Cyber attack on M&S involved ‘sophisticated impersonation’ whilst deflecting from the real issue

The chairman of Marks & Spencer has told MPs the company is still in “rebuild mode” – and will be for “some time to come” – following a cyber attack which led to empty shelves and limited online operations for months.

Speaking publicly for the first time since the attack, Archie Norman declined to answer whether the business had paid a ransom.

“It’s a business decision, it’s a principal decision,” he told members of the Business and Trade Committee (BTC).

Is this a false flag for deeper problems at M&S?

“The question you have to ask is – and I think all businesses should ask – is, when they look at the demand, what are they getting for it?

“Because once your systems are compromised and you’re going to have to rebuild anyway, maybe they’ve got exfiltrated data that you don’t want to publish. Maybe there’s something there, but in our case, substantially the damage had been done.”

When asked again later, Mr Norman said: “We’re not discussing any of the details of our interaction with the threat actor, including this subject, but that subject is fully shared with the NCA [National Crime Agency].”

He added: “We don’t think it’s in the public interest to go into that subject on it, because it is a matter of law enforcement.”

The initial entry into M&S’s systems took place on 17 April through “sophisticated impersonation” that involved a third party, Mr Norman said.

It was two days later, on Easter Saturday, before the company became aware of the attack, and approximately a week after the intrusion before the retailer heard directly from the attacker.