M&S calls for mandatory ransomware reporting

Marks & Spencer chairman Archie Norman has described the recent ransomware attack on the retailer’s systems as something akin to an “out-of-body experience” as he called for cyber attack victims to be brave, bite the bullet, and be open and transparent about their experiences.
Speaking before the Business and Trade Sub-Committee on Economic Security, Arms and Export Controls, in a session at which representatives from fellow attack victim Co-op Group and various cyber experts, including former National Cyber Security Centre (NCSC) chief Ciaran Martin, also gave evidence, Norman said that while he did not believe government could regulate its way to security, it had a role to play in making sure lessons from security incidents were discussed and shared, particularly at boardroom level.
He said M&S wanted to use its experience for the benefit of government and other businesses. “I’ve already got one or two boards that have invited me to come and see them and share our war stories, which I will certainly do,” he said.
“We do think that mandatory reporting is a very interesting idea,” said Norman. “It’s apparent to us that quite a large number of cyber attacks never get reported to the NCSC. In fact we have reason to believe there have been two major cyber attacks on large British companies in the last four months which have gone unreported.
“We think that’s a big deficit in our knowledge as to what’s happening. I don’t think it would be regulatory overkill to say if you have a material attack … for companies of a certain size you are required within a time limit to report those to the NCSC and that would enhance the central intelligence body around this.”
He said that early on – before reports of the cyber attack hit the front pages – M&S had shared all the information it had about the ongoing incident with the NCSC so that it could alert other retail businesses, likely including Co-op Group. He also revealed that M&S had received an undisclosed level of support from the US FBI, which he said was “more muscled up” in this regard.
Traumatic incident
Discussing the impact of the cyber attack, Norman said: “It’s fair to say that everybody at M&S experienced it. Our ordinary shop colleagues [were] working in ways they hadn’t worked for 30 years, working extra hours just to try to keep the show on the road. Let aside our tech colleagues, for a week probably the cyber team had no sleep…. It’s not an overstatement to describe it as traumatic.”
M&S is still rebuilding its business and expects to be doing so for some time to come. Recognising that its overall IT estate is a hodgepodge of legacy systems, Norman said the organisation is bringing forward various phases of an ongoing tech refresh in the wake of the attack.
Commenting on remarks made in the House of Commons by MP David Davis that an unnamed British company had recently paid a significant ransom, Norman declined to say whether M&S was the organisation to which Davis was referring, and would not disclose whether the retailer had received a ransom demand.
He said that early on M&S had taken a decision not to communicate directly with its attackers, leaving that to cyber professionals.
He added that for some time, M&S did not know who had attacked it. “They never send you a letter signed Scattered Spider – that doesn’t happen,” said Norman. “We didn’t even hear from the threat actor for approximately a week after they penetrated our systems. You rely completely upon your security advisors to say what they think is happening, and they recognised the threat actor by the attack vector.
“Also they communicate through the media and in this case their chosen avenue of communication was principally the BBC. It was sometimes an unusual experience to be brushing your teeth in the morning when somebody comes onto the BBC with a communication from the people who are allegedly attacking your business.”
Social engineering
Taking further questions from the panel, Norman went out of his way to explicitly deny media reports suggesting M&S had “left the back door open”, saying that the attackers had gained access through social engineering of an undisclosed third party, as has been widely speculated over the past few weeks.
“The attack on M&S has been penned as sophisticated impersonation, in this case likely referring to the use of advanced social engineering tactics, potentially including deepfake audio or video, to convincingly pose as executives or trusted insiders,” said Richard LaTulip, field chief information security officer (CISO) at threat intelligence specialist Recorded Future.
“Protecting against sophisticated impersonation attacks requires a layered approach. While technical defences, such as multi-factor authentication and identity verification tools, are essential, the human layer remains the most vulnerable. That’s why ongoing training and executive-level awareness are critical. Employees, especially those in high-risk roles, must be educated to recognize social engineering tactics, including AI-generated deepfakes or urgent messages impersonating leadership.”