UK retail brands have taken a digital battering over the past few months. Over 10 days in April and early May, Marks and Spencer (M&S), the Co-operative Group and Harrods were hit by cyber attacks that crippled their business-critical services, including ecommerce and payments processing. Then, in June, H&M suffered an IT outage, which briefly took its in-store payments systems offline.
Although the cause of the H&M outage has not been announced, some observers speculate that hackers are to blame. Indeed, DragonForce, a new purveyor of ransomware-as-a-service, is thought to be behind some of the most impactful attacks.
Cyber attacks can be detrimental to the bottom line. According to data from Dynatrace, an IT-analytics firm, and FreedomPay, a payments platform, companies can bleed millions of pounds within minutes if their payment or retail services are impacted by an attack. The report found that victims could lose up to £73m of revenue per minute in the first 10 minutes of their payments systems going offline.
Attack victims are at risk of reputational damage, too, especially if they have failed to establish robust business-resilience procedures. Any disruptions to online or in-store services could motivate customers to take their business elsewhere.
Retailers are attractive targets for cybercriminals because they have very large organisational footprints and plenty of customer data.
Quarter of businesses suffered cyber attack over past year
More than a quarter of organisations in the UK have suffered a cyber attack over the past 12 months, up by 16% from the previous year, according to new data from the Royal Institution of Chartered Surveyors (RICS).
A survey by the organisation found that 27% of facilities managers, service providers and consultancies had suffered such an attack. Meanwhile, 73% of business leaders expected disruption from cyber incidents over the next two years.
The group warns that insecure physical footprints may be partially to blame for the uptick in cyber attacks. Paul Bagust, who is the head of the property practice at RICS, warned in the Guardian: “Buildings are no longer just bricks and mortar. They have evolved into smart, interconnected digital environments embracing increasingly sophisticated and ever-evolving technologies.”
Embedding digital systems in physical locations comes with a high level of risk, increasing the attack surface that must be protected against any interlopers.
That is especially risky for retailers with brick-and-mortar stores because their buildings are open to the public. Attackers can quite casually scope potential ways into networks – say, unguarded network sockets. RICS pointed to building-management systems, internet-of-things devices, access control systems, CCTV networks and even ventilation and air condition systems as potential entry points.
Below are some of the retailers that have suffered cyber incidents or major IT outages in the UK this year.
Adidas
Adidas reported a data breach in May after cybercriminals accessed customer information through one of its third-party customer-service providers.
The incident affected customers who had contacted the company’s help desk. Although no payment information or passwords were leaked, the attackers managed to steal customer names and contact details. Adidas’s day to day operations were not impacted.
Harrods
On 1 May, Harrods disclosed that it had been hit by a cyber attack, making it the third major retailer after M&S and the Co-op to be targeted in a 10-day digital crime spree.
The luxury department store said attackers had attempted to gain unauthorised access to its systems. Its security teams promptly restricted internal IT systems and paused internet access in its stores as a precaution.
Thankfully, its operations were largely unaffected – its physical stores remained open and the retailer continued to process online orders as usual. The company found no evidence of customer data being compromised.
H&M
Speculation is mounting that a major IT outage at H&M in early June was the result of a cyber attack. The incident briefly affected the fashion retailer’s payments systems, leaving customers unable to pay for goods in stores across the UK. In some locations, the disruption persisted for two hours. H&M apologised to customers but has not confirmed what caused the outage.
Marks and Spencer
M&S was struck by a significant ransomware attack over the Easter weekend and is still dealing with the impacts over two months later. The attack caused all online orders to be suspended and also prevented the retailer from accepting contactless payments in its stores.
Although the attackers gained access to customer information, M&S maintains that payment details and passwords were not compromised. At the time of writing, some online ordering and delivery services have been restored but others remain unavailable.
The incident, which caused M&S to lose £300m in market value, has been described as the most financially damaging cyber attack ever suffered by any UK retailer.
The Co-operative Group
The Co-operative Group, which is owned by its members and runs more than 2,000 supermarkets across the UK, fell victim to a cyber attack in April, disrupting IT systems and leading to empty shelves at many of its stores.
Initially, the retailer reported that no data had been stolen, but later confirmed that criminals did indeed obtain member data, including names and contact information.
The Co-op shut down parts of its IT systems as a precautionary measure, which led to significant disruption in the short term but may have prevented hackers from deploying ransomware and causing even greater damage.
UK retail brands have taken a digital battering over the past few months. Over 10 days in April and early May, Marks and Spencer (M&S), the Co-operative Group and Harrods were hit by cyber attacks that crippled their business-critical services, including ecommerce and payments processing. Then, in June, H&M suffered an IT outage, which briefly took its in-store payments systems offline.
Although the cause of the H&M outage has not been announced, some observers speculate that hackers are to blame. Indeed, DragonForce, a new purveyor of ransomware-as-a-service, is thought to be behind some of the most impactful attacks.
Cyber attacks can be detrimental to the bottom line. According to data from Dynatrace, an IT-analytics firm, and FreedomPay, a payments platform, companies can bleed millions of pounds within minutes if their payment or retail services are impacted by an attack. The report found that victims could lose up to £73m of revenue per minute in the first 10 minutes of their payments systems going offline.
