Marks & Spencer will be over the worst of its devastating cyber attack by August, chief executive officer Stuart Machin told shareholders as the British retailer faces questions over whether the incident could have been prevented.
The April attack on M&S forced the group to close its online store for nearly seven weeks and led to empty shelves at shops during May as automated stock systems were shut down. The incident has cost the company an estimated £300 million in lost profits this year.
"I'm really hoping by August, the majority of this is behind us," Machin said at the company's annual general meeting on Tuesday, the first opportunity for shareholders to publicly question the company about the attack and its consequences.
The cyber attack, which has been linked to hacking group Scattered Spider, disrupted contactless payments and click-and-collect services. It also led to a data breach involving staff information, though M&S said no sensitive details such as passwords or home addresses were accessed.
Chairman Archie Norman acknowledged that there was always something that could be done to prevent such attacks and said M&S continued to examine the incident. Machin emphasised that the company had quadrupled investment in cyber security and trebled the number of colleagues working on protecting its systems over the 12 months before the attack.
"I'm glad we invested then. I'm glad we continue to invest," he said.
M&S's online shop is still only partially open but is expected to be fully restored within the next four weeks, Machin confirmed. The company had previously warned that there would be disruption to online services until July. Internal systems including automation at its Castle Donington logistics warehouse are expected to be back up and running by August.
The retailer began reopening its online store last month, with a selection of fashion and homeware available for delivery to England, Scotland and Wales. However, services including click-and-collect remain unavailable, and customers in Northern Ireland and the Republic of Ireland are still waiting for online services to resume.
One investor questioned whether Machin's bonus should be cut because the cyber attack happened under his watch. The chief executive officer's total pay package in the company's past financial year jumped 39 per cent to £7.1 million. Norman said the group's philosophy was to adjust incentive pay to reflect shareholder rewards but it was too early to say how that might look this year.
"The financial effect of this will be taken into account with regards to incentive pay, but it's too early to say," Norman told shareholders.
Machin said the focus now was on recovery and strengthening training to help staff guard against the type of social engineering that allowed hackers into M&S systems via a third-party contractor.
The attack is just one of several recent cyber incidents affecting major retailers, with Co-op also temporarily shutting down parts of its IT infrastructure earlier this year following a similar attack.
Recent Stories