The Attack
As reported over the Easter break, the high-street brand confirmed that personal data belonging to its customers was stolen during the cyber-attack. The stolen data can clearly identify individuals, as it includes names, surnames, email addresses, home addresses, telephone numbers, dates of birth and even ‘masked’ card details. To date it appears that the data has not been shared or sold; however, there is no guarantee that this will remain the case.
The attack was reportedly carried out using a service on the dark web called ‘DragonForce’. The service involves taking a copy of the victim's data and scrambling the original, then demanding a ransom to unscramble it and to delete the attackers' copy. This incident underscores the critical importance of robust cybersecurity measures for businesses, as the stolen data includes information that can identify Marks and Spencer’s customers.
Lessons for Business Owners
As an increase in cyber-attacks targeting UK businesses has been observed over the past few weeks, business owners would do well to learn from this incident. The incident faced by Marks and Spencer serves as a stark reminder to business owners about the importance of prioritising cybersecurity.
Cyber-attacks can have far-reaching consequences, affecting not just the immediate financial stability of a business but also the long-term reputation of a brand. Three weeks after the attack, M&S operations are still disrupted, with its online order services still not fully functional. The losses reported are significant, running into millions in lost sales per week. Businesses that fail to invest in their cybersecurity capabilities can easily end up operating at limited capacity if hacked, and making significant losses in the aftermath.
For businesses, investing in robust cybersecurity measures should not be seen as an optional expense but as a critical component of their operational strategy. Businesses should regularly update their security protocols, conduct comprehensive risk assessments, and provide cybersecurity training for their employees. This proactive approach can help identify and mitigate vulnerabilities before they are exploited by cyber criminals.
Moreover, from a data protection perspective, businesses must have an effective incident response plan in place. This includes clear procedures for detecting data breaches, mitigating the effects of the attack, recovering stolen data, making the necessary reports to authorities and notifying customers. As observed in this case, reporting promptly to the relevant authorities and telling customers how to protect themselves can significantly reduce potential reputational damage. Marks and Spencer confirmed it reported the breach to the authorities and informed its customers of the situation, even recommending simple practices for customers to protect their accounts, such as changing their passwords and exercising caution if they receive suspicious emails.
How We Can Help
Our team of cybersecurity lawyers is equipped to provide comprehensive assistance in managing cyber incidents for businesses. Leveraging their expertise in cybersecurity and data protection, they ensure risks are mitigated and data is recovered promptly. Our lawyers can help run legal analysis to shed light on any current deficiencies which may prove costly in case of breaches.
Reach out to us to understand how we can help protect your business from cyber threats.