Cyberattacks blight Britain's retailers as M&S, Co-op's systems' breached

By James Davey and Sarah Young

LONDON (Reuters) -Britain's Marks & Spencer entered a second week unable to take online orders on Friday following a major cyberattack, while food retailer the Co-op Group said hackers had stolen customer data.

Some 700 million pounds ($930 million) has been wiped off the stock market value of M&S since the hack was revealed last week, and news that the Co-op and London department store Harrods have also faced incidents in recent days was described as a "wake up call" by the government's National Cyber Security Centre (NCSC).

British companies, public bodies and institutions have been hit by a wave of cyberattacks in recent years, costing them tens of millions of pounds and often months of disruption.

The 141-year-old M&S, one of the best known names in British business, stopped taking clothing and home orders through its website and app on April 25 following problems with contactless pay and click and collect services over the Easter holiday weekend.

The Co-op first revealed a cyberattack on Wednesday but said on Friday that information relating to a significant number of its current and past members, including personal data such as names, contact details and dates of birth had been taken.

Ciaran Martin, the former CEO of the NCSC, told Reuters that so far there were no signs that the attacks on M&S, the Co-op and Harrods were linked, with the latter two possibly discovered as a result of increased vigilance following the M&S incident.

"If this can happen to M&S, it can happen to anybody," he said, noting that after such a serious attack there was nothing unusual about the length of the recovery period.

On Friday, M&S CEO Stuart Machin again apologised to shoppers, without saying when online ordering would resume.

"We are working day and night to manage the current cyber incident and get things back to normal for you as quickly as possible," he said in an email sent to M&S customers.

With M&S, which has about 1,000 stores across Britain, making around one-third of its clothing and home sales online, analysts have said a short-term profit hit is inevitable.

M&S has declined to quantify the financial impact, which is growing by the day as it misses out on sales of new season ranges with the UK basking in record May temperatures.

Commuters were locked out of their accounts for almost three months last year after a cyberattack at London transport operator TfL, while a cyberattack on a blood test processing company in London also last year disrupted services for over three months.

Availability of some food products has also been affected in some M&S stores, while the disruption may be having a broader impact on the business, which has pulled job postings on its website.

Shares in M&S closed down 1%, extending losses since Easter to about 9%.

'INCREASINGLY SOPHISTICATED' ATTACKS

Helen Dickinson, CEO of trade body the British Retail Consortium, said cyberattacks were becoming "increasingly sophisticated", forcing retailers to spend hundreds of millions of pounds every year on defences.

"All retailers are continually reviewing their systems to ensure they are as secure as possible," she said.

Technology specialist site BleepingComputer, citing multiple sources, said a ransomware attack that encrypted M&S's servers was believed to have been conducted by a hacking collective known as "Scattered Spider".

The NCSC is working with the affected retailers, while the Metropolitan Police's Cyber Crime Unit and the National Crime Agency (NCA) are investigating the M&S attack.

“These incidents should act as a wake-up call to all organisations," said NCSC head Richard Horne.

Labour lawmaker Matt Western, Chair of parliament's Joint Committee on the National Security Strategy, said the government should do more to prevent major cyberattacks.

"As the Government concludes its consultation on proposals to counter ransomware, I hope its response treats these threats with the seriousness they clearly deserve."

($1 = 0.7524 pounds)

(Reporting by James Davey and Sarah Young, editing by Kate Holton, Elaine Hardcastle and Louise Heavens)