Q&A: Why is it taking M&S so long to recover from a cyber attack?

30 April 2025, 14:12

A Marks and Spencer store on Oxford Street (PA)

The retailer has been dealing with the fallout from a ‘cyber incident’ since last week.

Marks and Spencer is still suffering the effects of what it has called a “cyber incident” which began last week.

The retailer is still not taking online orders and shelves in some stores are now empty after it took some of its systems offline in response to the incident.

Here is a closer look at what has happened, and why it has taken the firm so long to recover.

A view of empty shelves inside a Marks & Spencer shop in Paddington (Holly Williams/PA)

– What has happened to Marks & Spencer?

The retailer has been struggling with its internal services for more than a week after being hit by what it is calling a “cyber incident”.

The incident first affected the firm’s contactless payment and click and collect orders, before M&S then paused online orders through its app and website. These have remained down since.

In addition, some M&S stores have now been left with empty shelves.

A spokeswoman for M&S said on Tuesday that it had taken some of its systems “temporarily offline” as part of its “management” of the incident, and this had meant “pockets of limited availability” in some stores.

On Wednesday, the Metropolitan Police confirmed it was investigating the incident.

The Marks & Spencer website stating that the company has paused online orders (marksandspencer.com)

– Do we know what caused the ‘cyber incident’?

M&S has not confirmed the cause, but it has been widely reported that the company has been the victim of a cyber attack, and specifically a ransomware attack.

Ransomware incidents involve hackers gaining access to a computer system and using malware to steal or block access to files – often encrypting them – before demanding a payment, usually in cryptocurrency, to return the impacted data.

Many cybersecurity experts, and the official advice in the UK, urge organisations not to make ransom payments in incidents like this, because there is no guarantee that the hackers will return the stolen data, and making payments can help criminal enterprise and encourage others to carry out similar attacks in the future.

A hacking group operating under the name Scattered Spider has been linked to the attack, according to reports, with technology industry title Bleeping Computer first linking the group to a potential ransomware attack against the retailer.

However, neither that group nor any other has yet publicly claimed responsibility for the incident.

– Why is it taking so long for M&S to recover?

Cyber attacks are complicated incidents which can be difficult to recover from.

Unlike non-malicious events such as service outages, which are often down to faulty updates or human error that can be quickly identified and resolved, cyber attacks often involve malware sweeping through different, complex systems and causing widespread problems.

As a result, they can take time to get on top of, requiring thorough analysis to ensure hackers have been properly expelled.

– What have cybersecurity experts said?

Industry expert Sam Kirkman, director of services for Europe, the Middle East and Africa at cybersecurity firm NetSPI, told the PA news agency the hackers had likely targeted M&S’ “core IT infrastructure”, which means attackers can “cripple multiple areas of a business at once, maximising their impact and making it very difficult to recover without extensive rebuilding of key IT systems – which takes time.”

He said: “To use an analogy: rather than target individual branches of the tree, these attackers have likely targeted the roots.

“Recovery will require careful use of the limited resources that remain. Rushed decisions may compound the difficulties already present.”

He added that the very nature of such attacks was designed to pressure an organisation into paying a ransom.

“Most ransomware attacks will target the central systems used to manage IT across an organisation,” he said.

“This is designed to hinder recovery, by limiting the ability of administrators to take corrective action. This is used to pressure an organisation into paying the ransom demand.

“M&S is almost certainly dealing with ‘circular dependencies’ as a result of this attack. It is very common for modern IT systems to rely on other IT systems.

“Where this is the case, it is often necessary to restore systems in a specific order and/or across a large area of the business before normal operations can be resumed. This means that progress may appear slow, until the final stages of recovery.”

Mr Kirkman said that it was also common for attackers to target system backups, and to threaten to attack again if attempts are made to recover systems, causing further delays.

Jake Moore, global cybersecurity adviser at Eset, said the incident was a “complex, deep rooted problem”.

“The intricacies of a ransomware attack are nearly impossible to predict and often things can change dynamically even once it looks like everything is back on track,” he said.

“The nature of restoration can be incredibly slow whilst untangling how far back the system will need to be recovered.

“Senior figures and IT experts will be under an enormous amount of pressure to work around the clock to restore functionality. Not only will there be efforts needed to bring it back online but there will be further testing required and areas will naturally need to be patched.

“Cybercriminals will also be monitoring the successes of getting the company back to business. But rebuilding infrastructure and preventing further damage takes time and the last thing M&S need is a further attack as soon as it is restored.”

By Press Association
