M&S cyber crisis wipes almost £700mn off retailer’s valuation


A suspected cyber attack has wiped almost £700mn off the value of Marks and Spencer, as the FTSE 100 retailer battles to restore its operations after almost a week of disruption.

M&S told some customers on Monday that it did not know how long it would take to restart online orders, after the incident forced it to stop accepting orders of clothing and homewares on Friday last week.

Meanwhile, about 200 agency staff at M&S’s main online distribution centre in Leicestershire were told to stay at home, as there were fewer orders to fulfil. M&S’s online sales of clothing and homeware amounted to £1.27bn last year, equating to an average of about £3.5mn a day.

M&S shares dropped more than 2 per cent on Monday morning, extending their decline to 7 per cent since last Tuesday, when it first disclosed its IT systems had been disrupted. M&S’s market value has dropped by £678mn in that time.

The retailer has struggled to process contactless payments and has paused click-and-collect orders in stores. Some stores are no longer accepting product returns.

The chaos threatens to disrupt a turnaround under chief executive Stuart Machin. The retailer, which reported adjusted pre-tax profit of £716.4mn last year, is expected to announce its full-year results on May 21.

Cyber security experts said the episode at M&S bears the hallmarks of a ransomware attack, in which cybercriminals steal data from a company or lock its IT systems and demand cash.

Andrew Northage, a partner at law firm Walker Morris, who has experience in cyber security law, said: “You can’t rule out that it’s something else but . . . it looks like a cyber attack”. He added that M&S will try to establish why they’ve been attacked and “what the bad actors are looking for — is it ransom? is it publicity?”

M&S is one of several retailers to suffer significant IT disruption of late. Christmas sales at supermarket chain Wm Morrisons were disrupted badly by a cyber attack last year, and both Currys and JD Sports have suffered attacks that breached customer data.

M&S told customers last week that “there was no need for them to take any action”, suggesting it believed their data was safe. The company declined to provide an update on the situation on Monday.

Kate Calvert, an analyst at Investec, said that while M&S customers would experience “a lot of short-term frustration”, the cyber attack would probably not harm the company’s brand in the long term.

However, Calvert added, competitors would profit from M&S’s problems in the meantime. “If you’re about to go on holiday, and you’re not getting [products] from M&S, you’ll buy them somewhere else”, she said.

M&S has reported itself to the Information Commissioner’s Office and is working with the National Cyber Security Centre to respond to the breach. All organisations have a duty to report breaches to the ICO within 72 hours of becoming aware of an incident.
