Marks & Spencer's Cyber Attack: The Traumatic Experience of Being Hacked

Marks & Spencer's chairman, Archie Norman, has revealed that the company's recent cyber attack was believed to be instigated by hacking group Scattered Spider and a ransomware operation called DragonForce. The attack, which began in late April, left M&S unable to take online orders for over six weeks.

The traumatic experience of being hacked had a profound impact on Norman and the entire M&S team. He said it was "not an overstatement to describe it as traumatic" and added that the ordeal was "like an out-of-body experience". Norman, who has extensive experience working in the corporate world, said he had not experienced anything quite like this before.

"It's fair to say that everybody at M&S experienced it, like our ordinary shop colleagues working in ways they hadn't worked for 30 years, working extra hours just to try and keep the show on the road," Norman said. "For a week probably the cyber team had no sleep, or three hours a night."

Talking about the nature of the attack, Norman said that the hackers "never send you a letter signed Scattered Spider, that doesn't happen". He also mentioned that the attackers were working through intermediaries and that there was an instigator, believed to be DragonForce, a ransomware operation based in Asia.

"So you've got loosely aligned parties working together," Norman explained. "We took an early decision that nobody at M&S would deal with the threat actor directly – we felt the right thing was to leave this to the professionals who have experience in the matter."

The chairman also revealed that the so-called "threat actors" chose to communicate with the media and were in contact with the BBC following the hack. However, Norman stressed that he would not talk about the nature of the discussions that had taken place with the hackers.

The Cost of the Attack: A £300 Million Hit

M&S estimates that the attack will cost around £300 million in lost profits, but expects to recover up to half through cost management, insurance, and other measures.

"It's a significant hit," Norman said. "But we're still in the rebuild mode and will be for some time to come."

A Lesson Learned: Should Businesses Pay Ransom?

When asked whether businesses have to pay the ransomware demand following an attack, Norman said: "No I don’t think you do. That’s a business decision… the question businesses have to ask is when they look at the demand, what are they getting from it?"

"Because once your systems are compromised and you’re going to have to rebuild it anyway, maybe they’ve exfiltrated data that you don’t want to publish, maybe there’s something there," Norman explained.

A Cautionary Tale: The Importance of Cyber Security

The recent cyber attack on M&S serves as a cautionary tale about the importance of cyber security. As Norman highlighted, no business is immune to these types of attacks, and it's essential for companies to have robust security measures in place.

The attack highlights the need for businesses to prioritize cyber security and take proactive measures to protect themselves from these types of threats.