Clothing shortages, food waste, and millions lost each day: Inside the M&S cyberattack chaos

After weeks of disruption at Marks and Spencer, contactless payments and gift cards are now being accepted, refunds are possible, and returns are being processed in clothing and homeware stores. Picture: Chris Ratcliffe/Bloomberg
‘It’s easier to list the things that work than the things that don’t’, said one worker, but customers are impressed by staff resilience and analysts believe the retailer will bounce back.
Unusual activity on tech systems over the Easter weekend was the first sign of a sustained cyberattack on Marks & Spencer, which is costing the retailer millions of pounds a day.
The group is the UK’s biggest clothing retailer, accounting for a third of underwear sales alongside food and homewares.
It also operates 16 stores across Ireland.
Last year, M&S sales in Ireland rose 2.4% to €377m, delivering an operating profit of €32.8m. But the company has now been forced to stop taking online orders for more than a week, with little hope of rebooting them in the short term. Stores are struggling to keep shelves full with automated stock systems offline, and at one point this week staff were manually checking fridge temperatures owing to concerns about digital monitoring systems.
As the chief executive, Stuart Machin, urged shoppers to head into M&S stores over the weekend, industry insiders have suggested it could take weeks to get the retailer’s website back online and perhaps months before all systems are running – suggesting a big hit to short-term profits and service.
One source said: “It’s going to take some time but each day that passes they get more systems up.”
After days of disruption, contactless payments and gift cards are now being accepted, refunds are possible and returns are being processed in clothing and homeware stores. It is also possible to pick up online orders made before 23 April. The Sparks loyalty scheme remains disrupted.
M&S first reported problems at Easter, when it stopped taking click-and-collect orders and its contactless payments were affected. While those have restarted, problems continue across the business: it had to pause deliveries of some packaged food items to Ocado, the online grocery specialist it co-owns.
UK police and the National Crime Agency are investigating a cyberattack, which has been linked to a hacking collective known as Scattered Spider.
Meanwhile, with automated systems down, staff must physically check what is available in store stockrooms and are unable to tell customers if items they want are available in nearby stores.
Staff say on online forums that they were forced to fill several bins with food waste last week as donations to charity were briefly disrupted. The IT problems had caused difficulties in making price reductions to clear food that is not selling. “The amount of waste is immense,” one staff member posted. It is understood food donations have now restarted.
Emphasising the scale of the problems, one member of staff posted earlier this week that “it’s easier to list the things that work than the things that don’t”, as first reported by a trade journal.
M&S clothing and home sales online are worth about £3.8m (€4.5m) on an average day, underlining why the retailer was “working day and night” to fix the issues, according to Machin.
Fears about the potential impact on the business have now wiped almost £750m off the value of the retailer since the Easter bank holiday. The share price fell again on Friday.
Analysts at Deutsche Bank estimate the attack has already sliced £30m off M&S’s annual profits and will continue to hit the retailer by £15m a week. A big chunk of the initial £30m is likely to be covered by insurance, but that is time-limited, so that the longer the problems persist, the more costly they will be for the retailer.
Adam Cochrane, a retail analyst at DB, said there was no evidence of any customer data being hacked and “combined with a very robust consumer feeling towards M&S (including social media reports of consumers diverting their spend towards M&S as a show of solidarity), we see no long-lasting damage to the brand.” “M&S is firmly on the right track, in our view, and we see the shares bouncing back when the incident is resolved,” Cochrane said in a note.
Rival businesses are urgently reviewing their tech security systems amid fears that they could be next after hits on the Co-op and Harrods emerged in recent days.
Scattered Spider’s alleged involvement has not been confirmed and there is no public evidence that the trio of retail attacks was carried out by the same assailant.
Toby Lewis, head of threat analysis at cybersecurity firm Darktrace, said coincidence could not be ruled out. However, Scattered Spider had a record of gaining access to one supplier through its supply chain then reusing that technique and access to attack other retailers using the same supplier. He said:
According to the same report that attributed the attack to Scattered Spider, the attackers used malicious software called DragonForce – developed by a “cartel” with the same name – to cripple M&S systems under a ransomware-for-hire arrangement. The BBC reported on Friday that a group naming itself DragonForce had claimed responsibility for the three attacks and had obtained the personal data of Co-op members, although Scattered Spider members could ultimately be deploying the malware.
Normally, evidence of M&S data being stolen would then appear on DragonForce’s website, a service offered to hackers as part of the “ransomware as a service” arrangement. However, the site was not working as of Friday afternoon after a dispute with a rival ransomware group.
The attackers may not contact M&S directly but normally leave a ransomware note on the victim’s IT system. Hackers often prefer to conduct communications via Tox, an encrypted messaging service, according to the cybersecurity firm Secureworks.
Ransomware gangs are known to put examples of stolen data on a “leak site” in a bid to gain leverage over their victim, although in the case of the M&S attacker this could be difficult.
This is unlikely to stop the M&S attackers from attempting to open negotiations, according to Aiden Sinnott, a security researcher at Secureworks.
Sinnott said the situation was probably at the negotiation stage, where the hacker attempts to secure a “ransom” paid in cryptocurrency to reinstate encrypted files or return stolen data. Negotiations are often carried out by specialist professionals brought in for that purpose.
“It’s not always about negotiating a price,” said Sinnott. “The main aim can be buying time: allowing your incident response team to recover as much of the system as possible.”
For M&S, every day costs millions more pounds in lost sales.
- The Guardian