2025-07-08
M&S calls for mandatory ransomware reporting
The government should extend ransomware reporting mandates to businesses to help gather more intelligence and better support victims, says M&S chairman Archie Norman.
Marks & Spencer chairman Archie Norman has described the recent ransomware attack on the retailer’s systems as something akin to an “out-of-body experience” as he called for cyber attack victims to be brave, bite the bullet, and be open and transparent about their experiences.
Speaking before the Business and Trade Sub-Committee on Economic Security, Arms and Export Controls – in a session at which representatives from fellow attack victim Co-op Group and various cyber experts, including former National Cyber Security Centre (NCSC) chief Ciaran Martin, also gave evidence – Norman said that while he did not believe government can regulate its way to security, there was a role for it to play in making sure learnings from security incidents are discussed and dispersed, particularly at boardroom level.
He said M&S wanted to use its experience for the benefit of government and other businesses. “I’ve already got one or two boards that have invited me to come and see them and share our war stories, which I will certainly do,” he said.
“We do think that mandatory reporting is a very interesting idea,” said Norman. “It’s apparent to us that quite a large number of cyber attacks never get reported to the NCSC. In fact we have reason to believe there have been two major cyber attacks on large British companies in the last four months which have gone unreported.
“We think that’s a big deficit in our knowledge as to what’s happening. I don’t think it would be regulatory overkill to say if you have a material attack … for companies of a certain size you are required within a time limit to report those to the NCSC and that would enhance the central intelligence body around this.”
He said that early on – before reports of a cyber attack hit the front pages – M&S had shared all the information it had about the ongoing incident with the NCSC so that it could alert other retail businesses, likely including Co-op Group. He also revealed that M&S had received an undisclosed level of support from the US FBI, saying that the FBI was “more muscled up” in this regard.
Traumatic incident
Discussing the impact of the cyber attack, Norman said: “It’s fair to say that everybody at M&S experienced it. Our ordinary shop colleagues [were] working in ways they hadn’t worked for 30 years, working extra hours just to try to keep the show on the road. Leave aside our tech colleagues, for a week probably the cyber team had no sleep…. It’s not an overstatement to describe it as traumatic.”
M&S is still rebuilding its business and expects to be doing so for some time to come. Recognising that its overall IT estate is a hodgepodge of legacy systems, Norman said the organisation is now bringing forward various phases of an ongoing tech refresh in the wake of the attack.
Commenting on remarks made in the House of Commons by MP David Davis that an unnamed British company had recently paid a significant ransom, Norman declined to say whether or not M&S was the organisation to which Davis was referring, and would not directly disclose whether or not the retailer had received a ransomware demand.
He said that early on M&S had taken a decision not to communicate directly with its attackers, leaving that to cyber professionals.
He added that for some time, M&S did not know who had attacked it. “They never send you a letter signed Scattered Spider – that doesn’t happen,” said Norman. “We didn’t even hear from the threat actor for approximately a week after they penetrated our systems. You rely completely upon your security advisors to say what they think is happening, and they recognised the threat actor by the attack vector.
“Also they communicate through the media and in this case their chosen avenue of communication was principally the BBC. It was sometimes an unusual experience to be brushing your teeth in the morning when somebody comes onto the BBC with a communication from the people who are allegedly attacking your business.”
Social engineering
Taking further questions from the panel, Norman went out of his way to explicitly deny media reports that suggested M&S had “left the back door open”, saying that the attack had occurred through social engineering via an undisclosed third party, as has been extensively speculated over the past few weeks.
“The attack on M&S has been penned as sophisticated impersonation, in this case likely referring to the use of advanced social engineering tactics, potentially including deepfake audio or video, to convincingly pose as executives or trusted insiders,” said Richard LaTulip, field chief information security officer (CISO) at threat intelligence specialist Recorded Future.
“Protecting against sophisticated impersonation attacks requires a layered approach. While technical defences, such as multi-factor authentication and identity verification tools, are essential, the human layer remains the most vulnerable. That’s why ongoing training and executive-level awareness are critical. Employees, especially those in high-risk roles, must be educated to recognize social engineering tactics, including AI-generated deepfakes or urgent messages impersonating leadership.”
Timeline: Scattered Spider attacks in 2025
- 22 April 2025: A cyber attack at M&S has caused significant disruption to customers, leaving them unable to make contactless payments or use click-and-collect services.
- 24 April: M&S is still unable to provide contactless payment or click-and-collect services amid a cyber attack that it says has forced it to move a number of processes offline to safeguard its customers, staff and business.
- 25 April: M&S shuts down online sales as it works to contain and mitigate a severe cyber attack on its systems.
- 29 April: The infamous Scattered Spider hacking collective may have been behind the ongoing cyber attack on M&S that has crippled systems at the retailer and left its ecommerce operation in disarray.
- 30 April: A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack.
- 1 May: Co-op tells staff to stop using their VPNs and be wary that their communications channels may be being monitored, as a cyber attack on the organisation continues to develop.
- 1 May: Harrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact.
- 2 May: The National Cyber Security Centre confirms it is providing assistance to M&S, Co-op and Harrods as concerns grow among UK retailers.
- 7 May: No end is yet in sight for UK retailers subjected to apparent ransomware attacks.
- 13 May: M&S is instructing all of its customers to change their account passwords after a significant amount of data was stolen in a DragonForce ransomware attack.
- 14 May: Google’s threat intel analysts are aware of a number of in-progress cyber attacks against US retailers linked to the same Scattered Spider gang that supposedly attacked M&S and Co-op in the UK.
- 20 May: Cold chain services provider Peter Green Chilled, which supplies the likes of Aldi, Sainsbury’s and Tesco, has been forced to halt operations after succumbing to a ransomware attack.
- 11 June: So-called Black Swan events expose the blind spots in even the most sophisticated forecasting models, signaling a need to rethink how businesses, and those investing in them, quantify and prepare for cyber risk.
- 13 June: The recent spate of cyber attacks on UK retailers has to be a wake-up call to build more cyber resilience into digital supply chains and fortify against social engineering attacks.
- 17 June: Following a series of high-profile attacks on prominent retailers and consumer brands, the Scattered Spider cyber crime collective appears to be expanding its targeting to the insurance sector.
- 20 June: The UK’s Cyber Monitoring Centre has published its first in-depth assessment of a major incident, reflecting on the impact of and lessons learned from Scattered Spider attacks on M&S and Co-op.
- 27 June: Multiple reports are emerging of cyber attacks on airlines – Google Cloud’s Mandiant believes them to be linked.
- 2 July: Australian flag carrier Qantas is investigating significant data theft of personal information for up to 6 million customers after a third-party platform used by its call centre was compromised.
- 2 July: A developing cyber attack at Australian airline Qantas that started at a third-party call centre is already being tentatively attributed to Scattered Spider.