In the same April week, two important retailers in the UK, Co-op and Marks & Spencer, were hit by major cyber-attacks. The attacks on Co-op and M&S are said to have been carried out by the same hackers. Among others, the attacks disrupted supply chains leading to empty shelves.
In order to protect the company, Co-op had shut down some of its systems. According to insiders, the company narrowly averted being locked out of its computer systems during the attack. Nevertheless, the retailer confirmed that the criminals were able to steal private customer data.
Marks & Spencer also admitted that personal customer data was stolen in the hack, including dates of birth, household information, telephone numbers and ‘masked’ payment card details, the theft did not include any account passwords. The attack affected the company’s loyalty app, online orders and contactless payments as well as parts of the supply chain. Some of the M&S stores had to turn into cash-only.
A good two months after the cyber-attack, M&S had started taking some online orders again.
A law firm has prepared for a class action data lawsuit against M&S, it signed up over 350 claimants in one week. The theft of customer data, while not an immediate concern on its own, does open up customers to a greater risk of fraud and scams with people either posing as M&S or using the stolen data to feign knowledge of the customer.
The food and beverage industry has faced growing criticism for its inadequate preparedness against cyber threats, with experts labelling its defences as weak. This vulnerability was starkly highlighted by a Marks & Spencer head office employee, who revealed to Sky News that the company “had no business continuity plan” in place for a cyber-attack.