Cyber attack on M&S involved 'sophisticated impersonation', chairman says

The chairman of Marks & Spencer has told MPs the company is still in "rebuild mode" - and will be for "some time to come" - following a cyber attack which led to empty shelves and limited online operations for months.

Speaking publicly for the first time since the attack, Archie Norman declined to answer whether the business had paid a ransom.

"It's a business decision, it's a principal decision," he told members of the Business and Trade Committee (BTC).

"The question you have to ask is - and I think all businesses should ask - is, when they look at the demand, what are they getting for it?

"Because once your systems are compromised and you're going to have to rebuild anyway, maybe they've got exfiltrated data that you don't want to publish. Maybe there's something there, but in our case, substantially the damage had been done."

When asked again later, Mr Norman said: "We're not discussing any of the details of our interaction with the threat actor, including this subject, but that subject is fully shared with the NCA [National Crime Agency]."

He added: "We don't think it's in the public interest to go into that subject on it, because it is a matter of law enforcement."

The initial entry into M&S's systems took place on 17 April through "sophisticated impersonation" that involved a third party, Mr Norman said.

It was two days later, on Easter Saturday, before the company became aware of the attack, and approximately a week after the intrusion before the retailer heard directly from the attacker.

A day later, after learning of the attack, the authorities were notified, while customers were told on Tuesday 22 April, MPs heard.

As well as British authorities, the FBI was contacted, which is "more muscled up in this zone" and was "very supportive", Mr Norman said.

By the time the breach is clear, systems have already been compromised, the chairman said.

The group behind the attack may have been Scattered Spider, some of whom are believed to be English-speaking teenagers, but Mr Norman said M&S made an early decision that no one from the company would deal directly with the "threat actor".

"Anybody who's suffered an event like ours, it would be foolish to say there's not a thousand things you'd like to have done differently," he added.

'Make sure you can run business on pen and paper'

In a warning to other businesses, M&S's general counsel and company secretary Nick Folland said firms should be prepared to operate without IT systems.

"One of the things that we would say to others is make sure you can run your business on pen and paper," he said.

M&S has trebled the number of people working on cybersecurity to 80 and doubled its expenditure, the MPs heard.

"We curiously doubled our insurance cover last year," Mr Norman added.

Read more:
UK to miss deadline to agree steel and aluminium tariffs
'Disastrous' impact of Post Office scandal set out by inquiry

"Extensive" insurance cover means M&S expects to make an "unsurprisingly significant claim" and receive "substantial recovery", though the process of finding out how much will take about 18 months, the chairman said.

The £300m sum M&S said it expected to lose as a result of the cyber attack does not include money it expects to claim via insurance.

(c) Sky News 2025: Cyber attack on M&S involved 'sophisticated impersonation', chairman says