Food and beverage industry in shock following multiple cyber attacks

Food and beverage is reeling after two major supermarkets were hit by cyber attacks just days apart. Luxury retailer Harrods was also hit.

The attacks, believed to have been carried out by notorious hackers DragonForce, have disrupted supply chains leading to empty shelves in stores of both food and beverage retailers. Online and card payments were also frozen as cyber security experts fought to contain the attacks.

How did the attack happen?

The hackers were able to gain access to the retailers’ computer systems by impersonating employees and requesting password resets from the IT help desks, technology specialist site BleepingComputer has reported.

The UK’s National Cyber Security Centre, the government agency responsible for cyber security, has issued guidance to retailers, in the wake of the attacks. It’s urging all organisations to review their IT help desk ‘password reset processes’ to reduce the threat from hackers.

“We believe by following best practice, all companies and organisations can minimise the chances of falling victim to actors like this,” said NCSC’s National Resilience Director, Jonathon Ellison, and Chief Technology Officer, Ollie Whitehouse, in a joint statement.

Estimated cost

While the cost to the retailers is not yet know, and may never be fully understood, analysts at Deutsche Bank have estimated Marks and Spencer to have already lost around £30m (€35.3m) in profits and predicts further losses of around £15m per week until the issue is fully resolved.

Shares in M&S were down 4% on Tuesday 6 May, extending losses since it first disclosed the cyber incident on April 22 to 12%.

Loss of trust

In addition to the financial cost, Marks & Spencer and Co-op are facing a greater threat - the potential long-term loss of trust, as it’s revealed that hackers have stolen customer information from both stores.

Marks & Spencer statement:

“As we continue to manage the current cyber incident, we have written to customers to let them know that unfortunately the nature of the incident means some personal customer data has been taken. Importantly, there is no evidence that this data has been shared and it does not include useable card or payment details, or account passwords, so there is no need for customers to take any action.”

Co-op statement:

“As a result of ongoing forensic investigations, we now know that the hackers were able to access and extract data from one of our systems. The accessed data included information relating to a significant number of our current and past members.”

This lack of trust could lead to customers closing accounts and choosing to shop elsewhere.

Wake-up call

The food and beverage industry has come under increasing criticism for not properly arming itself against the threat of cyber attacks, with industry experts describing defences as ‘weak’.

This was brought into sharp relief by an employee at Marks & Spencer’s head office, who told Sky News that the organisation, “didn’t have any business continuity plan” for a cyber attack.

Will this latest development be the much-needed catalyst for change?