Spar store delivery truck lorry

Symbol groups have been told to “wake up” to flaws in their online security, as independent Spar stores reported losses totalling hundreds of thousands of pounds following a cyberattack.

More than a week after Spar wholesaler James Hall & Co was first hit by a ‘ransomware’ cyber attack on 5 December, stores supplied by the firm reported stock ordering and sales systems were still offline.

betterRetailing understands many of the 300 stores affected remained closed, unable to take card payments or are operating on restricted trading hours as of 14 December.

One affected Spar retailer told betterRetailing: “It’s a total disaster. I’m not sure I’ll be fully functional for Christmas.

“I’ve lost tens of thousands of pounds-worth of sales and James Hall have been poor at communicating. I can’t make any fresh orders and my tills are still offline.”

Spar signs sponsorship deal supporting Burnley FC’s charity work

Another Spar retailer added automatic stock forecasting over the key Christmas period would now be unreliable, creating waste and availability challenges for retailers.

A James Hall spokesperson said it is “now able to start bringing affected stores back online” as an absolute priority, but did not confirm whether independent stores would be compensated for losses.

Experts warned that underinvestment and a lack of cyber security knowledge within the convenience industry meant similar attacks on other symbol groups and wholesalers were likely.

Cyber security expert Jason Finch has worked with a number of leading wholesalers. He told betterRetailing: “Cyberattacks are bad news for the retailers, but the entire sector is a sitting duck. This will continue to happen until the sector wakes up – not just the retailers and their distributors, but the tech companies supplying them.

“Microsoft does not support the older operating systems used on many EPoS, so it’s impossible for these older systems to be patched at all.”

One senior wholesale expert added symbol groups and wholesalers refuse to improve their online security as they view it as an “unnecessary expense”.

Of 10 independent convenience retailers spoken to by betterRetailing last week, 60% believed their hardware provided by symbol groups and EPoS companies was not receiving the necessary security updates.

EXCLUSIVE: Spar Scotland warns of price hikes in ‘tricky’ 2022

One retailer said: “My EPoS is running on Windows 7, which Microsoft stopped supporting in 2020. I’ve had no updates provided for it at all in the past four years.”

Advising on how stores can protect themselves, one store owner added: “Get a hard drive and back everything up from your tills. You can get software which does this every hour for you and the whole setup costs an average of £100 per store.”

Responding to the incidents at Spar, Nisa warned its partnered stores to regularly install security updates for their EPoS and computer systems, be wary of suspicious emails – especially those with links, attachments or macros within attachments, to back up important files on offline drives and to use cloudbased services that allow users to revert to previous file versions.