The chairman of Marks & Spencer has told MPs the company is “still in the rebuild mode” following a cyber attack which led to empty shelves and limited online operations for months.
Speaking publicly for the first time since the attack, Archie Norman declined to answer whether the business had paid a ransom.
“It’s a business decision, it’s a principal decision,” he told members of the Business and Trade Committee (BTC).
“The question you have to ask is – and I think all businesses should ask – is, when they look at the demand, what are they getting for it?
“Because once your systems are compromised and you’re going to have to rebuild anyway, maybe they’ve got exfiltrated data that you don’t want to publish. Maybe there’s something there, but in our case, substantially the damage had been done.”
When asked again later in the BTC evidence session, Mr Norman said, “We’re not discussing any of the details of our interaction with the threat actor, including this subject, but that subject is fully shared with the NCA [National Crime Agency].”
What happened?
The initial entry into M&S’s systems took place on 17 April through “sophisticated impersonation” that involved a third party, Mr Norman said.
The company did not become aware of the attack until two days later, on Easter Saturday, and it was approximately a week after the intrusion before the retailer heard directly from the attacker.
The authorities were notified a day later, after the company learned of the attack, while customers were told on Tuesday, MPs heard.
As well as British authorities, the US FBI was contacted; it is “more muscled up in this zone” and was “very supportive”, Mr Norman said.
By the time the breach is clear, systems have already been compromised, the chairman said.
The group behind the attack may have been Scattered Spider, some of whom are believed to be English-speaking teenagers, but Mr Norman said M&S made an early decision that no one from the company would deal directly with the so-called “threat actor”.
“Anybody who’s suffered an event like ours, it would be foolish to say there’s not a thousand things you’d like to have done differently,” he added.
Advice for businesses
In a warning to other businesses, M&S’s general counsel and company secretary Nick Folland said firms should be prepared to operate without IT systems.
“One of the things that we would say to others is make sure you can run your business on pen and paper,” he said.
Awareness of, and planning for, cybersecurity threats meant M&S had trebled the number of people working on cybersecurity to 80 and doubled its expenditure.
“We curiously doubled our insurance cover last year”, Mr Norman added.