M&S’s chairman Archie Norman has declined to directly answer whether or not M&S paid cyberattackers a ransom, when asked the question by MPs.
Norman and Co-op group secretary and general counsel Dominic Kendal-Ward appeared before a sub-committee of the Business and Trade Select Committee today, in an inquiry into threats to the nation’s economic security and in the wake of high-profile attacks on the two retailers.
Asked whether M&S had paid a ransom, Norman said: “I think that’s a business decision and it’s a principle decision. The question you have to ask – and I think all businesses should ask – is, when they look at the demand, what are they getting for it?
“Because once your systems are compromised and you’re going to have to rebuild anyway – maybe they have exfiltrated data you don’t want to publish, maybe there’s something there – but in our case, substantially the damage had been done.”
Asked the question a second time, Norman said: “We’ve said that we are not discussing any of the details of our interaction with the threat actor, including that subject. But that subject is fully shared with the NCA [National Crime Agency] and the relevant authorities.
“There are a number of reasons for that. One is we don’t think it’s in the public interest to go into that subject, partly because it is a matter of law enforcement. And just to be quite clear, we think it’s a matter of live law enforcement and we want to give people the best possible chance of pursuing that action.
“Secondly, part of what the threat actor is looking for is publicity. We can’t avoid them getting publicity because they’re communicating directly through the BBC et cetera. We want to make sure we limit the amount of oxygen they have.”
Committee chair Liam Byrne had invited Norman to be “circumspect where you need to be circumspect” in view of the live investigation into the attack.
Co-op’s Kendal-Ward gave a more definitive answer to the same question. “We did not pay a ransom,” he said. “We did not contemplate or at any point discuss paying a ransom and in fact we didn’t engage at any point with the criminal attackers through the process.”
The two retailers were hit by cyberattacks within days of each other in late April, as was Harrods.
M&S is still rebuilding its systems, with online clothing sales expected to be fully restored by August. The retailer is expecting to take a £300m hit to profits this year as a result. It resumed online orders of some clothing ranges in June.
Co-op moved to a “recovery phase” in May, having suffered severe availability issues during the attack.
Norman and Kendal-Ward were appearing before the committee to help inform recommendations on the nation’s economic security.
Norman said it became evident attackers were in M&S’s systems in the “late afternoon” of 19 April, three days before the retailer publicised the incident.
He said the disruption that followed the attack “was like an out-of-body experience and I think it’s fair to say everybody at M&S experienced it”.
“For a week the cyber team had no sleep, three hours a night.”
On the attackers gaining initial entry, he said: “When this happens, you don’t know who the attacker is. They never send you a letter signed Scattered Spider. That doesn’t happen.
“And in fact we didn’t even hear from the threat actors for approximately a week after they penetrated our systems.”
He said the instigator of the attack was “believed to be Dragonforce, who are a ransomware operation, based we believe in Asia”, working through an intermediary, which got in using social engineering.
“We have 50,000 people, colleagues in the stores, contractors, working for us, some maybe outsourced in India, who are working on our systems. So the attack surface is enormous, and the attacker only has to be lucky once, with one of those 50,000.”
He said the social engineering took the form of a “sophisticated impersonation”.
“So part of the point of entry in our case also involved a third party.”
Norman said M&S would “still be in a form of rebuilding in months to come”, and that each week of not trading online had cost roughly £10m in lost profit.
“We are now up and running online but we are back to where we should be and our big automated centre in Castle Donington comes back online hopefully imminently.
“So it’s a long, slow process back. And some of the background systems which hopefully you won’t see, we will be working on in October or November to bring back or replace.
“Once you’ve had one cyberattack you’re more likely to have another, partly because you attract attention to this [hacking] community and people can see what happened,” he added. “So we want to make ourselves as resilient as possible for the future and that means the way you bring things back has to be highly protected.”