In a previous post, we outlined how the Marks & Spencer app shutdown occurred during an apparent backend ransomware attack. The takeaway was clear: mobile apps can become massive collateral damage during backend breaches. The cost? Substantial.
The specific details were unavailable until recently. Now they are. And they’re quite high.
It’s reported that analysts from Bank of America calculated that each week of website downtime leads to a £26 million reduction in clothing and home sales for the business. The cost for its app downtime should be similar but was not cited in the report and could have been rolled up into the website figure. A weekly loss of £17 million due to decreased in-store food sales because of contactless payment issues and product availability leads to a total of £43 million of weekly financial hemorrhaging.
That adds up fast. By the middle of this month, M&S entered its fourth week of ongoing digital disruption. The company currently faces a potential reduction of £172 million in annual revenue. And the same Bank of America analysts said they expect a potential reduction in operating profit by 7%.
The entirety of these consequences happened because of one ransomware attack. And it can’t be overemphasized that these specific “impact” figures are often not readily available. The unfortunate situation M&S experienced has revealed the severe financial damage and operational fragility that arise from shutting down digital channels. And let’s be clear: this wasn’t just a website going down. A retailer experienced its digital presence nearly vanishing in a single night.
The numbers don’t stop there. The company’s stock lost 15% of its value at a time when the FTSE 100 index experienced a 3% rise. Shareholders saw a market value reduction exceeding half a billion pounds. When app users found themselves unable to place orders or track their shipments, they encountered black screen messages along with some assurances.
The confirmed theft of customer data on May 13 only worsened the scenario. The hackers collected customers’ names along with their addresses, phone numbers, birth dates, and order histories. The breach could even enable social engineering scams to thrive because passwords and payment data could potentially be obtained. And customers? The official message read, “No action needed.” However, shaking customer trust proves difficult to restore through simple password authentication.
The suppliers have also been impacted by recent events, and some of them have resorted to using pen and paper. The M&S website removed its job postings from public access.
And it didn’t seem that there was a clearly defined roadmap.
The numbers are out—and they’re a warning. Cybersecurity isn’t just about preventing hacks. The key aspect of cybersecurity involves maintaining your business’s operational capacity even during attacks. Uncertainty in modern times extends beyond mere inconvenience. It’s expensive. Very expensive, at times.
Commentary
The Numbers Are Out: M&S Illustrates What Silence Really Costs
Table of Contents
In a previous post, we outlined how the Marks & Spencer app shutdown occurred during an apparent backend ransomware attack. The takeaway was clear: mobile apps can become massive collateral damage during backend breaches. The cost? Substantial.
The specific details were unavailable until recently. Now they are. And they’re quite high.
The cost of app downtime is heavy
It’s reported that analysts from Bank of America calculated that each week of website downtime leads to a £26 million reduction in clothing and home sales for the business. The cost for its app downtime should be similar but was not cited in the report and could have been rolled up into the website figure. A weekly loss of £17 million due to decreased in-store food sales because of contactless payment issues and product availability leads to a total of £43 million of weekly financial hemorrhaging.
That adds up fast. By the middle of this month, M&S entered its fourth week of ongoing digital disruption. The company currently faces a potential reduction of £172 million in annual revenue. And the same Bank of America analysts said they expect a potential reduction in operating profit by 7%.
The entirety of these consequences happened because of one ransomware attack. And it can’t be overemphasized that these specific “impact” figures are often not readily available. The unfortunate situation M&S experienced has revealed the severe financial damage and operational fragility that arise from shutting down digital channels. And let’s be clear: this wasn’t just a website going down. A retailer experienced its digital presence nearly vanishing in a single night.
The numbers don’t stop there. The company’s stock lost 15% of its value at a time when the FTSE 100 index experienced a 3% rise. Shareholders saw a market value reduction exceeding half a billion pounds. When app users found themselves unable to place orders or track their shipments, they encountered black screen messages along with some assurances.
The confirmed theft of customer data on May 13 only worsened the scenario. The hackers collected customers’ names along with their addresses, phone numbers, birth dates, and order histories. The breach could even enable social engineering scams to thrive because passwords and payment data could potentially be obtained. And customers? The official message read, “No action needed.” However, shaking customer trust proves difficult to restore through simple password authentication.
The suppliers have also been impacted by recent events, and some of them have resorted to using pen and paper. The M&S website removed its job postings from public access.
And it didn’t seem that there was a clearly defined roadmap.
The numbers are out—and they’re a warning. Cybersecurity isn’t just about preventing hacks. The key aspect of cybersecurity involves maintaining your business’s operational capacity even during attacks. Uncertainty in modern times extends beyond mere inconvenience. It’s expensive. Very expensive, at times.
Stay informed and secure
Written by
Jon Samsel
Head of Cybersecurity Business and Global Marketing
Share this cybersecurity insight
Other cybersecurity insights
Cybersecurity Threat Roundup #22: Copybara, Crocodilus, Lucid, and more
SparkKitty: A Silent Threat in ‘Trusted’ Apps
WestJet Breach Shows Why Downtime Is a Business Killer
Darcula’s Digital Playbook: The Global Scam That’s Redefining Mobile Threats