Hackers tried to ‘destroy’ Marks & Spencer, chair tells MPs

Marks & Spencer’s chair has said the hackers behind April’s cyber attack were “trying to destroy” the business.

The retailer halted online orders and customers were faced with empty shelves in shops following the attack, which M&S has said will continue to affect customers until the end of this month.

M&S chair Archie Norman told MPs at a Business Select Committee the company believed hacker group DragonForce was responsible.

He said the group’s motives were “not entirely clear but [were] partly, undoubtedly, ransom or extortion”.

“It’s very rare to have a criminal actor from another – or in this country, we’re never quite sure – seeking to stop customers shopping at M&S, essentially trying to destroy your business for purposes which are not entirely clear but are partly, undoubtedly, ransom or extortion,” he said.

“It’s like an out of body experience.”

Mr Norman described the experience as “traumatic” and said “for a week probably, the cyber team had no sleep – three hours a night”.

He added that though customers will see the business running as normal by the end of July “background systems – that hopefully customers don’t see – we will still be working on October or November.”

M&S has predicted the attack will hit this year’s profits by around £300m, though Mr Norman said the firm hoped to recover some this cost from insurance payouts.

Asked about regulation, Mr Norman said he felt large companies should be required to report “material” cyber attacks.

“We have reason to believe that there have been two major cyber attacks of large British companies in the last four months that have gone unreported,” he said, though he did not provide any evidence for this.

Mr Norman admitted that the retailer had “legacy systems” because of the retailer’s age. “We probably wish we didn’t,” he said.

He added that “with the benefit of hindsight” the company would have brought forward its planned technology investment to strengthen its cyber-security systems.

“Would it have prevented the attack? Not necessarily, but that’s not a reason for not doing it.”

However, he hit back at the suggestion M&S’s systems were vulnerable.

“Just to be clear, there have been media reports that M&S left the back door open… that’s all Horlicks,” he said adding that “the attacker only has to be lucky once”.

“Ultimately, can the attacker get in? They probably can if they try hard enough.”

Mr Norman also revealed the attacker gained access to the system through “sophisticated impersonation”.

He said the firm handled the attack a lot better than it would have done when he joined in 2017. Back then, he said the business was “broken” and struggling with debt.

“If this had happened then, I think we would have been kippered,” he said.

Mr Norman said the firm had practise drills to prepare for a cyber attack but “nothing survives the first whiff of gunshot”.

“The simulation… was nothing like what happened, the intensity of it,” he said.