Archie Norman, the chair of Marks & Spencer, has told MPs that UK businesses should be legally required to report major cyber-attacks, claiming two hacks involving “large British companies” had gone unreported in recent months. Giving evidence to the business and trade subcommittee on economic security, arms and export controls, Norman said M&S was still in “rebuild mode” after a ransomware attack forced it to close its online store for almost seven weeks.
Norman described the attack, which began on 17 April and was detected two days later, as “traumatic” and “like an out of body experience”. He confirmed that ransomware specialists DragonForce were involved, with the attack also linked to the hacking collective Scattered Spider. The retailer’s key online clothing distribution centre in Castle Donington, Leicestershire, remains offline.
Norman suggested mandatory reporting to the National Cyber Security Centre (NCSC) was “a very interesting idea”, noting that “it is apparent to us quite a large number of serious cyber-attacks never get reported”. He declined to comment on whether M&S had paid a ransom, saying it was “a matter of law enforcement”, but added that any business paying a ransom should consider what they would get in return.
M&S general counsel Nick Folland advised other businesses to “make sure you can run your business on pen and paper because that is what you need to do” when a serious attack hits. However, Rob Elsey, chief digital information officer for the Co-op Group, disagreed, saying the concept of relying on paper was “unsustainable”. The Co-op, which was hit by a separate hack days after M&S, is looking at setting up segregated “alternative provided systems” to keep operating digitally after future attacks.