When will M&S take online orders again?

Original Article ↗ Hacker News Discussion ↗

E‑commerce as core competency vs something to outsource

  • Some argue pre‑internet retailers shouldn’t run their own tech stacks; they should focus on merchandising and customer experience, and outsource websites, logistics software, payroll, etc.
  • Others counter that for a retailer with large online revenue (M&S, Walmart‑scale), e‑commerce is core and should be built and deeply understood in‑house, provided it’s properly staffed and funded.
  • There’s recognition that “build it ourselves with 10 engineers” is often hubris: platforms like Shopify concentrate enormous engineering and SRE effort that most retailers cannot match.

Amazon, Shopify, and white‑label platforms

  • Past experiments with Amazon‑run storefronts (M&S, Borders, Target, Waterstones) are cited as cautionary: partnering with a direct competitor proved strategically bad.
  • Shopify is seen by some as the cleaner model (no direct retail conflict), but others question whether Shopify scales to multi‑billion‑pound, highly customized operations.
  • A common lament: executives underestimate the complexity of large‑scale e‑commerce (“it’s not a garage sale”).

Outsourcing to Tata and the India debate

  • Thread notes M&S’s major IT outsourcing to Tata Consultancy and speculates (not proven) that a third‑party helpdesk was the breach vector.
  • One side claims outsourcing to low‑cost providers inherently trades away quality and continuity; another calls this xenophobic and argues quality vs cost is about process and management, not nationality.
  • Counterexamples of both successful and failed Tata businesses are raised; overall impact on this incident remains unclear.

Why recovery can take months

  • Many are surprised a big retailer can’t stand up at least a minimal site in weeks (even via Shopify), but others describe:
    • Highly interconnected legacy systems (warehousing, inventory, accounting, logistics, payments, loyalty, banking products).
    • Need for full forensics and hardening; you can’t just redeploy untrusted code and data.
    • Possible ransomware scenarios where repos, backups, and failover copies are compromised.
    • Loss of institutional knowledge and chronic under‑investment in DR, automation, and tested backups.
  • Example given: British Library still not fully recovered a year after its own attack.

Leadership, incentives, and AI

  • Several comments blame executive short‑termism: aggressive IT cost‑cutting, heavy outsourcing, and weak attention to resilience until disaster hits.
  • Some contrast hype about “AI replacing developers/CEOs” with very basic organizational failures (backups, DR plans, staffing), arguing most AI talk is stock‑price theater rather than operational reality.

Broader context: UK tech capability

  • Some see this as part of a wider UK pattern: reliance on cheap consultancies, underpaying high‑end engineers, and rewarding financial “grift” over technical robustness.
  • Others note that parts of UK government digital services are exemplars of well‑run, accessible infrastructure, so national capacity clearly exists but is unevenly applied.