The M&S cyberattack has caused chaos – Britain’s enemies will be watching and learning

Shoppers looking to top up their Sparks points or pick up their weekly groceries may find things difficult at Marks & Spencer, which is still reeling from the impact of a cyber incident – believed to be a ransomware attack – launched against its business last month.

The supermarket announced on Wednesday in a stock market update that disruptions are expected to persist through July. It also informed investors that its online sales and profits in the fashion, home, and beauty departments have been “heavily impacted”.

Co-op shoppers may well count their blessings, as we’ve recently learned that the retailer has taken “proactive measures” to mitigate the dangers of its own cyberincursion.

Combined with ever more headlines about high-profile hacks, and even suggestions that cybercrime was behind the recent countrywide power outage in Spain and Portugal – something the countries have denied – it’s easy to think we’re in the throes of a major hacking flurry.

Such a supposition would be correct. The cold, hard reality is that although we’re facing the impact of the attacks at first hand, with bare supermarket shelves and disrupted businesses, when it comes to the problems businesses are facing daily from cybercriminals, this is just a drop in the ocean.

“These are high-profile names so make the headlines, but they are the tip of an iceberg of attacks daily,” says Alan Woodward, professor of cybersecurity at the University of Surrey.

“These serious criminal attacks tend to come in fits and starts, with no obvious pattern,” says Ciaran Martin, a former head of the National Cyber Security Centre, and now a professor at the University of Oxford.

While many have been keen to try to combine the attacks against supermarkets with other issues unrelated to cybercrime, such as the electricity outages in Spain and Portugal, the reality is that there’s often little connection between the individual actions. “I don’t think these particular attacks are linked,” says Woodward. “They’re probably different malware and groups.”

Although little is known about the attempted hack that the Co-op reportedly managed to repel recently, the group behind the Marks & Spencer attack is believed to be Scattered Spider, an English-speaking entity whose members were linked to a 2023 ransomware attack against two US casino operators, which brought Las Vegas hotels to their knees.

open image in gallery

The reason why hackers launch these attacks is simple: many victims end up paying. Although official advice is to stand firm against criminals, the chaos it can cause to businesses – one retail expert has said M&S could be losing £3.5m a day in lost sales, while its stock market value has also taken a hit – means many do pay up.

That results in a bonanza for cybercriminals. While the total estimated takings by ransomware gangs in 2024 ($813m) were down from 2023’s record-breaking year of $1.25bn, according to Chainalysis, it’s still a pretty penny. The UK government is planning on introducing legislation to make ransomware payments by public bodies illegal.

open image in gallery

And each attack has an impact. “They’re a reminder to private and public sector leaders that rampant cybercrime is a potent threat to their organisation,” says Martin. He’s also concerned that the attacks and our comparatively limp response to solving the issue (M&S has been struggling to fix things since Easter) set a precedent that encourages more hacks.

“What it does indicate is the inexorable rise in the number of attacks,” says Woodward. “We’re getting better at repelling attacks, but occasionally one will get through due to the increasing volume.” It’s akin to the old warning by the Provisional IRA in the 1980s: “We only have to be lucky once. You will have to be lucky always.”

“My national level worry is that this gives other bad actors a playbook on how to disrupt Britain at scale,” says Martin. “We can cope with these attacks individually, painful though they are. But what if lots of them are launched at the same time? I think that’s becoming the strategic worry rather than the single big, spectacular, Hollywood movie cyberattack.”

open image in gallery

Leaders in countries like Russia, North Korea and Iran – all of which reportedly have state-sponsored hacking groups, and all of which have tried at one time or another to target Western countries like the UK with these kinds of attacks – will be looking on and learning from how we’re responding to these mischief makers and private criminal enterprises. “There are worrying signs that some potentially hostile states are catching on to the potential of these types of attacks as a weapon against us,” says Martin. “They’re learning from the criminals.”

“Today’s hackers don’t just break into computers; they break the trust between companies by abusing supplier links, employee accounts and APIs [application programming interfaces] all along the supply chain,” says Nathaniel Jones, vice-president of security and AI strategy at Darktrace, a cybersecurity company.

Tackling that scourge is tricky, says Jones. Having deep defences, and an environment where individuals are always asked to prove their identities, and to limit access to private files – sometimes called a “zero-trust” approach – can help. “But putting those ideas into practice is tough in retail, where systems and suppliers change all the time,” Jones admits.

open image in gallery

Still, more work needs to be done – and it can’t just be from the businesses themselves, believes Jones. “The government also has an opportunity to drive up cybersecurity standards in its upcoming Audit and Corporate Governance Bill, which could play an important role in addressing these risks,” he says.

The reason why we need to address the issue can be seen on the shop floors and hospital wards that have faced down the hackers and struggled. “The disruption is a direct result of our hyper connectivity, and the fact that many have moved their services online as it’s cheaper,” says Woodward. “The government has identified what is critical infrastructure and does make efforts to work with those that provide the services so they are robust. But loss of a single service, say an online government service where one can deal with them only online, can cause enormous disruption to life.”

Woodward believes government is less worried about a single big attack and more about lots of individual, sustained attacks against smaller, softer targets. “Yes, someone might try to take out the grid – and never say never – but it’s more likely it will be gumming the works in local government, telecoms, hospitals and banking,” he says. It’s for that reason that Woodward keeps cash and a few days’ worth of water in his cupboard – and food too. Because you never know when the shops might stop.