UK companies should have to disclose major cyberattacks, M&S says

Fashion Network, 4 hours ago
British businesses should be legally required to report material cyberattacks to the authorities, the chairman of retailer Marks & Spencer said on Tuesday, claiming two recent major attacks on large UK firms had gone unreported.
Giving evidence to lawmakers on parliament's Business and Trade Committee on the April cyberattack which forced M&S to suspend online shopping for nearly seven weeks, Archie Norman said the group had learnt that "quite a large number" of serious cyberattacks never get reported to the National Cyber Security Centre (NCSC).
"In fact we have reason to believe there've been two major cyberattacks on large British companies in the last four months which have gone unreported," he said.
Norman said that meant there was "a big deficit" in knowledge in the cybersecurity space.
"So I don't think it would be regulatory overkill to say if you have a material attack ... for companies of a certain size you are required within a time limit to report those to the NCSC."
Norman declined to say if M&S had paid any ransom but said that subject was "fully shared" with the National Crime Agency and other authorities.
He said "loosely aligned parties" worked together on the M&S cyberattack.
"We believe in this case there was the instigator of the attack and then, believed to be DragonForce, who were a ransomware operation based, we believe, in Asia."
A hacking collective known as Scattered Spider that deploys ransomware from DragonForce has previously been blamed in the media for the attack.
"When this happens you don't know who the attacker is, and in fact they never send you a letter signed Scattered Spider, that doesn't happen," said Norman.
He said M&S didn't hear from the threat actor for about a week after it initially penetrated its systems on April 17 through a "social engineering" operation.
In May, M&S said the attack would cost it about 300 million pounds ($409 million) in lost operating profit.
Norman said M&S was fortunate in having doubled its cyberattack insurance cover last year, though its claim could take 18 months to process.
M&S resumed taking online orders for clothing lines on June 10 after a 46-day suspension but is yet to restore click and collect services.
Last week, M&S CEO Stuart Machin told investors the group would be over the worst of the fallout from the attack by August.
Nick Folland, M&S' General Counsel, told the lawmakers a major lesson from the crisis for businesses generally was to make sure they can operate with pen and paper.
"That's what you need to be able to do for a period of time whilst all of your systems are down," he said.

Related Articles

John Lewis beats M&S in customer satisfaction ranking

Fashion Network, 9 hours ago

John Lewis has topped its retail fashion rival M&S in the long-running Customer Satisfaction Index ranking, bolstered by the return of its 'Never Knowingly Undersold' pledge. In the latest bi-annual survey (published in June and January) and based on around 60,000 responses, John Lewis scored 86.7 out of 100 while M&S scored 85.6. M&S's failure to take the summer top spot also comes after its website had been crippled by a cyber attack that began in April. It had been top in January after a run of 18 years on the leader board. The retailer was forced to take its website down for weeks with M&S admitting the attack would hit profits by around £300 million this year. Meanwhile, John Lewis has been making progress with turnaround efforts and has continued to expand its third-party fashion offer at pace. The company's contrasting fortunes come as John Lewis benefits from a turnaround strategy led by Jason Tarry, the former Tesco executive who was appointed last year as the partnership's chairman. Peter Ruis, who was also made executive director of John Lewis last year, is hailed for bringing back the 'Never Knowingly Undersold' price pledge last September. On Tuesday, Ruis told The Daily Telegraph that John Lewis was 'honoured' to top the UK Customer Satisfaction Index, adding: 'The customer service offered by our expert partners has been at the heart of our brand for 160 years. 'Our customers appreciate our investments in quality products, value and service with more people shopping with us and millions benefitting from our 'Never Knowingly Undersold' price promise.' Last week, M&S chief executive Stuart Machin said the company needed 'to just get back, get our product back online, get the stores in even better shape… I've been in stores every weekend, and we're okay, but we're not as good as we should be.'
