It's Murder in the Malls

Recent high-profile cyberattacks in the United Kingdom targeting retailers including Harrods, Marks & Spencer and Co-op have thrown a spotlight on the importance of cybersecurity in the retail sector. These incidents have thrown a spotlight on the damage cybercriminals can inflict on a company’s reputation, operations, and financial standing. Reports have M&S dropping £700M in share value with analysts at Deutsche Bank estimating the continuing weekly trading impact at £15M. 

NCSC, the entity in UK entrusted with the civil security of the country, and Cabinet Office minister, Pat MacFadden, have predictably declared this a “wake up call” for every business in the UK. However, given the speed at which the Gulf region has embraced digital transformation, especially in the retail industry, the warning should be heard just as loud here.  

Harrods, the globally iconic luxury department store, confronted a data breach in which customer information, including email addresses, was compromised. This ransomware attack and the others on M&S and Co-op were carried out by a hacker group called Scattered Spiders. Harrods appears to be on top of the attack and while it has not declared the extent of the impact it has assured customers that its operations are continuing as normal. 

Marks & Spencer, a UK retail giant famous for food, clothing and home products, also fell victim to Scattered Spiders ransomware attack. Marks & Spencer first revealed the cyber attack on Monday, April 21, after customers reported payment issues and delays receiving online orders. While the store understandably played down the event assuring shoppers that Marks & Spencer remained open for business. However, M&S took its internet shop offline and a week later it has not resumed trading; there are tales of clothing shortages, food wastes and millions lost each day. It seems safe to conclude that M&S’s logistics and automated stock control systems are deeply impacted and clearly there are significant issues with the online shopping platform. 

While the cyber-attack itself is clearly materially negatively affecting the business the media, in their irresistible urge to hype every story they can find using all of the hyperboles in the book, have delighted in publishing pictures of empty shelves in shops, questioning whether the business can survive and dredging up the implausible alleged “insider claims’ from ‘M&S head office” that they didn’t have ‘any business continuity plan [for this], we didn’t have a cyber attack plan’. The impact of the media response on M&S’s reputation can’t be far behind the damage meted out by Scattered Spiders. 

Moving down the high street hierarchy, Co-op, a supermarket chain, fell victim to a ransomware attack apparently carried out by Dragonforce. This event led to the shutdown of essential operations, in particular the checkout systems interrupting business operations. However, in the case of Co-op the business has confirmed that up to 20m sets of customer data including names and contact details may have been accessed.  In contrast with M&S, the mechanics of the ransomware attack appears to have been focused on personal data capture as opposed to throwing an almighty spanner in the works of the operating systems. 

While the epicentre of this wave of high-profile retail attacks is the United Kingdom, Gulf-based retailers should take this as a call to arms. With many of the Gulf nations hitching their wagons to technology in general and AI specifically and with digital commerce as a hallmark of their diversification of economies, the retailers of Saudi Arabia, the United Arab Emirates, Qatar, Oman, Bahrain, and Kuwait make attractive targets for cybercriminals looking to exploit the dense flow of online payments, customer datasets and supply chain networks.

Another factor intensifying the discussion is the evolving regulatory environment. Governments across the Gulf are introducing and enforcing stricter laws on data protection and cybersecurity and backing that up with meaningful fines and other sanctions. Non-compliance with local regulations risks triggering investigations, potential fines and legal repercussions. Retailers must remain informed about new laws and adapt quickly to be compliant.

It is a decent assumption that the only people who are really well cyber secure are those who have just suffered a major incident but that surely is a case of bolting the stable door after the horse is well down the road. 

There are lessons for the retail and other sectors from the cyberattacks on Harrods, Marks & Spencer and Co-op. Of the three, Harrods appears to have got off very more lightly than the others - which is interesting given the threat actor seems to be the same as for Marks & Spencer.  The questions that spring to mind include: Did Harrods have better security and cyber controls? Were they better practised in the handling of cyber incidents? Did they have a better and more effective response plan that enabled them to isolate the incident and restore their operations? Why has the media rounded on Marks & Spencer – did Harrods have a better PR/Comms plan? 

With AI supercharging the cybercrime engine, now is a good time to take a cold hard look at your ability to deal with a major incident. Other than considering the mirror image AI supercharger for cyber defence, your best option lies in making sure the basics are in place and match fit.  This is largely made up of digital and physical security and making sure they are as good as you can live with; zealously patching and updating your systems; training the troops generally in cybersecurity and acutely for your cyber heroes and responder team; and practice – there were 1178 spaces in the lifeboats of the Titanic. Only 705 passengers filled those spaces despite the ship taking nearly three hours to sink. Practice, practice and practice some more.  

The Bird & Bird International cyberteam was set up in 2010 and has supported all manner of clients from across the globe in developing and implementing cyber resilience, getting to grips with cyber relevant regulation, advising on cyber insurance, providing 24/7 incident response and dealing with the aftermath of incidents. If you are looking for markedly practical guidance and support from a team that had been around the cyber block a significant number of times, we will be delighted to have a chat. Please reach out to Simon Shooter.