Global Periscope

Marks & Spencer loses £1 billion in stock market value in one month due to a cyberattack

British department store informs 9.4 million online customers that their data has been stolen

A general view of the Marks & Spencer flagship store on Oxford Street, central London, in a file photo.
21/05/2025

London. Only those with a long memory and a few years behind them will remember the Marks & Spencer (M&S) store on Barcelona's Plaza Catalunya (it opened in 1999), in the same building that once housed the famous Banco Central, which was the site of the May 1981 robbery and now houses a Primark. And perhaps they also remember the one that used to be inside Illa Diagonal. These were two of the nine stores the British chain had in Spain since its first establishment in Madrid (1994). M&S abandoned all its operations in the continental market in 2001, when it closed the 38 stores it had on the other side of the English Channel.

Last year, Marks & Spencer made its physical return to Spain, opening a new store in the La Vaguada shopping center in northern Madrid, this time operating as a franchise. The British press has recently speculated about the possibility of a physical return to Barcelona as well. In any case, whether it actually happens or not, the opening of the center in Madrid—as well as a couple in Malaga and Marbella—was the culmination—and perhaps the first step—of a new strategy that had been launched in 2012, with the opening of the Spanish virtual store.

But, for a month now, none of the chain's more than 9.4 million active online customers can buy anything through the website: not in Spain, not in the United Kingdom, nor anywhere else. The reason: a cyberattack—it became known at the end of April, but occurred on the 19th—which has caused the vast majority of the thousand-odd stores scattered across the United Kingdom to have supply problems and empty shelves, especially food stores (M&S Food) and food sections of larger stores.

Industry specialists estimate the losses caused by the cyberattack at 40 million pounds per week. In terms of stock market value, the company has lost £1 billion since then (a 17% drop), an economic impact that has already far exceeded its insurance coverage limit of £100 million. When will it return to normal? It's still weeks away.

Fifty-two hours of assault

The newspaper The Times revealed last week that, according to ongoing digital forensics analysis, the hackers operated undetected for approximately 52 hours before the alarm was raised. Emergency teams then defended the company's IT systems during a five-day "attack phase." Finally, after much secrecy, Marks & Spencer admitted last week that all the personal data of those 9.4 million customers was stolen, although credit card information was not compromised. In any case, both the police and the media have already reported scams through the usual means: phishing. But a massive presence of this data on the dark web has not been detected.

This week was supposed to be a jubilant one for the company, which presented its results on Wednesday. Analysts predicted a 17% increase in pre-tax profit, up to £875 million for the period March 31, 2024-25. But the cyberattack has turned optimism into pessimism. And the company has announced a loss forecast for next year of £300 million, slightly more than the profits obtained. Online commerce will not recover until July.

How was all this possible? According to all the analysts consulted, including Professor Hosein Abroshan of the School of Computer Science and computing at Anglia Ruskin University, hackers accessed M&S systems through SIM card duplication fraud. Although the full technical details are still under investigation, The Times also reported that the hackers took control of an employee's mobile number and used fake messages to trick them into believing they needed to reset critical login credentials, which they had to validate with their phone number.

The phenomenon is not new. According to CIFAS, the UK's national cyber fraud prevention service, SIM duplication incidents have increased from fewer than 300 in 2022 to almost 3,000 in 2023. What had been primarily a risk for cryptocurrency investors or online influencers is now much more common.

Beyond the attempted cyberattacks that are multiplying throughout cyberspace, the fact is that, in less than a month, other department stores (Harrods), supermarkets (Co-op), and cold-chain food distributors (Peter Green Chilled, which supplies Aldi) have also suffered cyberattacks, although not as serious as the one on M&S. According to various reports published in the British press, a group called Scattered Spider, made up of British and American hackers, is behind these attacks. Google also reported this week that these hackers have now targeted US retailers. No one is safe.
