M&S Chair Details Ransomware Attack, Declines to Confirm if Payment Was Made

During a recent hearing at the UK Parliament on July 8, Marks & Spencer (M&S) chairman Archie Norman revealed that the retailer's systems were attacked in April by ransomware operators using DragonForce infrastructure. The attack, which has been linked to the Scattered Spider hacking collective, left M&S with significant damages and disruptions to its operations.

Norman described the experience as "like nothing I've ever experienced in my years working in business and retail." He acknowledged that dealing with a ransomware attack is an unprecedented challenge, particularly when it stems from a sophisticated social engineering attack involving a third party. The attack occurred through compromised credentials from Tata Consultancy Services (TCS), a major IT outsourcing firm.

The M&S chairman confirmed that the attackers gained access to the retailer's networks through a "sophisticated" social engineering attack, which was carried out by the Scattered Spider hacking collective using DragonForce ransomware infrastructure. Norman noted that this tied into reports that Scattered Spider leveraged compromised credentials from TCS to infiltrate M&S.

In oral evidence at the Business and Trade Sub-Committee on Economic Security, Arms and Export Controls hearing, Norman declined to confirm whether a payment was made to the threat actors. He stated that making such a payment is a "business decision" and emphasized that retailers must carefully evaluate the costs and benefits of paying ransom demands.

"The question you have to ask is when you get a demand, what are you getting for it? Because once your systems are compromised you have to rebuild anyway. Maybe they've exfiltrated data you don't want published, but in our case, substantially the damage had been done," Norman said.

Attack Timeline and Communication

Norman revealed that M&S was not contacted by the threat actor until around a week after initial access was achieved on April 17. A decision was made by the retailer to not directly communicate with the attackers, instead relying on professional intermediaries to do so.

"It was sometimes an unusual experience to be brushing your teeth in the morning when somebody comes onto the BBC with a communication from the people allegedly attacking our business," Norman explained.

Impact and Response

The attack had significant impacts on M&S, including heavy disruption to areas such as online shopping. To prevent further lateral movement, large swathes of M&S systems were shut down, which has put a strain on the retailer's ability to bring them back up securely.

"Part of the reason the attack has been so business impairing for us is that we closed down the systems as part of the defense," Norman admitted. "We have a very wide attack surface – we have 50,000 people, colleagues in the stores, contractors working for us, some outsourced in India, who are working on our systems."

M&S' Response and Recommendations

Norman expressed support for mandatory reporting for "material" cybersecurity incidents. He noted that he is aware of a large number of serious attacks that do not get reported in the UK.

"In fact, we have reason to believe that two major cyber-attacks on two large British companies in the last four months have gone unreported," said Norman. "We think that's a big deficit in our knowledge."