UK companies should have to disclose major cyberattacks, M&S says
Giving evidence to lawmakers on parliament's Business and Trade Committee on the April cyberattack which forced M&S to suspend online shopping for nearly seven weeks, Archie Norman said the group had learnt that "quite a large number" of serious cyberattacks never get reported to the National Cyber Security Centre (NCSC).
"In fact we have reason to believe there've been two major cyberattacks on large British companies in the last four months which have gone unreported," he said.
Norman said that meant there was "a big deficit" in knowledge in the cybersecurity space.
"So I don't think it would be regulatory overkill to say if you have a material attack ... for companies of a certain size you are required within a time limit to report those to the NCSC."
Norman declined to say if M&S had paid any ransom but said that subject was "fully shared" with the National Crime Agency and other authorities.
He said "loosely aligned parties" worked together on the M&S cyberattack.
"We believe in this case there was the instigator of the attack and then, believed to be DragonForce, who were a ransomware operation based, we believe, in Asia."
A hacking collective known as Scattered Spider that deploys ransomware from DragonForce has previously been blamed in the media for the attack.
"When this happens you don't know who the attacker is, and in fact they never send you a letter signed Scattered Spider, that doesn't happen," said Norman.
He said M&S didn't hear from the threat actor for about a week after it initially penetrated its systems on April 17 through a "social engineering" operation.
In May, M&S said the attack would cost it about 300 million pounds ($409 million) in lost operating profit.
Norman said M&S was fortunate in having doubled its cyberattack insurance cover last year, though its claim could take 18 months to process.
M&S resumed taking online orders for clothing lines on June 10 after a 46-day suspension but is yet to restore click and collect services.
Last week, M&S CEO Stuart Machin told investors the group would be over the worst of the fallout from the attack by August.
Nick Folland, M&S' General Counsel, told the lawmakers a major lesson from the crisis for businesses generally was to make sure they can operate with pen and paper.
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
CNA
2 hours ago
- CNA
UK police arrest four in connection with M&S, Co-op and Harrods cyberattacks
LONDON :Four people have been arrested as part of a police investigation into cyberattacks that disrupted the operations of retailers Marks & Spencer, the Co-op and Harrods, Britain's National Crime Agency said. The cyberattack on M&S was the most serious, costing it about 300 million pounds ($409 million) in lost operating profit. The NCA said two males aged 19, another aged 17, and a 20-year-old female were apprehended in the West Midlands, central England, and London on Thursday on suspicion of Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group. The NCA said all four were arrested at their home addresses and had their electronic devices seized for digital forensic analysis.
Straits Times
2 hours ago
- Straits Times
Air India crash: Indian investigators told lawmakers black boxes undamaged, say sources
Sign up now: Get ST's newsletters delivered to your inbox Members of Indian Army's engineering arm prepare to remove the wreckage of an Air India aircraft, bound for London's Gatwick Airport, which crashed during take-off from an airport in Ahmedabad, India on June 14, 2025. NEW DELHI - Indian investigators of the deadly Air India airliner crash that killed 260 in June told a meeting of lawmakers that the plane's black boxes were not damaged, two people familiar with the discussions said. The revelation about the devices critical to reconstructing the events leading up to an air crash, comes after Indian media said they were damaged when the London-bound Boeing Dreamliner crashed on June 12, to erupt in a massive fireball. The Aircraft Accident Investigation Bureau has also been able to extract "good data" from the black boxes, its officials told lawmakers on July 9 during a parliamentary panel meeting on aviation, added one of the sources. Both sources declined to be identified as the discussions are private. The AAIB and India's aviation ministry did not respond to Reuters queries. The plane's cockpit voice recorder (CVR) and flight data recorder (FDR), as the black boxes are formally known, were recovered in the days after the crash, one from a rooftop at the site on June 13, and the other from debris on June 16. The preliminary report from investigation into the crash is likely to be made public by July 11, Reuters has previously reported. The crash investigation had narrowed its focus to the movement of the plane's fuel control switches, and also focused, at least partly, on engine thrust issues, Reuters reported last month. Air India has faced intense scrutiny since the crash. Its chief executive, Campbell Wilson, appeared before the committee and the airline gave updates on its efforts after the crash, one of the sources said. The EU Aviation Safety Agency has said it plans to investigate the company's budget airline, Air India Express, after Reuters reported it did not follow a directive to change engine parts of an Airbus A320 in a timely manner and falsified records to show compliance. India's aviation watchdog has also warned Air India for breaching rules for flying three Airbus planes with overdue checks on escape slides. REUTERS
Straits Times
2 hours ago
- Straits Times
Indian investigators told lawmakers black boxes undamaged in Air India crash, sources say
Sign up now: Get ST's newsletters delivered to your inbox FILE PHOTO: Members of Indian Army's engineering arm prepare to remove the wreckage of an Air India aircraft, bound for London's Gatwick Airport, which crashed during take-off from an airport in Ahmedabad, India June 14, 2025. REUTERS/Amit Dave/File Photo NEW DELHI - Indian investigators of the deadly Air India airliner crash that killed 260 last month told a meeting of lawmakers that the plane's black boxes were not damaged, two people familiar with the discussions said. The revelation about the devices critical to reconstructing the events leading up to an air crash, comes after Indian media said they were damaged when the London-bound Boeing Dreamliner crashed on June 12, to erupt in a massive fireball. The Aircraft Accident Investigation Bureau has also been able to extract "good data" from the black boxes, its officials told lawmakers on Wednesday during a parliamentary panel meeting on aviation, added one of the sources. Both sources declined to be identified as the discussions are private. The AAIB and India's aviation ministry did not respond to Reuters queries. The plane's cockpit voice recorder (CVR) and flight data recorder (FDR), as the black boxes are formally known, were recovered in the days after the crash, one from a rooftop at the site on June 13, and the other from debris on June 16. The preliminary report from investigation into the crash is likely to be made public by Friday, Reuters has previously reported. The crash investigation had narrowed its focus to the movement of the plane's fuel control switches, and also focused, at least partly, on engine thrust issues, Reuters reported last month. Air India has faced intense scrutiny since the crash. Its chief executive, Campbell Wilson, appeared before the committee and the airline gave updates on its efforts after the crash, one of the sources said. The EU Aviation Safety Agency has said it plans to investigate the company's budget airline, Air India Express, after Reuters reported it did not follow a directive to change engine parts of an Airbus A320 in a timely manner and falsified records to show compliance. India's aviation watchdog has also warned Air India for breaching rules for flying three Airbus planes with overdue checks on escape slides. REUTERS
