Why I won’t easily forgive M&S for its £300m cyber attack that put customer data at risk
Too often, customers are told their data has been compromised as a result of companies’ lax systems. We deserve better than to be patsies for criminals on the dark web, writes James Moore

Am I missing something with M&S? Hit by a devastating cyber-attack over the Easter weekend, the beloved retailer has endured fallout which can be seen all over its first half results.
You’ll probably have read that its profits have halved. That’s the company adjusted measure, which came in at £184.1m against £413.1m last time. What those adjusting items are is not well explained, but they do include £101.6m of “incident-related costs”. The statutory measure of profits, the one journalists used to quote as a matter of course, gives us pre-tax profits of just £3.4m. In other words, M&S saw its profits all but wiped out.
To be fair, sales held up remarkably well, at least as regards the M&S food business, which is given a lot of love and, crucially, runs on a different system than M&S’s other departments. It managed to record a gain of 7.8 per cent. The fashion, home and beauty part of the business wasn’t so cheerful, surrendering 16.4 per cent of last year’s sales number.
“We are now getting back on track,” Stuart Machin, the M&S CEO, declared in his statement. “It’s all to play for.”
Did that bit make you cringe a little? It did me. It made our Stew sound like a League One football manager praying for the playoffs after a rocky first half of the season.
“We are grateful to everyone who shops with us, and if you haven’t yet, please do,” he added.
Sorry, Stew, but no. I’m not renewing my supporter's pass, and I’m not planning to wave any of my payment cards in your direction. Not just yet. Have we forgotten what happened here? An update from the company after the cyberattack, which shuttered its online service and even left some brick-and-mortar shelves looking bare, warned that “some personal customer data has been taken”.
“The personal data could include contact details, date of birth and online order history,” we were told. Fortunately, this did not include “usable card or payment details” or any account passwords. But customers were nonetheless told that “you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious”.

My caution extends to treading very carefully when it comes to M&S until it has proved itself secure. There are some who would now accuse me of letting the hackers win, even of victim-blaming with this stance. Sorry, not sorry. It’s hard to see a big company like M&S as a victim. It’s a thumping big company that let the baddies in.
Despite this, it has so far banked £100m worth of insurance payments. You or I would probably be in a different situation if we succumbed to a phishing scam. Such scams are getting increasingly sophisticated and are quite capable of fooling even smart, switched-on people if they get caught at the wrong time.
We were told the hack was not caused by a lack of investment but was rather the result of “human error”. Really, I don’t much care. It doesn’t matter to me how sneaky the hackers were or how many third-party systems they used to do their dirty work. A business with the resources of M&S ought to have systems good enough not to allow a slip-up that puts customers' data into the hands of crooks while blowing a £300m hole in its bottom line.
This sort of thing happens too often. Far too often. If at least some of your data is not out on the dark web by now, you’ve probably never shopped online. I’ve lost count of the number of times my password manager has warned me of a data leak that included my details.
I’ve never been caught by a phishing scam. But I know people who have. They, too, are a depressingly common occurrence. Small wonder. The internet is a free-for-all, in which our data is bought and sold by shady characters.
The City has pretty much forgiven M&S. Its shares are trading close to five-year highs. Its results were greeted warmly in many places.
“MKS's H1 results show a business with a lingering tail of cyberattack disruption, beyond that envisaged at FY results in May, but more consistent with recent messaging. Nevertheless, we still see value here as the business continues to recover, given a very attractive multiple,” said the broker Jefferies. Beauty, I suppose, is in the eye of the beholder.
Colour me sceptical. When a firm gets burned so badly, blames human error, and tells us that everything’s all good now, I’m afraid I want to see a bit more evidence.
I’m sick to the back teeth of running the risk of getting cyber mugged every time I want to buy a pair of pants. Aren’t you?