Marks & Spencer remains in “rebuild mode” and will be for “some time yet” after a damaging cyberattack crippled operations and left store shelves empty, the retailer’s chairman has told MPs.
Archie Norman, giving evidence to the Business and Trade Committee, addressed the attack publicly for the first time, but declined to confirm whether the company paid a ransom.
“It’s a business and a principled decision,” he said. “When your systems are compromised and you’re rebuilding anyway, you have to ask what exactly you’re paying for.”
Pressed again on whether M&S had met the attackers’ demands, Mr Norman said the company would not comment on its interactions with the “threat actor”, but confirmed that the matter had been fully shared with the National Crime Agency (NCA).
“We don’t believe discussing this in public is in the interest of law enforcement,” he added.
The breach, which occurred on 17 April via “sophisticated impersonation” involving a third-party supplier, was not detected until two days later, on Easter Saturday.
M&S was directly contacted by the attackers roughly a week after the initial compromise. The retailer notified authorities the following day and informed customers on 22 April.
The FBI was also involved due to its stronger capabilities in cybercrime response. Mr Norman noted the agency was “very supportive.”
The cyberattack, potentially linked to the group Scattered Spider—suspected to include English-speaking teenagers—forced M&S to significantly curtail both in-store and online operations.
Despite this, the company made an early decision that no staff member would engage directly with the criminals.
“After an incident like this, there are a thousand things you wish you’d done differently,” Mr Norman admitted.
Warning to Businesses: “Be Ready to Operate Without IT”
Nick Folland, M&S’s General Counsel and Company Secretary, urged other firms to prepare for the worst.
“Make sure you can run your business on pen and paper,” he said, highlighting the importance of manual fallback procedures.
In response to the breach, M&S has tripled its cybersecurity team to 80 staff members and doubled its cyber defence spending. The company also, “curiously,” doubled its insurance cover last year, prior to the incident.
Mr Norman confirmed that the retailer would be making a “substantial” insurance claim. The £300 million in expected losses does not include potential insurance recovery, which will take around 18 months to process.
