to normal for you as quickly as possible.

“Thank-you from me and everyone at M&S for all the support you have shown us. We do not take it for granted and we are incredibly grateful. Our teams are doing the very best they can and are ready to welcome you into our stores – whether you are shopping for food or for fashion, home and beauty this bank holiday weekend.”

Which other retailers have seen cyber attacks?

The Co-op has been unable to take card payments in some of its stores as shoppers also face empty shelves because of the continued fallout of a major cyber attack.

The Manchester-based co-operative is among a number of retailers, including Marks & Spencer and Harrods, to have been hit by hacks on their IT systems in recent weeks.

Customers reported on Tuesday that three stores in Manchester had signs indicating that they were “cash only” as their card machines were offline. It is also understood that contactless payments have been affected in a small number of stores, with the group working to get normal systems restored. The vast majority of the retailer’s 2,300 shops are still taking usual forms of payment.

It comes as shoppers have also highlighted empty shelves in some stores, alongside signage indicating that availability has been affected by the cyber attack.

A Co-op spokesman said: “This means that some of our stores might not have all of their usual products available and we would like to say sorry to our members and customers if this is the case in their local store. We are working around the clock to reduce disruption and resume deliveries. We would like to thank our colleagues, members, customers and suppliers for their understanding during this time.”

Last week, the Co-op apologised after hackers extracted members’ personal data such as names and contact details. It said it had to shut down parts of its IT systems after experiencing “sustained malicious attempts” to access its systems.

Luxury London department store Harrods said it had restricted internet access across its sites on Thursday as a precautionary measure following an attempt to gain unauthorised access to its systems.

Who is investigating the cyber attacks?

On Friday the Information Commissioner’s Office said it is looking into the Marks & Spencer attack, as well as a similar incident involving the Co-op.

Stephen Bonner, deputy commissioner at the ICO, said: “We can confirm we have received reports from Marks and Spencer plc and the Co-op Group. We are making enquiries with these organisations and working closely with the National Cyber Security Centre (NCSC).”

What has the government said about the Marks & Spencer cyber attack?

The CyberUK conference is taking place in Manchester from today until Thursday. Chancellor of the Duchy of Lancaster Pat McFadden is due to speak and an excerpt from his speech has already been made public. He is due to say: “These attacks need to be a wake-up call for every business in the UK. In a world where the cybercriminals targeting us are relentless in their pursuit of profit – with attempts being made every hour of every day – companies must treat cybersecurity as an absolute priority.

“We’ve watched in real time the disruption these attacks have caused, including to working families going about their everyday lives. It serves as a powerful reminder that just as you would never leave your car or your house unlocked on your way to work, we have to treat our digital shop fronts the same way.”
