M&S chairman dodges questions on ransom payment after cyberattack

No one at M&S communicated directly with the hackers, Archie Norman says

Speaking before the UK Parliament's Business and Trade Sub-Committee on Economic Security, Arms and Export Controls, Archie Norman refused to confirm whether the British retail giant paid a ransom to cyberattackers earlier this year.

Marks & Spencer (M&S) Chairman Archie Norman has refused to confirm whether the British retail giant paid a ransom following a cyberattack earlier this year, citing ongoing law enforcement involvement and the sensitive nature of the incident.

Speaking before the UK Parliament's Business and Trade Sub-Committee on Economic Security, Arms and Export Controls, Norman told MPs: "We've said that we are not discussing any of the details of our interaction with the threat actor. We don't think it's in the public interest to go into that subject partly because it is a matter of law enforcement."

His comments came in response to questions sparked by remarks from MP David Davis in the House of Commons, in which Davis claimed an unnamed British company had recently paid a "significant ransom."

Norman declined to confirm whether M&S was the company in question or whether it had received a direct ransomware demand.

The attack, which Norman attributed to the hacking group DragonForce, was first disclosed in May and rapidly became the stuff of nightmares for M&S.

The breach led to the theft of sensitive customer data – including names, dates of birth, email and home addresses, phone numbers, household details, and online purchase histories. Operations across M&S were severely disrupted for weeks, with empty shelves in stores and outages to online ordering services.

Norman insisted that no one at M&S communicated directly with the hackers.

"Nobody interacted directly with the cybercriminals," he told the panel, explaining that cyber professionals handled all engagement and that identification of the group responsible came from analysis of the attack vector.

"They never send you a letter signed Scattered Spider - that doesn't happen," he added, referencing another notorious ransomware gang that was thought to be connected to the attack.

"We didn't even hear from the threat actor for approximately a week after they penetrated our systems."

Norman described discovering communications from the hackers via mainstream media: "It was sometimes an unusual experience to be brushing your teeth in the morning when somebody comes onto the BBC with a communication from the people who are allegedly attacking your business."

The chairman firmly dismissed media reports claiming M&S had left systems vulnerable to attack.

Instead, Norman blamed a third-party contractor compromised through social engineering, though he declined to name the vendor involved.

As M&S continues recovery efforts, which Norman said could extend into October or November, the retailer is accelerating a major overhaul of its outdated IT infrastructure.

He described the attack as a "traumatic" and "out-of-body experience" for the company.

Despite the turmoil, Norman stressed the importance of openness and industry-wide learning. He also called for stronger government policy on mandatory cyber incident reporting.

"It's apparent to us that quite a large number of cyberattacks never get reported to the NCSC," he said.

He advocated for regulations requiring large companies to report "material" cyber incidents to the NCSC within a specified timeframe.

"I don't think it would be regulatory overkill," he said, "and it would enhance the central intelligence body around this."

The chairman noted that M&S had shared details of the attack early on with the NCSC, even before the story broke in the media, enabling the agency to warn other retailers, including the Co-op Group.

He also acknowledged that the company had received assistance from the US Federal Bureau of Investigation.

"The FBI was more muscled up," he said, suggesting that international cooperation played a key role in the response.