A lot is also riding on the nature of the threat. The longer a cyber incident goes on, the more likely it is to be ransomware, say multiple cybersecurity experts.
"I would suggest there is a high level of confidence this is a ransomware style event," says Dan Card, cyber expert at BCS, the chartered institute for IT.
"I describe these as like a digital bomb has gone off. So recovering from them is often both technically and logistically challenging… the victim organisation is likely going to be working around the clock to respond and recover."
Ransomware is a particularly nasty strain of virus, in which the owner of a computer or network of computers is locked out, their data scrambled, and the attackers demand a fee, usually in cryptocurrency, to restore it.
Official advice is not to pay. You are, after all, putting your trust in criminals to be true to their word.
But it is often impossible to restore compromised services without the hackers' key – meaning the only way around it is to either use back-ups or install new systems and start again.
M&S will not comment, and no attacker has yet gone public with any demands. That doesn't always happen, but when it does, it is often a way for cyber criminals to pile more pressure onto their victims.
As to who those hackers might be: fingers are pointing at a rather fluid network of individuals called Scattered Spider (it also has other aliases).
It was behind the attack on the MGM Las Vegas hotels in 2023.
The website Bleeping Computer cites "multiple sources" suggesting the group is responsible and says some of its members are teenagers.
Rik Ferguson, special advisor to Europol's European Cyber Crime Centre, says the sources of speculation about the group's involvement seem credible but adds that he has seen no conclusive evidence so far.
I asked him whether M&S customers should be concerned about their personal information: the firm itself currently says no action is required.
"Only M&S are able to tell us whether customers should be worried about their personal data," he said.
"In the absence of certainty, it would certainly be advisable for M&S customers, particularly those who may have reused their M&S account credentials on other web services, to begin changing those passwords elsewhere."