
M&S Chairman Silent on Ransom Payment Details

Summary

– M&S chairman Archie Norman confirmed the April cyberattack was ransomware-related but did not disclose if a ransom was paid, calling it a “business decision.”
– The attack, linked to the Scattered Spider group using DragonForce ransomware, was described as unprecedented and aimed at disrupting M&S’s business operations.
– M&S avoided direct communication with the attackers, relying on intermediaries, and noted demands were often relayed through media like the BBC.
– The breach occurred via a sophisticated social engineering attack involving a third party, likely using compromised credentials from Tata Consultancy Services (TCS).
– Norman advocated for mandatory reporting of major cyber incidents, revealing that many serious attacks in the UK go unreported.

Marks & Spencer’s chairman has confirmed a ransomware attack targeted the retailer’s systems earlier this year, though he remained tight-lipped about whether the company paid hackers to resolve the incident. Archie Norman shared these details during a UK parliamentary hearing, describing the cyberattack as an unprecedented challenge during his long career in retail.

The breach, attributed to the Scattered Spider hacking group using DragonForce ransomware, disrupted operations significantly. Norman emphasized the unusual nature of the attack, stating that criminals attempted to halt customer transactions, an aggressive move aimed at destabilizing the business. While he acknowledged the involvement of DragonForce and loosely affiliated actors, he sidestepped questions about whether M&S complied with ransom demands, calling it a complex business decision.

Communication with the hackers was indirect, handled through professional intermediaries rather than direct engagement. Norman revealed that demands often surfaced unexpectedly, sometimes through media outlets like the BBC. The attackers gained access via a sophisticated social engineering scheme, exploiting third-party vulnerabilities. Reports suggest compromised credentials from Tata Consultancy Services (TCS) played a role in the breach.

M&S faced additional challenges due to its legacy IT systems, making network segmentation difficult. To contain the attack, the retailer had to shut down large portions of its infrastructure, severely impacting online services. Recovery efforts remain ongoing.

In contrast, the Co-op, which experienced a similar attack shortly after M&S, managed to limit damage through strong system segmentation. Their digital chief confirmed that while member data was accessed, the breach was contained to names, addresses, and birthdates. Both companies later collaborated with the National Cyber Security Centre (NCSC) to share intelligence.

Norman also raised concerns about underreported cyber incidents, advocating for mandatory disclosure of major breaches. He hinted at two significant but undisclosed attacks on UK firms in recent months, stressing the need for greater transparency in cybersecurity threats.

The hearing underscored the growing sophistication of ransomware groups and the critical need for businesses to strengthen defenses, particularly when relying on third-party vendors. As cybercriminals refine their tactics, companies must balance rapid response with strategic decision-making, especially when faced with ransom demands.

(Source: InfoSecurity Magazine)
