Marks & Spencer Group Plc is facing a £300 million ($403 million) hit to operating profit this fiscal year from a cyberattack last month it blamed on human error that is still disrupting sales and operations
.
The British retailer will try to mitigate the impact with cost savings and insurance payouts, it said Wednesday. Online clothing and home orders, which account for more than £3 million of sales a day, will resume “in a matter of weeks,” M&S said, with the disruption expected to continue into July.
It is a major setback for a business that was delivering on Chief Executive Officer Stuart Machin’s turnaround plan. M&S reported the highest pretax profit in 15 years for the year that ended before the cyberattack, as shoppers bought more groceries and as the brand shook off its reputation for dowdy clothing designs.
Read more: M&S’ Slow Recovery From Cyberattack Puts it at Risk of Lasting Damage
M&S’s shares rose 2.6% in London, reversing an earlier decline and paring a 10% drop since the attack was announced on April 22.
The company called the attack a “bump in the road,” but the hit to operating profit — which is roughly equivalent to a third of last year’s performance — is worse than analysts expected. Still, quantifying the cost suggests “management is confident a solution is in sight,” analysts at Deutsche Bank said in a note.
M&S is only just starting to flesh out details of the attack, which forced it to halt contactless payments and created gaps on shelves as it took some IT systems offline. Last week it said some personal customer data was stolen.
Hackers entered M&S’s systems via “human error” at a third party, Machin told reporters on a call. He declined to comment on media reports that the business partner was Tata Consultancy Services, saying only that M&S is “grateful to all third parties we work with.”
“We have to be vigilant and lucky every day — threat actors only have to be lucky once,” he said. “We didn’t leave the door open, this wasn’t anything to do with under-investment.”
A cybercrime gang known as “DragonForce” has taken credit for the M&S hack, as well as other attempts to infiltrate grocer Co-op Group and luxury department store Harrods Ltd. The group told Bloomberg it carried out the attacks with partners to extort money from victims and plans to hit the UK’s retail sector again, saying the recent breaches were “just a start.”
