With M&S having spent six weeks in the news following a crippling cyberattack, many were surprised to see M&S boss Stuart Machin’s pay package increase to £7.1 million for the year. The package, up by more than £2 million on the previous year, comes as some estimates suggest that the cyberattack will cost the company more than £300 million in lost profits.
Putting aside the moral question of whether anyone is worth £7.1 million — how many packs of Percy Pigs can one man buy, especially when he can get them at a staff discount — the immediate question is exactly how a pay packet of that size is justified for the boss of a company still reeling from an attack.
What does the pay actually cover?
The superficial answer is that Machin has been the beneficiary of good timing. His pay award was based on company performance in a year when its systems were functioning as intended.
In fact, by far the largest element of the package, £4.5 million, is a share award reflecting the company’s growth over the year. A further £1.6 million was his bonus, with the remainder made up of his basic salary and pension contributions.
It is difficult to argue that M&S has not improved since he joined as managing director of its food division in 2018. Before then it was a quintessentially British retailer whose clothing was considered unfashionable and whose position as a quality food retailer was threatened by the low prices and premium lines of the major supermarkets. More recently it has begun transforming its stores and has started a partnership with Ocado that immediately made it a major player in grocery delivery.
As such, there is a case that Machin deserves a pay rise and a pat on the back, even if next year’s performance review might not be quite as positive.
Brushing the cyberattack under the carpet?
However, there are signs that M&S does not consider the cyberattack relevant to the pay issue at all. The BBC reported that the company’s remuneration committee had considered the cyberattack but decided that ‘no adjustments were needed’.
In the annual report, the company’s chairman suggested that the attack would be seen as a ‘bump in the road’. Given that the attack is likely to disrupt operations for more than three months, saw customer data stolen and will cost the company millions, it feels like a pretty big bump.
Additionally, as more details have come to light, there also seems to have been some finger pointing. Although no official comment has been made, Tata Consultancy Services (TCS), which provides IT services for M&S and other retailers, has been reported to be investigating the breach. The latest update, again unconfirmed by M&S, is that the ransom demand was sent from an internal M&S email address allocated to a TCS employee. DragonForce and Scattered Spider are understood to be behind the breach, and their known method of gaining initial access through social engineering, typically of help-desk or IT support staff, would make an outsourced IT provider a plausible attack vector. Even if that proves correct, being the route in is not the same as being at fault: a third party’s credentials are only as dangerous as the access M&S granted them.
What next?
M&S shoppers will be pleased that, as things currently stand, the cyberattack will not prove fatal for the retailer. However, it may cause concern for other retailers that might not survive an attack of that scale, especially if those behind it are emboldened by its success.
Existing and past customers may also be concerned about their data. Although M&S has said there is no evidence that the stolen data has been shared, that statement carries an implied ‘yet’. For those who have shared payment details, or even re-used passwords, with M&S, there is no security in relying on the continued goodwill of criminals. The practical response is to change any password that was also used for an M&S account, and to treat unexpected emails, texts or calls that quote M&S order or account details with suspicion, since stolen contact data is most often used for phishing.
And Machin himself may be pondering what he should do. While there is no suggestion that he is directly responsible for the attack, there are questions to be asked about why M&S was so badly affected. The Co-op, which also uses TCS, was attacked at the same time but responded rapidly, identifying and containing the attack, so that disruption was minimised and recovery was quick. Since the danger of cybercrime is hardly novel, questions about who bears ultimate responsibility for the failure to contain the M&S attack are not unreasonable.
Indeed, Machin himself has form for taking that sort of responsibility, resigning from an Australian food chain because of accounting irregularities, of which he was unaware, that ‘happened on my watch.’ But whether he goes, takes a pay-cut, or decides that he’s being paid to clean up the mess, the M&S attack is certain to be a case-study in cybersecurity for a long time to come.