Cliff Notes – Cyber attack on M&S latest
- Marks & Spencer’s chairman, Archie Norman, stated the company remains in “rebuild mode” following a cyber attack that caused empty shelves and disrupted online operations for months.
- Norman declined to disclose whether a ransom was paid, citing business confidentiality and law enforcement discussions with the National Crime Agency.
- M&S has increased its cybersecurity workforce and spending, anticipating a significant insurance claim linked to the £300m loss expected from the cyber incident.
Cyber attack on M&S involved ‘sophisticated impersonation’, chairman says
The chairman of Marks & Spencer has told MPs the company is still in “rebuild mode” – and will be for “some time to come” – following a cyber attack which led to empty shelves and limited online operations for months.
Speaking publicly for the first time since the attack, Archie Norman declined to answer whether the business had paid a ransom.
“It’s a business decision, it’s a principal decision,” he told members of the Business and Trade Committee (BTC).
Is this a false flag for deeper problems at M&S?
“The question you have to ask is – and I think all businesses should ask – is, when they look at the demand, what are they getting for it?
“Because once your systems are compromised and you’re going to have to rebuild anyway, maybe they’ve got exfiltrated data that you don’t want to publish. Maybe there’s something there, but in our case, substantially the damage had been done.”
When asked again later, Mr Norman said: “We’re not discussing any of the details of our interaction with the threat actor, including this subject, but that subject is fully shared with the NCA [National Crime Agency].”
He added: “We don’t think it’s in the public interest to go into that subject on it, because it is a matter of law enforcement.”
The initial entry into M&S’s systems took place on 17 April through “sophisticated impersonation” that involved a third party, Mr Norman said.
The company did not become aware of the attack until two days later, on Easter Saturday, and it was approximately a week after the intrusion before the retailer heard directly from the attacker.