
‘They wanted $4m’: Lessons for M&S from other cyber attacks



Graham Fraser

Technology Reporter


As Marks & Spencer – and its customers – continue to reel from a major cyber attack, other people who have gone through similar experiences have been sharing what it is like to be targeted by hackers.

“It was an absolute nightmare,” says Sir Dan Moynihan. He runs the Harris Federation, a group of 55 schools in the London and Essex area.

Sir Dan told the BBC how they were hacked four years ago by the Russian ransomware crime group REvil.

“Their purpose was to blackmail us into paying $4m (£3m) in cryptocurrency within ten days,” he said.

“If we didn’t pay in 10 days, they wanted eight million.”

The hack caused chaos. The finances of the school group were hit, with staff and bills left unpaid.

Sir Dan said the group lost teaching materials, lesson plans and registration systems.

More importantly, they also lost medical records and even the fire and phone systems were affected.


Sir Dan Moynihan said it took the Harris school group months to fix their systems after they were hacked

Delay and don’t pay

M&S has also been targeted with ransomware – malicious software which locks an owner out of their computer or network and scrambles their data.

The criminals then demand a fee to unlock it. Sir Dan says it was a demand he resisted.

Instead, the school group approached a firm of cyber specialists who employed a hostage negotiator. That individual then took on the role of an inexperienced school bursar – an administrator – who pretended to not know what was going on.

They took up negotiations with the hackers, with the purpose of delaying them for as long as possible so the school group could rebuild its systems.

Speaking to BBC Radio 4’s Today programme, he said: “The Russians had stolen data from us – they didn’t tell us what – and they threatened to put this stuff up on the dark web and cause us great embarrassment, and secondly they would lock down our systems.”

Sir Dan, who is the senior executive principal and chief executive of the Harris Federation, said it took the group three months to get everything working again, at the cost of £750,000. Among the work was the “cleaning” of 30,000 devices following the hack.

Was there ever a question of giving the criminals what they wanted? Never, said the school group boss.

“The money we have is for disadvantaged young people, and secondly had we paid we would have opened the door for other school groups to be attacked.”

‘Like going back in time’

It is not known whether similar scenes are playing out behind the scenes at M&S, as the company has only issued limited information in its official statements, and has not put anyone up for interview.

But people claiming to work for the retailer have given a sense of the chaos on social media.

On Reddit, users who identified themselves as M&S workers, something the BBC has not verified, described the impact of the cyber attack.

One wrote that most internal systems had been affected and that there had been experiments with “resuming operations manually with paper and pen”.

Another poster said head office staff were working weekends, and that the problems were “like going back in time”.

While some reported shortfalls in goods coming in, others described oversupply of some items, which meant food went to waste.

What is clear is other companies are watching what’s happening closely, even more so since another retailer, the Co-op, shut down some of its IT systems this week in response to a separate cyber attack.

“We’re patching like mad,” is what one retailer told the BBC.

In other words, they are making sure every part of their system has the most up-to-date software and protections.

Sir Charlie Mayfield, the former chairman of John Lewis, said other firms understood only too well how vulnerable they were.

“Online shopping has completely transformed retail – as technology becomes more pervasive, the risk of this kind of attack rises with it,” he told the BBC.

According to the cyber security breaches survey, conducted by the UK government, 74% of large businesses said they were targeted with cyber attacks last year.

The personal cost


Wedding dress designer Catherine Deane says that dealing with Meta was “almost traumatising”

The experience of being hacked can be a difficult one for individuals caught in the disruption.

Wedding dress designer Catherine Deane said it was “devastating” when her company’s Instagram account was hacked.

“It felt like the rug had been pulled from under us. Instagram is our primary social platform, and we’ve invested the most amount of time and business resources into it.

“To keep the account current we post content every day. Suddenly all this work… it was just pulled.”

She told the BBC last month of the difficulty of fixing the problem with Meta, the owner of Instagram, describing that experience as “almost traumatising”.

In June last year, staff at hospitals in London told of how they were left grappling with the aftermath of a cyber attack that led to many hours of extra work for their staff.

A critical incident was declared after the ransomware attack targeted the services provided by pathology firm Synnovis.

Services including blood transfusions were severely disrupted at Guy’s and St Thomas’ Hospital and King’s College Hospital (KCH).

Dr Anneliese Rigby, a consultant anaesthetist at KCH, told the BBC at the time: “So what the labs are having to do is receive the blood sample, manually process that, which is a long, time-consuming process requiring a lot of staff which we don’t have so we’re having to get extra people to help with that.”

It seems likely there will still be many difficult days ahead for M&S.

Additional reporting by Zoe Kleinman, Chris Vallance, Joe Tidy and Tom Gerken


