Marks & Spencer store front

Source: Marks & Spencer

M&S’s chairman Archie Norman has declined to directly answer whether or not the retailer paid cyberattackers a ransom, when asked the question by MPs.

Norman and Co-op group secretary and general counsel Dominic Kendal-Ward appeared before a sub-committee of the Business and Trade Select Committee on Tuesday, in an inquiry into threats to the nation’s economic security and in the wake of high-profile attacks on the two retailers.

Asked whether M&S had paid a ransom, Norman said: “I think that’s a business decision and it’s a principle decision. The question you have to ask – and I think all businesses should ask – is, when they look at the demand, what are they getting for it?

“Because once your systems are compromised and you’re going to have to rebuild anyway – maybe they have exfiltrated data you don’t want to publish, maybe there’s something there – but in our case, substantially the damage had been done.”

Asked the question a second time, Norman said: “We’ve said that we are not discussing any of the details of our interaction with the threat actor, including that subject. But that subject is fully shared with the NCA [National Crime Agency] and the relevant authorities.

“There are a number of reasons for that. One is we don’t think it’s in the public interest to go into that subject, partly because it is a matter of law enforcement. And just to be quite clear, we think it’s a matter of live law enforcement and we want to give people the best possible chance of pursuing that action.

“Secondly, part of what the threat actor is looking for is publicity. We can’t avoid them getting publicity because they’re communicating directly through the BBC et cetera. We want to make sure we limit the amount of oxygen they have.”

Committee chair Liam Byrne had invited Norman to be “circumspect where you need to be circumspect” in view of the live investigation into the attack.  

Co-op’s Kendal-Ward gave a more definitive answer to the same question. “We did not pay a ransom,” he said. “We did not contemplate or at any point discuss paying a ransom and in fact we didn’t engage at any point with the criminal attackers through the process.”

M&S admits it ‘could have done more’

Norman also acknowledged M&S could have done more to protect itself from cyberattack, though he argued the same was true of any business. 

“[For] any business that’s suffered a cyberattack to turn around and say ‘We put sufficient emphasis on cyber risk’ would be a hard claim to make,” he said.

“Do we wish we’d spent more, done more? Of course we do. Would it have prevented the attack? Not necessarily, but that’s not a reason for not doing it.

“So I don’t want to sit here and say we did everything possible because I don’t believe that’s the case. I don’t think that’s the case for any business.

“Did we accelerate the level of intensity of attention, the focus on it, the resources allocated to it? Absolutely.”

He said M&S had trebled the number of people working on cybersecurity at the retailer over the last three years and doubled expenditure. 

M&S and Co-op were hit by cyberattacks within days of each other in late April, as was Harrods.

M&S is still rebuilding its systems, with online clothing sales expected to be fully restored by August. The retailer is expecting to take a £300m hit to profits this year as a result. It resumed online orders of some clothing ranges in June.

Co-op moved to a “recovery phase” in May, having suffered severe availability issues during the attack. 

Norman and Kendal-Ward were appearing before the committee to help inform recommendations on the nation’s economic security.  

Norman said media reports that M&S’s legacy systems had left the “back door open” to cyberattackers were “all horlicks”.

“We have 50,000 people, colleagues in the stores, contractors, working for us, some maybe outsourced in India, who are working on our systems. So the attack surface is enormous, and the attacker only has to be lucky once, with one of those 50,000,” he said. 

He said the instigator of the attack was “believed to be Dragonforce, who are a ransomware operation, based we believe in Asia”, working through an intermediary, which got in using social engineering.

He said the social engineering took the form of “sophisticated impersonation”, adding: “Part of the point of entry in our case also involved a third party.”

Norman said it became evident attackers were in M&S’s systems in the “late afternoon” of 19 April, three days before the retailer publicised the attack.

He said the disruption that followed the attack “was like an out-of-body experience and I think it’s fair to say everybody at M&S experienced it”. 

“For a week the cyber team had no sleep, three hours a night.”

On the attackers gaining initial entry, he said: “When this happens, you don’t know who the attacker is. They never send you a letter signed Scattered Spider. That doesn’t happen.

“And in fact we didn’t even hear from the threat actors for approximately a week after they penetrated our systems.”

Norman said M&S would “still be in a form of rebuilding in months to come”, and that each week of not trading online had cost roughly £10m in lost profit. 

“We are now up and running online but we are back to where we should be and our big automated centre in Castle Donington comes back online hopefully imminently.

“So it’s a long, slow process back. And some of the background systems which hopefully you won’t see, we will be working on in October or November to bring back or replace.

“Once you’ve had one cyberattack you’re more likely to have another, partly because you attract attention to this [hacking] community and people can see what happened,” he added. “So we want to make ourselves as resilient as possible for the future and that means the way you bring things back has to be highly protected.”

Kendal-Ward told the committee criminals launched a “sophisticated cyberattack on Co-op group in April” using “a variety of methods to access systems and data”.

“Within hours we had detected those, we had set up our continuity processes, and in doing so managed to prevent deployment of ransomware and any serious damage to either our systems or members,” he said.

He added: “We know that member information limited to names and addresses and contact details and date of birth were copied by cyberattackers when they were in our systems for such a short period of time. It’s important that we say for that we are very sorry to our members and we feel their concerns deeply.”