The retailer says the supply issues are linked to a cyber attack by a criminal gang - Neil Stevenson for The Telegraph
Marks & Spencer shoppers face empty shelves as the retailer grapples with the fallout from a crippling cyber attack that has lasted more than a week.
Customers complained of finding “completely empty” shelves in M&S food halls, with items including bananas, fish and Colin the Caterpillar cakes out of stock.
In one shop, The Telegraph saw signs displayed on hot food counters saying they were “temporarily closed.” It said: “Due to technical issues, we aren’t able to offer these products at the moment. We’re working hard to resolve the problem and will have these items back in stock as quickly as possible.”
When asked, staff claimed the supply issues were linked to a cyber attack by a criminal gang that began before Easter and has already forced M&S to stop online orders.
A spokesman for M&S said the decision to take some of its systems temporarily offline had resulted in “pockets of limited availability in some stores”, adding: “We are working hard to get availability back to normal across the estate.”
Empty shelves are the latest sign that the retailer is struggling to contain the fallout from the crippling cyber attack. On Monday, M&S customers were left unable to make online orders for a fourth day.
In a message on its website, M&S said the pause on orders was “part of our proactive management of a cyber incident”. The company has so far given no indication as to when the disruption will end.
Shoppers have been left increasingly frustrated. One writing on social media claimed they had driven an hour to an M&S store in Aberdeen, only to find many groceries missing. They said: “M&S needs to keep customers better informed.”
Another said large areas of shelves were empty in their local M&S food hall, adding: “Half the stuff I normally buy was gone.”
One customer wrote: “When will online orders resume? I go on holiday at the weekend and have been waiting to order some clothes for my children.”
Others shared memes with the slogan: “This is not just a cyber attack. This is an M&S cyber attack.”
Disrupted deliveries
The group has said it will refund orders placed by customers on Friday. Customers who want to collect orders placed online have been advised to wait until they receive an email to collect their purchases, although this could take longer than usual.
Staff claimed the stocking issues were down to disrupted store deliveries following the cyber attack, with some workers saying that they received much fewer pallets than normal, while others said their stores were being overloaded with stock.
On Monday, M&S told agency workers at one of its major distribution centres in the East Midlands not to come to work as the fallout from the incident escalates.
At the Castle Donington warehouse, which handles M&S clothing and homeware, about a fifth of workers are agency staff.
Shares in the company slumped by as much as 3pc on Monday in response to the ongoing disruption.
More than £500m has now been wiped off the value of M&S over the past week, with the stock price down by more than 6pc.
‘True cost’
Nicholas Found, from Retail Economics, said: “While the true cost will only be clear once the dust settles, it’s likely to be costing Marks & Spencer seven figures per day, as digital channels have been offline for a prolonged period. With a spell of good weather forecast this week, shoppers will be encouraged to buy summer outfits, but are unlikely to wait around.”
M&S has declined to comment on the nature of the cyber incident but The Telegraph understands it is a ransomware attack mounted by a criminal gang.
In these attacks, criminals infiltrate an IT system, freeze it and demand payment from companies before allowing them to gain control again.
While M&S has not commented on the gang behind the attack, cyber criminal groups are often given a safe haven in Russia, while others have operated out of Eastern Europe, Iran and China.
Oxford University’s Cybercrime Index ranked Russia as the number one source of criminal ransomware attacks, followed by Ukraine and China.
Targeting its online business will be extremely costly for M&S. More than 3m orders are placed online at M&S every month, of which about 2.2m are click-and-collect orders. It suggests that as many as 450,000 click-and-collect orders will be have been affected over the past week.
The company has set out a target to make half of its clothing sales online. In its last financial year, it sold £1.3bn worth of clothing and homeware online, accounting for around a third of the total sales in the departments.
Figures seen by The Telegraph from YouGov suggest that the attack has started to weigh on customers’ attitudes towards the retailer. M&S’s “buzz” score, which maps whether people are hearing positive or negative things about a brand, has fallen from 21 for its fashion business to 15.5 since April 21.
The retailer was the worst performer on the FTSE 100 on Monday despite a rally among its peers on London’s stock markets.
The decision to stop customers placing orders is the latest in a series of steps taken by M&S as it scrambles to respond to the cyber attack. The company last week switched off some IT systems that allowed its staff who work from home.
Customers claimed the chaos over the Easter weekend meant they had to leave full baskets at checkouts, while others said that they were being held in queues outside stores.
It is thought that the ransomware attackers are no longer in M&S’s systems and the company declined to comment on why it had taken the decision to block online orders.
