Marks & Spencer Believes DragonForce Behind Ransomware Attack, Says Chairman

UK companies should have to disclose major cyberattacks, says Archie Norman, chairman of Marks & Spencer. In a recent testimony to lawmakers on parliament's Business and Trade Committee, Norman revealed that his company was targeted by a ransomware attack in April, which forced the retailer to suspend online shopping for nearly seven weeks.

Norman claimed that "quite a large number" of serious cyberattacks never get reported to the National Cyber Security Centre (NCSC). He further stated that there were two major cyberattacks on large British companies in the last four months that went unreported, highlighting a significant deficit in knowledge in the cybersecurity space.

Regulatory Requirements for Cyberattacks

Norman proposed a regulatory requirement for UK companies to report material cyberattacks to the authorities within a set time limit. He argued that this would help address the lack of transparency and knowledge about cyberattacks, allowing businesses to better prepare for and respond to such incidents.

"So I don't think it would be regulatory overkill to say if you have a material attack ... for companies of a certain size you are required within a time limit to report those to the NCSC," Norman said. He emphasized that this measure would help improve cybersecurity practices among businesses and reduce the risk of future attacks.

The M&S Ransomware Attack

Marks & Spencer was targeted by a ransomware attack on April 17, which compromised its systems through a "social engineering" operation. The company did not receive notification from the threat actor until about a week after the initial breach.

Norman revealed that M&S had reason to believe that DragonForce, a ransomware operation based in Asia, was involved in the attack. He also mentioned that Scattered Spider, a hacking collective known for deploying ransomware from DragonForce, had previously been blamed for similar attacks.

Cost of the Attack

The M&S ransomware attack is estimated to have cost the company around £300 million ($409 million) in lost operating profit. Norman praised his company's cyberattack insurance coverage, which doubled last year and helped mitigate some of the financial impact.

Lessons Learned from the Crisis

Nick Folland, M&S' General Counsel, shared a key lesson learned from the crisis: the importance of having a backup plan, such as operating with pen and paper. He emphasized that this would allow businesses to continue functioning even when their digital systems are down.

Restoration of Services

Marks & Spencer resumed taking online orders for clothing lines on June 10 after a 46-day suspension. However, the company is still working to restore its click-and-collect services.

Predictions for Recovery

The M&S CEO, Stuart Machin, predicted that the worst of the fallout from the attack would be over by August. While this marks an optimistic outlook, it remains to be seen how long it will take for the company to fully recover from the cyberattack.