Why is the M&S cyber attack chaos taking so long to resolve?

It's now been more than a week of chaos for Marks and Spencer (M&S), one of the UK's biggest brands, following what - it is now obvious - is a significant cyber attack.

It has cost it millions of pounds in lost sales and a lower share price.

M&S has not said what or who knocked out its online ordering systems, paused deliveries and left empty shelves in stores.

The BBC has been told by security experts that a ransomware group called DragonForce was behind the attack.

But that still leaves lots of unanswered questions. Starting with, why is this taking so long to resolve?

Many non-cyber related technical glitches are relatively quick fixes. An outage caused by a faulty software or server update, or even user error, can often be resolved in a matter of hours.

But trying to find and stop malware sweeping through systems and causing havoc on the scale of those operated by a large nationwide retailer like M&S, is not a quick job says Professor Alan Woodward, a cybersecurity expert from Surrey University.

"Everything from knowing what has been sold, hence what needs replenishing, to taking card payments is very dependent on complex systems… it will take significant time and expertise to analyse and ensure they have expelled the hacker," he said.

Lisa Forte, partner at cyber security firm Red Goat, agrees.

"They are handling the disruption in a mature way but to expect any company to get anything back online in a week is never going to happen," she says.

"I don't know one organisation that could do it."

A lot is also riding on the nature of the threat. The longer a cyber incident goes on, the more likely it is to be ransomware, say multiple cybersecurity experts.

"I would suggest there is a high level of confidence this is a ransomware style event," says Dan Card, cyber expert at BCS, the chartered institute for IT.

"I describe these as like a digital bomb has gone off. So recovering from them is often both technically and logistically challenging… the victim organisation is likely going to be working around the clock to respond and recover."

Ransomware is a particularly nasty strain of virus, in which the owner of a computer or network of computers is locked out, their data scrambled, and the attackers demand a fee, usually in cryptocurrency, to restore it.

Official advice is not to pay. You are, after all, putting your trust in criminals to be true to their word.

But it is often impossible to restore compromised services without the hackers' key – meaning the only way around it is to either use back-ups or install new systems and start again.

M&S will not comment, and no attacker has yet gone public with any demands – although this doesn't always happen, it is often a way for cyber criminals to pile more pressure onto their victims.

DragonForce, the cyber criminal gang we were told on Tuesday was likely to be behind the attack, allow other hackers to use their malicious software for attacks providing they get a cut.

As to who those hackers might be: fingers are pointing at a rather fluid network of individuals called Scattered Spider (it also has other aliases).

It was behind the attack on the MGM Las Vegas hotels in 2023.

The website Bleeping Computer cites "multiple sources" suggesting they are responsible and says some of them are teenagers.

Rik Ferguson, special advisor to Europol's European Cyber Crime Centre, says the sources of speculation about the group's involvement seem credible but adds that he has seen no conclusive evidence so far.

I asked him whether M&S customers should be concerned about their personal information: the firm itself currently says no action is required.

"Only M&S are able to tell us whether customers should be worried about their personal data," he said.

"In the absence of certainty, it would certainly be advisable for M&S customers, particularly those who may have reused their M&S account credentials on other web services, to begin changing those passwords elsewhere."